Security problem with aggregate functions using Java


nicholas walton
Hi,

I need to extend Java’s aggregate functions to include Median, using the code below

// The EXTERNAL NAME in the CREATE DERBY AGGREGATE statement below refers to
// aggregates.median, so the class has to live in this package.
package aggregates;

import java.util.ArrayList;
import java.util.Collections;
import org.apache.derby.agg.Aggregator;

// Aggregator extends java.io.Serializable: Derby serializes instances when it
// spills intermediate results to disk, so every field must be serializable.
public class median<V extends Comparable<V>>
      implements Aggregator<V,V,median<V>>
{
  private ArrayList<V> _values;

  public median() {}

  // Called once before the first accumulate().
  public void init() { _values = new ArrayList<V>(); }

  // Called once per input row.
  public void accumulate( V value ) { _values.add( value ); }

  // Folds a partial aggregate computed elsewhere into this one.
  public void merge( median<V> other )
  {
      _values.addAll( other._values );
  }

  // Returns the upper-middle element for an even row count (no averaging),
  // and null (SQL NULL) when no rows were seen.
  public V terminate()
  {
      Collections.sort( _values );

      int count = _values.size();

      if ( count == 0 ) { return null; }
      else { return _values.get( count/2 ); }
  }
}

To install I used

CALL SQLJ.INSTALL_JAR('/Users/nwalton/Documents/Databases/derbyStats/dist/derbyStats.jar', 'NWALTON.median', 0);
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.classpath', 'NWALTON.median');

CREATE DERBY AGGREGATE "NWALTON"."MEDIAN" FOR DOUBLE RETURNS DOUBLE EXTERNAL NAME 'aggregates.median';

At first this works fine in a trigger or in plain SQL but after a while I get the following error

Error code 30000, SQL state 38000: The exception 'java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was thrown while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"): java.security.AccessControlException'.
Line 1, column 1

I’ve Googled to no avail for an answer! Can anyone suggest a solution? I’m running OS X Sierra, Apache Derby Network Server - 10.6.2.1 - (999685), under Java version 1.8.0_31-b13.

Thanks in advance

Nick 
Re: Security problem with aggregate functions using Java

spykee
Hi Nicholas,

I think that your issue is due to the Java policy (either you need to change your Java policy file or, if you supply one to your Derby context, update that one).

for more information.

In the end, I believe that you will need to append accessClassInPackage rights to the Derby aggregator, org.apache.derby.agg.Aggregator.

E.g. :
grant {
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.derby.agg";
};

Regards,
George



Re: Security problem with aggregate functions using Java

Rick Hillegas-3
In reply to this post by nicholas walton
Thanks for raising this issue, Nicholas. Can you include the full stack trace for the error? The template policy may need to grant some additional privilege to the engine jar file. It is also possible that you have run into the following defect: https://issues.apache.org/jira/browse/DERBY-4354

Thanks,
-Rick

Re: Security problem with aggregate functions using Java

nicholas walton
Rick,

Neither Netbeans nor ij dumped the stack, I’m afraid.

The full message is

Error code 30000, SQL state 38000: The exception 'java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was thrown while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"): java.security.AccessControlException’.
Line 1, column 1

Did get it working after a while with the security policy below, but ij will not now run, complaining:

Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262)
at java.lang.System.getProperties(System.java:630)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.tools.ij.ij.initFromEnvironment(Unknown Source)
at org.apache.derby.impl.tools.ij.utilMain.initFromEnvironment(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.<init>(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.getMain(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
at org.apache.derby.tools.ij.main(Unknown Source)

=========================================================================================

//
//   Licensed to the Apache Software Foundation (ASF) under one or more
//   contributor license agreements.  See the NOTICE file distributed with
//   this work for additional information regarding copyright ownership.
//   The ASF licenses this file to You under the Apache License, Version 2.0
//   (the "License"); you may not use this file except in compliance with
//   the License.  You may obtain a copy of the License at
//
//
//   Unless required by applicable law or agreed to in writing, software
//   distributed under the License is distributed on an "AS IS" BASIS,
//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//   See the License for the specific language governing permissions and
//   limitations under the License.
//

// This template policy file gives examples of how to configure the
// permissions needed to run a Derby network server with the Java
// Security manager.
//
{
  // These permissions are needed for everyday, embedded Derby usage.
  //
  permission java.lang.RuntimePermission "createClassLoader";
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

  // Next, the permission to read "derby.*" properties is granted to
  // derby.jar. This is necessary for the engine to read derby properties.
  permission java.util.PropertyPermission "derby.*", "read";

  permission java.util.PropertyPermission "user.dir", "read";

  // The next two properties are used to determine if the VM is 32 or 64 bit.
  //
  permission java.util.PropertyPermission "sun.arch.data.model", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.io.FilePermission "${derby.system.home}","read";
  permission java.io.FilePermission "${derby.system.home}${/}-",
      "read,write,delete";

  // This permission lets a DBA reload the policy file while the server is
  // still running. The policy file is reloaded by invoking the
  // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
  //
  permission java.security.SecurityPermission "getPolicy";

  // This permission lets you backup and restore databases to and from
  // arbitrary locations in your file system.
  //
  // This permission also lets you import/export data to and from arbitrary
  // locations in your file system.
  //
  // You may want to restrict this access to specific directories.
  //
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

  // Permissions needed for JMX based management and monitoring.
  //
  // Allows this code to create an MBeanServer:
  //
  permission javax.management.MBeanServerPermission "createMBeanServer";

  // Allows access to Derby's built-in MBeans, within the domain
  // org.apache.derby.  Derby must be allowed to register and unregister these
  // MBeans.  It is possible to allow access only to specific MBeans,
  // attributes or operations. To fine tune this permission, see the javadoc of
  // javax.management.MBeanPermission or the JMX Instrumentation and Agent
  // Specification.
  //
  permission javax.management.MBeanPermission
      "org.apache.derby.*#[org.apache.derby:*]",
      "registerMBean,unregisterMBean";

  // Trusts Derby code to be a source of MBeans and to register these in the
  // MBean server.
  //
  permission javax.management.MBeanTrustPermission "register";

  // getProtectionDomain is an optional permission needed for printing
  // classpath information to derby.log
  //
  permission java.lang.RuntimePermission "getProtectionDomain";

  //
  // The following permission must be granted for Connection.abort(Executor) to
  // work.  Note that this permission must also be granted to outer
  // (application) code domains.
  //
  permission java.sql.SQLPermission "callAbort";

  // Needed by file permissions restriction system:
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";

  // My additions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
};



{
  // These permissions let the Network Server manage connections from clients.

  // Accept connections from any host. Derby is listening to the host interface
  // specified via the -h option to "NetworkServerControl start" on the command
  // line, via the address parameter to the
  // org.apache.derby.drda.NetworkServerControl constructor in the API or via
  // the property derby.drda.host; the default is localhost.  You may want to
  // restrict allowed hosts, e.g. to hosts in a specific subdomain,
  // e.g. "*.example.com".
  permission java.net.SocketPermission "*", "accept";

  // Allow the server to listen to the socket on the default port (1527).
  // If you have specified another port number with the -p option to
  // "NetworkServerControl start" on the command line, or with the portNumber
  // parameter to the NetworkServerControl constructor in the API, or with the
  // property derby.drda.portNumber, you should change the port number in the
  // permission statement accordingly.
  permission java.net.SocketPermission "localhost:1527", "listen";

  // Needed for server tracing. FilePermission takes a file-system path, not a
  // file: URL, so the trace directory is given as a plain path.
  //
  permission java.io.FilePermission "/Users/nwalton/.derby/dummy/traces${/}-",
      "read,write,delete";

  // Needed by file permissions restriction system:
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";
  permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine",
      "read, write";

  // Needed to start the monitoring MBeans
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

  // JMX: Uncomment this permission to allow the ping operation of the
  //      NetworkServerMBean to connect to the Network Server.
  //
  permission java.net.SocketPermission "*", "connect,resolve";

  // Needed by sysinfo. The file permission is needed to check the existence of
  // jars on the classpath. You can limit this permission to just the locations
  // which hold your jar files.
  //
  // In this template file, this block of permissions is granted to
  // derbynet.jar under the assumption that derbynet.jar is the first jar file
  // in your classpath which contains the sysinfo classes. If that is not the
  // case, then you will want to grant this block of permissions to the first
  // jar file in your classpath which contains the sysinfo classes.  Those
  // classes are bundled into the following Derby jar files:
  //
  //    derbynet.jar
  //    derby.jar
  //    derbyclient.jar
  //    derbytools.jar
  //
  permission java.util.PropertyPermission "user.*", "read";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.runtime.version", "read";
  permission java.util.PropertyPermission "java.fullversion", "read";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.io.FilePermission "<<ALL FILES>>", "read";

  // My additions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  //permission java.net.SocketPermission "127.0.0.1:1527", "connect,resolve";
};




Nick

Re: Security problem with aggregate functions using Java

Bryan Pendleton-3
Hello Nick,

The ij code is in derbytools.jar, I believe. Did you define a security policy that covers derbytools.jar?

In particular, to allow calling System.getProperties, try something like:

grant codeBase "${derbyTesting.codejar}derbytools.jar" {
  // Access all properties using System.getProperties -
  // ij enumerates the properties in order to open connections
  // for any property set in ij.connection.* and set protocols
  // for any property in ij.protocol.*
  permission java.util.PropertyPermission "*", "read, write";

  // Read all files under ${user.dir}
  permission java.io.FilePermission "${user.dir}${/}-", "read";

  // IjTestCases read, write, and delete ij's output in the extinout dir
  permission java.io.FilePermission "${user.dir}${/}extinout${/}-", "read, write, delete";

  // ij needs permission to read the sql files in this jar
  permission java.io.FilePermission "${derbyTesting.testjarpath}", "read";

};

thanks,

bryan

Re: Security problem with aggregate functions using Java

Rick Hillegas-3
In reply to this post by nicholas walton
Hi Nicholas,

I think that the ij permissions problem is a red herring. That problem arises because ij is trying to call System.getProperties() but the security policy does not grant property-reading privilege to derbytools.jar.

Concerning your original problem: What strikes me as significant is your observation that aggregation worked for a while and then broke. The only big state change which occurs during aggregation is when the processing of a large data set causes the engine to dump intermediate results to a temporary file. Eventually, those results must be de-serialized from the temporary file. It is possible that de-serialization can't instantiate your user-defined aggregate without that extra permission.

I am afraid that your environment confuses me, though. According to your original message, you are running Derby 10.6.2.1. However, user-defined aggregates were not introduced until Derby 10.10.1.1.

I have created https://issues.apache.org/jira/browse/DERBY-6922 to investigate the problem raised by this issue.

Hope this helps,
-Rick
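
To check the spill-and-reload path Rick describes against the median class from the first post, here is an added harness (not from the thread or the Derby project; it assumes the posted class is compiled as aggregates.median and that derby.jar, which supplies org.apache.derby.agg.Aggregator and makes it Serializable, is on the classpath). It drives the aggregate the way the engine does, pushes one partial aggregate through a temporary file with plain Java serialization before merging, and checks that the result matches the purely in-memory path.

```java
package aggregates;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Exercises the posted median aggregate the way the engine does:
 * init -> accumulate -> (spill to disk / reload) -> merge -> terminate.
 *
 * Assumptions (not from the thread): aggregates.median is the class from
 * the first post, and derby.jar is on the classpath so that
 * org.apache.derby.agg.Aggregator (which extends java.io.Serializable)
 * resolves. Sample values below are constructed for this harness.
 */
public final class MedianSpillCheck {

    /** Builds a partial aggregate over one batch of rows. */
    static median<Double> partial(double... values) {
        median<Double> agg = new median<Double>();
        agg.init();
        for (double v : values) {
            agg.accumulate(v);
        }
        return agg;
    }

    /** Writes a partial aggregate to a temp file and reads it back. */
    @SuppressWarnings("unchecked")
    static median<Double> spillAndReload(median<Double> agg)
            throws IOException, ClassNotFoundException {
        Path tmp = Files.createTempFile("median-spill", ".bin");
        try (ObjectOutputStream out =
                     new ObjectOutputStream(Files.newOutputStream(tmp))) {
            out.writeObject(agg);
        }
        try (ObjectInputStream in =
                     new ObjectInputStream(Files.newInputStream(tmp))) {
            // readObject() instantiates the class reflectively. This is the
            // step Rick suspects trips the accessClassInPackage.sun.reflect
            // check when the engine runs under a SecurityManager on Java 8.
            return (median<Double>) in.readObject();
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    /** Merges two partials and returns the median (null for no rows). */
    static Double finish(median<Double> left, median<Double> right) {
        left.merge(right);
        return left.terminate();
    }

    public static void main(String[] args) throws Exception {
        // Two batches, as the engine might split a scan (constructed data).
        median<Double> first = partial(4.0, 1.0, 7.0);
        median<Double> second = partial(3.0, 9.0);

        // In-memory path: merge the partials directly. Sorted: 1 3 4 7 9.
        Double direct = finish(partial(4.0, 1.0, 7.0), partial(3.0, 9.0));

        // Spill path: one partial goes through serialization first.
        Double viaDisk = finish(spillAndReload(first), second);

        if (!direct.equals(viaDisk) || direct != 4.0) {
            throw new AssertionError("median mismatch: " + direct + " vs " + viaDisk);
        }

        // Even row count: the posted code returns the upper of the two middle
        // values (4.0 and 7.0 -> 7.0), not their mean. Decide whether that is
        // the intended definition before relying on it.
        Double even = finish(partial(1.0, 4.0), partial(7.0, 9.0));
        if (even != 7.0) {
            throw new AssertionError("unexpected even-count median: " + even);
        }

        // No rows at all yields null, which Derby maps to SQL NULL.
        median<Double> empty = new median<Double>();
        empty.init();
        if (empty.terminate() != null) {
            throw new AssertionError("expected NULL for no rows");
        }
        System.out.println("median survives spill/reload: " + viaDisk);
    }
}
```

Run it once without a SecurityManager to confirm the aggregate itself is sound, then again with -Djava.security.manager and the server policy to see whether the reload step, rather than the SQL, is what the policy rejects.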

Re: Security problem with aggregate functions using Java

nicholas walton
Rick,

Concur with the ij problem; I was caught out by the ij script using DERBY_OPTS and picking up the security policy, which left it with no permissions. Easy fix.

As for the Derby version, I’ve upgraded to Apache Derby Network Server - 10.13.1.1 and that partly fixed things, since before doing that the problem would not go away even with the security policy in place.

Thanks for the help.

Nick

On 20 Feb 2017, at 15:55, Rick Hillegas <[hidden email]> wrote:

Hi Nicholas,

I think that the ij permissions problem is a red herring. That problem arises because ij is trying to call System.getProperties() but the security policy does not grant property-reading privilege to derbytools.jar.

Concerning your original problem: What strikes me as significant is your observation that aggregation worked for a while and then broke. The only big state change which occurs during aggregation is when the processing of a large data set causes the engine to dump intermediate results to a temporary file. Eventually, those results must be de-serialized from the temporary file. It is possible that de-serialization can't instantiate your user-defined aggregate without that extra permission.

I am afraid that your environment confuses me, though. According to your original message, you are running Derby 10.6.2.1. However, user-defined aggregates were not introduced until Derby 10.10.1.1.

I have created https://issues.apache.org/jira/browse/DERBY-6922 to investigate the problem raised by this issue.

Hope this helps,
-Rick

On 2/20/17, 1:54 AM, nicholas walton wrote:
Rick,

Neither Netbeans nor ij dumped the stack, I’m afraid.

The full message is

Error code 30000, SQL state 38000: The exception 'java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was thrown while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"): java.security.AccessControlException'.
Line 1, column 1

Did get it working after a while with the security policy below, but ij will not now run, complaining:

Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262)
at java.lang.System.getProperties(System.java:630)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.tools.ij.ij.initFromEnvironment(Unknown Source)
at org.apache.derby.impl.tools.ij.utilMain.initFromEnvironment(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.<init>(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.getMain(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
at org.apache.derby.tools.ij.main(Unknown Source)

=========================================================================================

//
//   Licensed to the Apache Software Foundation (ASF) under one or more
//   contributor license agreements.  See the NOTICE file distributed with
//   this work for additional information regarding copyright ownership.
//   The ASF licenses this file to You under the Apache License, Version 2.0
//   (the "License"); you may not use this file except in compliance with
//   the License.  You may obtain a copy of the License at
//
//
//   Unless required by applicable law or agreed to in writing, software
//   distributed under the License is distributed on an "AS IS" BASIS,
//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//   See the License for the specific language governing permissions and
//   limitations under the License.
//

// This template policy file gives examples of how to configure the
// permissions needed to run a Derby network server with the Java
// Security manager.
//
{
  // These permissions are needed for everyday, embedded Derby usage.
  //
  permission java.lang.RuntimePermission "createClassLoader";
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

  // Next, the permission to read "derby.*" properties is granted to
  // derby.jar. This is necessary for the engine to read derby properties.
  permission java.util.PropertyPermission "derby.*", "read";

  permission java.util.PropertyPermission "user.dir", "read";

  // The next two properties are used to determine if the VM is 32 or 64 bit.
  //
  permission java.util.PropertyPermission "sun.arch.data.model", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.io.FilePermission "${derby.system.home}","read";
  permission java.io.FilePermission "${derby.system.home}${/}-",
      "read,write,delete";

  // This permission lets a DBA reload the policy file while the server is
  // still running. The policy file is reloaded by invoking the
  // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
  //
  permission java.security.SecurityPermission "getPolicy";

  // This permission lets you backup and restore databases to and from
  // arbitrary locations in your file system.
  //
  // This permission also lets you import/export data to and from arbitrary
  // locations in your file system.
  //
  // You may want to restrict this access to specific directories.
  //
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

  // Permissions needed for JMX based management and monitoring.
  //
  // Allows this code to create an MBeanServer:
  //
  permission javax.management.MBeanServerPermission "createMBeanServer";

  // Allows access to Derby's built-in MBeans, within the domain
  // org.apache.derby.  Derby must be allowed to register and unregister these
  // MBeans.  It is possible to allow access only to specific MBeans,
  // attributes or operations. To fine tune this permission, see the javadoc of
  // javax.management.MBeanPermission or the JMX Instrumentation and Agent
  // Specification.
  //
  permission javax.management.MBeanPermission
      "org.apache.derby.*#[org.apache.derby:*]",
      "registerMBean,unregisterMBean";

  // Trusts Derby code to be a source of MBeans and to register these in the
  // MBean server.
  //
  permission javax.management.MBeanTrustPermission "register";

  // getProtectionDomain is an optional permission needed for printing
  // classpath information to derby.log
  //
  permission java.lang.RuntimePermission "getProtectionDomain";

  //
  // The following permission must be granted for Connection.abort(Executor) to
  // work.  Note that this permission must also be granted to outer
  // (application) code domains.
  //
  permission java.sql.SQLPermission "callAbort";

  // Needed by file permissions restriction system:
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";

  // My additions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
};



{
  // These permissions lets the Network Server manage connections from clients.

  // Accept connections from any host. Derby is listening to the host interface
  // specified via the -h option to "NetworkServerControl start" on the command
  // line, via the address parameter to the
  // org.apache.derby.drda.NetworkServerControl constructor in the API or via
  // the property derby.drda.host; the default is localhost.  You may want to
  // restrict allowed hosts, e.g. to hosts in a specific subdomain,
  // e.g. "*.example.com".
  permission java.net.SocketPermission "*", "accept";

  // Allow the server to listen to the socket on the default port (1527).
  // If you have specified another port number with the -p option to
  // "NetworkServerControl start" on the command line, or with the portNumber
  // parameter to the NetworkServerControl constructor in the API, or with the
  // property derby.drda.portNumber, you should change the port number in the
  // permission statement accordingly.
  permission java.net.SocketPermission "localhost:1527", "listen";

  // Needed for server tracing.
  //
  permission java.io.FilePermission "file:///Users/nwalton/.derby/dummy/traces${/}-",
      "read,write,delete";

  // Needed by file permissions restriction system:
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";
  permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine",
      "read, write";

  // Needed to start the monitoring MBeans
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

  // JMX: Uncomment this permission to allow the ping operation of the
  //      NetworkServerMBean to connect to the Network Server.
  //
  permission java.net.SocketPermission "*", "connect,resolve";

  // Needed by sysinfo. The file permission is needed to check the existence of
  // jars on the classpath. You can limit this permission to just the locations
  // which hold your jar files.
  //
  // In this template file, this block of permissions is granted to
  // derbynet.jar under the assumption that derbynet.jar is the first jar file
  // in your classpath which contains the sysinfo classes. If that is not the
  // case, then you will want to grant this block of permissions to the first
  // jar file in your classpath which contains the sysinfo classes.  Those
  // classes are bundled into the following Derby jar files:
  //
  //    derbynet.jar
  //    derby.jar
  //    derbyclient.jar
  //    derbytools.jar
  //
  permission java.util.PropertyPermission "user.*", "read";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.runtime.version", "read";
  permission java.util.PropertyPermission "java.fullversion", "read";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.io.FilePermission "<<ALL FILES>>", "read";

  // My additions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  //permission java.net.SocketPermission "127.0.0.1:1527", "connect,resolve";
};




Nick

On 19 Feb 2017, at 16:38, Rick Hillegas <[hidden email]> wrote:


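The spill-and-reload path Rick describes above, as an added example that is not code from this thread or from Derby: a DOUBLE median aggregator that survives the Java-serialization round trip Derby performs when a grouped aggregation overflows memory. It assumes derby.jar is on the classpath for org.apache.derby.agg.Aggregator, that Aggregator extends java.io.Serializable and that Derby spills aggregators through standard Java serialization; unlike the posted class it averages the two middle values for an even count, and the sample partitions are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Collections;
import org.apache.derby.agg.Aggregator;

/** Median over DOUBLE values. Aggregator extends Serializable (assumption), which is
 *  what lets Derby write a partly filled instance to a temp file and read it back. */
public class DoubleMedian implements Aggregator<Double, Double, DoubleMedian> {
    private static final long serialVersionUID = 1L;
    private ArrayList<Double> values;

    public DoubleMedian() {}
    public void init() { values = new ArrayList<Double>(); }
    public void accumulate(Double value) { values.add(value); }
    public void merge(DoubleMedian other) { values.addAll(other.values); }

    /** Unlike the posted class, averages the two middle values for an even count. */
    public Double terminate() {
        int n = values.size();
        if (n == 0) { return null; }
        Collections.sort(values);
        if (n % 2 == 1) { return values.get(n / 2); }
        return (values.get(n / 2 - 1) + values.get(n / 2)) / 2.0;
    }

    /** Java-serialization round trip: the path Derby takes when a grouped aggregation
     *  spills to disk, and where the posted accessClassInPackage error surfaced. */
    static DoubleMedian roundTrip(DoubleMedian agg) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(agg); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return (DoubleMedian) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        DoubleMedian a = new DoubleMedian(); a.init();   // constructed sample partition 1
        for (double d : new double[] {3.0, 1.0, 4.0}) { a.accumulate(d); }
        DoubleMedian b = new DoubleMedian(); b.init();   // constructed sample partition 2
        for (double d : new double[] {1.0, 5.0}) { b.accumulate(d); }
        DoubleMedian restored = roundTrip(a);            // simulate spill and reload
        restored.merge(b);                               // then merge the other partition
        System.out.println(restored.terminate());        // median of the merged values
    }
}
```

Running this under the same security manager and policy as the server (java -Djava.security.manager -Djava.security.policy=...) reproduces the deserialization step in isolation, so a permission denial can be attributed to the grant for the code base that performs readObject rather than to the SQL being evaluated.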