Rick,

Neither Netbeans nor ij dumped the stack, I’m afraid.

The full message is

Error code 30000, SQL state 38000: The exception 'java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was thrown while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"): java.security.AccessControlException'.
Line 1, column 1

Did get it working after a while with the security policy below, but ij will not now run complaining

Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262)
    at java.lang.System.getProperties(System.java:630)
    at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
    at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.derby.impl.tools.ij.ij.initFromEnvironment(Unknown Source)
    at org.apache.derby.impl.tools.ij.utilMain.initFromEnvironment(Unknown Source)
    at org.apache.derby.impl.tools.ij.Main.<init>(Unknown Source)
    at org.apache.derby.impl.tools.ij.Main.getMain(Unknown Source)
    at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
    at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
    at org.apache.derby.tools.ij.main(Unknown Source)

=========================================================================================
//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// This template policy file gives examples of how to configure the
// permissions needed to run a Derby network server with the Java
// Security manager.
//

grant codeBase "file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derby.jar" {
  // These permissions are needed for everyday, embedded Derby usage.
  //
  permission java.lang.RuntimePermission "createClassLoader";
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

  // Next, the permission to read "derby.*" properties is granted to
  // derby.jar. This is necessary for the engine to read derby properties.
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";

  // The next two properties are used to determine if the VM is 32 or 64 bit.
  //
  permission java.util.PropertyPermission "sun.arch.data.model", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.io.FilePermission "${derby.system.home}","read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";

  // This permission lets a DBA reload the policy file while the server is
  // still running. The policy file is reloaded by invoking the
  // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
  //
  permission java.security.SecurityPermission "getPolicy";

  // This permission lets you backup and restore databases to and from
  // arbitrary locations in your file system.
  //
  // This permission also lets you import/export data to and from arbitrary
  // locations in your file system.
  //
  // You may want to restrict this access to specific directories.
  //
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

  // Permissions needed for JMX based management and monitoring.
  //
  // Allows this code to create an MBeanServer:
  //
  permission javax.management.MBeanServerPermission "createMBeanServer";

  // Allows access to Derby's built-in MBeans, within the domain
  // org.apache.derby. Derby must be allowed to register and unregister these
  // MBeans. It is possible to allow access only to specific MBeans,
  // attributes or operations. To fine tune this permission, see the javadoc of
  // javax.management.MBeanPermission or the JMX Instrumentation and Agent
  // Specification.
  //
  permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]", "registerMBean,unregisterMBean";

  // Trusts Derby code to be a source of MBeans and to register these in the
  // MBean server.
  //
  permission javax.management.MBeanTrustPermission "register";

  // getProtectionDomain is an optional permission needed for printing
  // classpath information to derby.log
  //
  permission java.lang.RuntimePermission "getProtectionDomain";

  //
  // The following permission must be granted for Connection.abort(Executor) to
  // work. Note that this permission must also be granted to outer
  // (application) code domains.
  //
  permission java.sql.SQLPermission "callAbort";

  // Needed by file permissions restriction system:
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";

  // My additions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
};

grant codeBase "file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derbynet.jar" {
  // These permissions lets the Network Server manage connections from clients.

  // Accept connections from any host. Derby is listening to the host interface
  // specified via the -h option to "NetworkServerControl start" on the command
  // line, via the address parameter to the
  // org.apache.derby.drda.NetworkServerControl constructor in the API or via
  // the property derby.drda.host; the default is localhost. You may want to
  // restrict allowed hosts, e.g. to hosts in a specific subdomain,
  // e.g. "*.example.com".
  permission java.net.SocketPermission "*", "accept";

  // Allow the server to listen to the socket on the default port (1527).
  // If you have specified another port number with the -p option to
  // "NetworkServerControl start" on the command line, or with the portNumber
  // parameter to the NetworkServerControl constructor in the API, or with the
  // property derby.drda.portNumber, you should change the port number in the
  // permission statement accordingly.
  permission java.net.SocketPermission "localhost:1527", "listen";

  // Needed for server tracing.
  //
  permission java.io.FilePermission "file:///Users/nwalton/.derby/dummy/traces${/}-", "read,write,delete";

  // Needed by file permissions restriction system:
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";
  permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine", "read, write";

  // Needed to start the monitoring MBeans
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

  // JMX: Uncomment this permission to allow the ping operation of the
  // NetworkServerMBean to connect to the Network Server.
  // permission java.net.SocketPermission "*", "connect,resolve";

  // Needed by sysinfo. The file permission is needed to check the existence of
  // jars on the classpath. You can limit this permission to just the locations
  // which hold your jar files.
  //
  // In this template file, this block of permissions is granted to
  // derbynet.jar under the assumption that derbynet.jar is the first jar file
  // in your classpath which contains the sysinfo classes. If that is not the
  // case, then you will want to grant this block of permissions to the first
  // jar file in your classpath which contains the sysinfo classes. Those
  // classes are bundled into the following Derby jar files:
  //
  // derbynet.jar
  // derby.jar
  // derbyclient.jar
  // derbytools.jar
  //
  permission java.util.PropertyPermission "user.*", "read";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.runtime.version", "read";
  permission java.util.PropertyPermission "java.fullversion", "read";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.io.FilePermission "<<ALL FILES>>", "read";

  // My additions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  //permission java.net.SocketPermission "127.0.0.1:1527" "connect,resolve",
};

Nick

> On 19 Feb 2017, at 16:38, Rick Hillegas <rick.hille...@gmail.com> wrote:
>
> Thanks for raising this issue, Nicholas. Can you include the full stack trace
> for the error? The template policy may need to grant some additional
> privilege to the engine jar file. It is also possible that you have run into
> the following defect: https://issues.apache.org/jira/browse/DERBY-4354
>
> Thanks,
> -Rick
>
> On 2/17/17, 9:42 AM, nicholas walton wrote:
>>
>> Hi,
>>
>> I need to extend Java’s aggregate functions to include Median, using the
>> code below
>>
>> import java.util.ArrayList;
>> import java.util.Collections;
>> import org.apache.derby.agg.Aggregator;
>>
>> public class median<V extends Comparable<V>>
>>         implements Aggregator<V,V,median<V>>
>> {
>>     private ArrayList<V> _values;
>>
>>     public median() {}
>>
>>     public void init() { _values = new ArrayList<V>(); }
>>
>>     public void accumulate( V value ) { _values.add( value ); }
>>
>>     public void merge( median<V> other )
>>     {
>>         _values.addAll( other._values );
>>     }
>>
>>     public V terminate()
>>     {
>>         Collections.sort( _values );
>>
>>         int count = _values.size();
>>
>>         if ( count == 0 ) { return null; }
>>         else { return _values.get( count/2 ); }
>>     }
>> }
>>
>> To install I used
>>
>> CALL SQLJ.INSTALL_JAR('/Users/nwalton/Documents/Databases/derbyStats/dist/derbyStats.jar', 'NWALTON.median',0);
>> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY ('derby.database.classpath','NWALTON.median');
>>
>> CREATE DERBY AGGREGATE "NWALTON"."MEDIAN" FOR DOUBLE RETURNS DOUBLE EXTERNAL NAME 'aggregates.median' ;
>>
>> At first this works fine in a trigger or in plain SQL but after a while I
>> get the following error
>>
>> Error code 30000, SQL state 38000: The exception
>> 'java.security.AccessControlException: access denied
>> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was
>> thrown while evaluating an expression.
>> Error code 99999, SQL state XJ001: Java exception: 'access denied
>> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"):
>> java.security.AccessControlException'.
>> Line 1, column 1
>>
>> I’ve Googled to no avail for an answer! Can anyone suggest a solution. I’m
>> running OS X Sierra Apache Derby Network Server - 10.6.2.1 - (999685) under
>> Java version 1.8.0_31-b13.
>>
>> Thanks in advance
>>
>> Nick
>
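
The denials quoted in the message above, turned into candidate policy entries; this is an added example, not part of the original thread or of Derby. It extracts only the permission tuple (which codeBase to grant it to has to be read from the stack trace), and the sample text is constructed from the errors quoted in the thread.

```python
import re

# Matches the permission tuple the Java SecurityManager prints on a denial:
#   access denied ("<class>" "<target>" ["<actions>"])
DENIED = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]+)")?\)')

# Targets broad enough that the grant deserves review before it goes in a policy.
BROAD_TARGETS = {"*", "<<ALL FILES>>"}


def denied_permissions(log_text):
    """Return the unique (class, target, actions) tuples, in first-seen order."""
    seen = []
    for m in DENIED.finditer(log_text):
        perm = (m.group(1), m.group(2), m.group(3))
        if perm not in seen:
            seen.append(perm)
    return seen


def policy_line(perm):
    """Render one tuple as a policy-file permission entry."""
    cls, target, actions = perm
    line = f'permission {cls} "{target}"'
    if actions:
        line += f', "{actions}"'
    line += ";"
    if target in BROAD_TARGETS:
        line += "  // broad target: review before granting"
    return line


# Constructed sample: the denials quoted in the thread, condensed.
SAMPLE = '''
Error code 30000, SQL state 38000: The exception 'java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was thrown while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"): java.security.AccessControlException'.
Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
'''

if __name__ == "__main__":
    for p in denied_permissions(SAMPLE):
        print(policy_line(p))
```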