Question on why I am getting a security exception calling SQLJ.INSTALL_JAR with Derby 10.14.2.0

Bergquist, Brett-2

I am getting this error when trying to install a JAR

 

      [sql] Failed to execute:  CALL SQLJ.INSTALL_JAR('/opt/canogaview/temp/build/core_pkg/META-INF/customize/csemdb/csem-derby.jar', 'CSEM.csemderby', 0)

      [sql] java.sql.SQLTransactionRollbackException: The exception 'java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/canogaview/temp/build/core_pkg/META-INF/customize/csemdb/csem-derby.jar" "read")' was thrown while evaluating an expression.

      [sql] Failed to execute:   CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath','CSEM.csemderby')

      [sql] java.sql.SQLSyntaxErrorException: The database class path contains an unknown jar file '"CSEM"."CSEMDERBY"'.

 

This error does not occur with Derby 10.13.1.1 but does occur now that I have upgraded to 10.14.2.0.

 

I believe this is related to some security change.   Possibly:

 

https://issues.apache.org/jira/browse/DERBY-6987

 

The application that is starting the JVM that is running Derby Network Server has not changed.   Only the version of Derby has changed.  

 

Any pointers will be greatly appreciated.

 

I will be honest here.  Trying to find the change in the release notes is darn near impossible since the release notes for the releases are no longer on the Derby web site, at least I cannot find them.   Having to download a release and expand it to see what has changed is pretty awful.

 

So interestingly I just clicked on this link again:

 

http://db.apache.org/derby/releases/release-10.14.2.0.cgi

 

Now I get a totally different page being returned.   I think this has something to do with the mirrors.   Earlier this morning, it brought me to a page where it shows all of the apache projects and I had to drill down to “db/derby” and then was able to download the “bin” zip file for 10.14.2.0.

 

So there is possibly some issue with the mirrors sometimes not displaying the same content. 



Canoga Perkins
20600 Prairie Street
Chatsworth, CA 91311
(818) 718-6300

This e-mail and any attached document(s) is confidential and is intended only for the review of the party to whom it is addressed. If you have received this transmission in error, please notify the sender immediately and discard the original message and any attachment(s).

Re: Question on why I am getting a security exception calling SQLJ.INSTALL_JAR with Derby 10.14.2.0

Bryan Pendleton-3
Hi Brett,

I'm not sure what's going on with the mirrors. The cgi page is working
properly for me now, and it contains the release notes on that page.

http://db.apache.org/derby/releases/release-10.14.2.0.cgi

When you finally got to the right page, did it have the release notes on it?

Meanwhile, w.r.t. the permissions question, I think you are right
that DERBY-6987 is the source of your problems.

Can you change your startup procedures so that you specify a
security policy with the slightly looser permission that your application
requires?

Here's the docs on how to provide your desired security policy:
https://db.apache.org/derby/docs/10.14/security/csecjavasecurity.html

thanks,

bryan


On Mon, Jun 4, 2018 at 8:18 AM, Bergquist, Brett <[hidden email]> wrote:

> I am getting this error when trying to install a JAR
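
Added example, not part of the thread or of Derby's code: a Python helper that rejoins the hard-wrapped error text from the first post and turns each denied permission into the narrowest matching policy grant, as a starting point for the "slightly looser permission" suggested in the reply. The function names and the `[sql]` record prefix handling are this example's own, and the codeBase string used in the call is an assumption modelled on Derby's sample policies.

```python
import re

# Error text as posted in the thread; the build tool hard-wrapped it mid-token.
SAMPLE_LOG = """\
      [sql] java.sql.SQLTransactionRollbackException: The exception 'java.securi
ty.AccessControlException: access denied ("java.io.FilePermission" "/opt/canogav
iew/temp/build/core_pkg/META-INF/customize/csemdb/csem-derby.jar" "read")' was t
hrown while evaluating an expression.
"""

DENIED = re.compile(r'access denied \("([\w.$]+)" "([^"]*)"(?: "([^"]*)")?\)')
TOO_BROAD = ("<<ALL FILES>>", "*", "-")

def unwrap(log_text, prefix="[sql]"):
    """Rejoin hard-wrapped continuation lines onto the record they belong to."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue  # blank lines left behind by mail or web extraction
        if line.lstrip().startswith(prefix) or not records:
            records.append(line.lstrip())
        else:
            records[-1] += line  # the wrap inserted no separator of its own
    return records

def denied_permissions(log_text, prefix="[sql]"):
    """Return unique (class, target, actions) tuples the security manager denied."""
    seen = []
    for record in unwrap(log_text, prefix):
        for m in DENIED.finditer(record):
            perm = (m.group(1), m.group(2), m.group(3) or "")
            if perm not in seen:
                seen.append(perm)
    return seen

def render_grant(perms, codebase):
    """Render one policy-file grant block scoped to a single codeBase."""
    lines = ['grant codeBase "%s" {' % codebase]
    for cls, target, actions in perms:
        # Keep the grant least-privilege: never emit recursive or catch-all targets.
        if target in TOO_BROAD or target.endswith(("/-", "/*")):
            raise ValueError("refusing wildcard target: %r" % target)
        entry = '  permission %s "%s"' % (cls, target)
        lines.append(entry + (', "%s";' % actions if actions else ";"))
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    # codeBase value is an assumption; point it at the derby.jar actually in use.
    print(render_grant(denied_permissions(SAMPLE_LOG), "${derby.install.url}derby.jar"))
```

A policy file passed with `-Djava.security.policy` is used in place of the Network Server's built-in basic policy, so the generated grant belongs inside a complete server policy rather than in a file on its own.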

RE: Question on why I am getting a security exception calling SQLJ.INSTALL_JAR with Derby 10.14.2.0

Bergquist, Brett-2
Yes the release notes are showing up now.   I cleared the browser cache to make sure as well.   It was very disconcerting to find the information gone and one dumped into a directory listing of the Apache projects and having to root around (i.e. I had to assume that the link "db" took me to where Derby might be located).   Glad it is all better now!

I can create a security policy file and start it with that or I believe I could move my "jar" that has functions and procedures loaded into Derby with the "SQLJ.INSTALL_JAR" call into the "derby home" directory and load the functions from there.   It is only during installation of our product that these functions/procedures are loaded.   I don't need to have a general purpose area to load from.

Thanks for taking the time to get back on this Bryan.   It is much appreciated.

Brett

-----Original Message-----
From: Bryan Pendleton [mailto:[hidden email]]
Sent: Monday, June 04, 2018 9:02 PM
To: Derby Discussion
Subject: Re: Question on why I am getting a security exception calling SQLJ.INSTALL_JAR with Derby 10.14.2.0


RE: Question on why I am getting a security exception calling SQLJ.INSTALL_JAR with Derby 10.14.2.0

Bergquist, Brett-2
I was able to move my "jar" to the "derby home" directory and load the functions from the "jar" from there without modifying the security policy file.   This was an ok solution for me as the "jar" does not need to stick around after being loaded and only needs to be loaded once, so it was acceptable for me to do this.

Thanks for the help Bryan!

-----Original Message-----
From: Bergquist, Brett [mailto:[hidden email]]
Sent: Thursday, June 07, 2018 3:09 PM
To: Derby Discussion
Subject: RE: Question on why I am getting a security exception calling SQLJ.INSTALL_JAR with Derby 10.14.2.0
