Rick,
Neither Netbeans nor ij dumped the stack, I’m afraid.
The full message is
Error code 30000, SQL state 38000: The exception
'java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")'
was thrown while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied
("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"):
java.security.AccessControlException'.
Line 1, column 1
Did get it working after a while with the security policy below, but
ij will not now run, complaining:
Exception in thread "main" java.security.AccessControlException:
access denied ("java.util.PropertyPermission" "*" "read,write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262)
at java.lang.System.getProperties(System.java:630)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.tools.ij.ij.initFromEnvironment(Unknown Source)
at org.apache.derby.impl.tools.ij.utilMain.initFromEnvironment(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.<init>(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.getMain(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
at org.apache.derby.tools.ij.main(Unknown Source)
=========================================================================================
//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// This template policy file gives examples of how to configure the
// permissions needed to run a Derby network server with the Java
// Security manager.
//
grant codeBase
"file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derby.jar"
{
// These permissions are needed for everyday, embedded Derby usage.
//
permission java.lang.RuntimePermission "createClassLoader";
permission org.apache.derby.security.SystemPermission "engine",
"usederbyinternals";
// Next, the permission to read "derby.*" properties is granted to
// derby.jar. This is necessary for the engine to read derby properties.
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
// The next two properties are used to determine if the VM is 32 or 64 bit.
//
permission java.util.PropertyPermission "sun.arch.data.model", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${derby.system.home}${/}-",
"read,write,delete";
// This permission lets a DBA reload the policy file while the server is
// still running. The policy file is reloaded by invoking the
// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
//
permission java.security.SecurityPermission "getPolicy";
// This permission lets you backup and restore databases to and from
// arbitrary locations in your file system.
//
// This permission also lets you import/export data to and from arbitrary
// locations in your file system.
//
// You may want to restrict this access to specific directories.
//
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
// Permissions needed for JMX based management and monitoring.
//
// Allows this code to create an MBeanServer:
//
permission javax.management.MBeanServerPermission "createMBeanServer";
// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby. Derby must be allowed to register and unregister these
// MBeans. It is possible to allow access only to specific MBeans,
// attributes or operations. To fine tune this permission, see the javadoc of
// javax.management.MBeanPermission or the JMX Instrumentation and Agent
// Specification.
//
permission javax.management.MBeanPermission
"org.apache.derby.*#[org.apache.derby:*]",
"registerMBean,unregisterMBean";
// Trusts Derby code to be a source of MBeans and to register these in the
// MBean server.
//
permission javax.management.MBeanTrustPermission "register";
// getProtectionDomain is an optional permission needed for printing
// classpath information to derby.log
//
permission java.lang.RuntimePermission "getProtectionDomain";
//
// The following permission must be granted for Connection.abort(Executor) to
// work. Note that this permission must also be granted to outer
// (application) code domains.
//
permission java.sql.SQLPermission "callAbort";
// Needed by file permissions restriction system:
//
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
// My additions
permission java.lang.RuntimePermission
"accessClassInPackage.sun.reflect";
};
grant codeBase
"file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derbynet.jar"
{
// These permissions lets the Network Server manage connections from clients.
// Accept connections from any host. Derby is listening to the host interface
// specified via the -h option to "NetworkServerControl start" on the command
// line, via the address parameter to the
// org.apache.derby.drda.NetworkServerControl constructor in the API or via
// the property derby.drda.host; the default is localhost. You may want to
// restrict allowed hosts, e.g. to hosts in a specific subdomain,
// e.g. "*.example.com".
permission java.net.SocketPermission "*", "accept";
// Allow the server to listen to the socket on the default port (1527).
// If you have specified another port number with the -p option to
// "NetworkServerControl start" on the command line, or with the portNumber
// parameter to the NetworkServerControl constructor in the API, or with the
// property derby.drda.portNumber, you should change the port number in the
// permission statement accordingly.
permission java.net.SocketPermission "localhost:1527", "listen";
// Needed for server tracing.
//
permission java.io.FilePermission
"file:///Users/nwalton/.derby/dummy/traces${/}-",
"read,write,delete";
// Needed by file permissions restriction system:
//
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
permission java.util.PropertyPermission
"derby.__serverStartedFromCmdLine",
"read, write";
// Needed to start the monitoring MBeans
permission org.apache.derby.security.SystemPermission "engine",
"usederbyinternals";
// JMX: Uncomment this permission to allow the ping operation of the
// NetworkServerMBean to connect to the Network Server.
//
permission java.net.SocketPermission "*", "connect,resolve";
// Needed by sysinfo. The file permission is needed to check the existence of
// jars on the classpath. You can limit this permission to just the locations
// which hold your jar files.
//
// In this template file, this block of permissions is granted to
// derbynet.jar under the assumption that derbynet.jar is the first jar file
// in your classpath which contains the sysinfo classes. If that is not the
// case, then you will want to grant this block of permissions to the first
// jar file in your classpath which contains the sysinfo classes. Those
// classes are bundled into the following Derby jar files:
//
// derbynet.jar
// derby.jar
// derbyclient.jar
// derbytools.jar
//
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.io.FilePermission "<<ALL FILES>>", "read";
// My additions
permission java.lang.RuntimePermission
"accessClassInPackage.sun.reflect";
//permission java.net.SocketPermission "127.0.0.1:1527" "connect,resolve",
};
Nick
On 19 Feb 2017, at 16:38, Rick Hillegas <rick.hille...@gmail.com> wrote:
Thanks for raising this issue, Nicholas. Can you include the full
stack trace for the error? The template policy may need to grant some
additional privilege to the engine jar file. It is also possible that
you have run into the following defect:
https://issues.apache.org/jira/browse/DERBY-4354
Thanks,
-Rick
On 2/17/17, 9:42 AM, nicholas walton wrote:
Hi,
I need to extend Java’s aggregate functions to include Median, using
the code below
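import java.util.ArrayList;
import java.util.Collections;
import org.apache.derby.agg.Aggregator;

// User-defined Derby aggregate: collects every input value and returns the
// middle element of the sorted list.
public class median<V extends Comparable<V>>
        implements Aggregator<V,V,median<V>>
{
    // Values accumulated so far for the current group.
    private ArrayList<V> _values;

    public median() {}

    // Called by Derby before the first value of a group is accumulated.
    public void init() { _values = new ArrayList<V>(); }

    public void accumulate( V value ) { _values.add( value ); }

    // Combines the partial state of another instance into this one.
    public void merge( median<V> other )
    {
        _values.addAll( other._values );
    }

    // Returns null for an empty group, otherwise the element at index count/2.
    public V terminate()
    {
        Collections.sort( _values );
        int count = _values.size();
        if ( count == 0 ) { return null; }
        else { return _values.get( count/2 ); }
    }
}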
To install I used
CALL SQLJ.INSTALL_JAR('/Users/nwalton/Documents/Databases/derbyStats/dist/derbyStats.jar',
'NWALTON.median',0);
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY
('derby.database.classpath','NWALTON.median');
CREATE DERBY AGGREGATE "NWALTON"."MEDIAN" FOR DOUBLE RETURNS DOUBLE
EXTERNAL NAME 'aggregates.median';
At first this works fine in a trigger or in plain SQL, but after a
while I get the following error:
Error code 30000, SQL state 38000: The exception
'java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")'
was thrown while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied
("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"):
java.security.AccessControlException'.
Line 1, column 1
I’ve Googled to no avail for an answer! Can anyone suggest a
solution? I’m running OS X Sierra, Apache Derby Network Server -
10.6.2.1 - (999685) under Java version 1.8.0_31-b13.
Thanks in advance
Nick
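
Added example, not part of the original thread and not Derby code: a small Python check that reads a policy in the syntax of the file quoted above and reports which codeBase blocks, if any, grant the permission named in an "access denied" message, plus the grants whose target matches everything. The sample policy and its /opt/derby paths are constructed, and name matching is simplified to exact names, "*" and a trailing ".*".

```python
import re

# Constructed sample in the policy syntax used in the thread (paths are placeholders).
SAMPLE_POLICY = '''
grant codeBase "file:///opt/derby/lib/derby.jar" {
  // My additions
  permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
};
grant codeBase "file:///opt/derby/lib/derbynet.jar" {
  permission java.net.SocketPermission "*", "accept";
  permission java.util.PropertyPermission "user.*", "read";
};
'''

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')
DENIED_RE = re.compile(r'access denied\s+\("([^"]+)"\s+"([^"]+)"(?:\s+"([^"]+)")?\)')

def _actions(text):
    return {a.strip() for a in (text or "").split(",") if a.strip()}

def parse_policy(text):
    """Return {codeBase: [(permission class, target name, action set), ...]}."""
    text = re.sub(r'^[ \t]*//.*$', '', text, flags=re.M)  # drop // comment lines
    return {cb: [(c, n, _actions(a)) for c, n, a in PERM_RE.findall(body)]
            for cb, body in GRANT_RE.findall(text)}

def name_implies(granted, wanted):
    """Simplified BasicPermission matching: exact, "*", or a trailing ".*"."""
    return (granted in ("*", wanted)
            or (granted.endswith(".*") and wanted.startswith(granted[:-1])))

def covering_codebases(grants, message):
    """codeBases whose grants cover the permission in an 'access denied' message."""
    m = DENIED_RE.search(message)
    if not m:
        raise ValueError("no 'access denied (...)' permission in message")
    cls, name, wanted = m.group(1), m.group(2), _actions(m.group(3))
    return [cb for cb, perms in grants.items()
            if any(c == cls and name_implies(n, name) and wanted <= acts
                   for c, n, acts in perms)]

def broad_grants(grants):
    """Grants whose target matches everything: "*" or "<<ALL FILES>>"."""
    return [(cb, c, n) for cb, perms in grants.items()
            for c, n, _ in perms if n in ("*", "<<ALL FILES>>")]
```

With the sample, the accessClassInPackage.sun.reflect denial is covered by the derby.jar block, while the PropertyPermission "*" "read,write" denial from the ij trace is covered by no block. The check only says which jars hold a grant; it does not model the full call stack the security manager evaluates.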