[ https://issues.apache.org/jira/browse/DERBY-6438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13852810#comment-13852810 ]
Knut Anders Hatlen commented on DERBY-6438:
-------------------------------------------
For example, if you attempt to start a network server that listens to a port
number lower than 1024 (given that the user has the required OS privileges to
listen to such ports), the network server will fail on startup:
{noformat}
$ java -jar derbynet.jar start -p 1000
Thu Dec 19 11:56:26 CET 2013 : Security manager installed using the Basic server security policy.
Thu Dec 19 11:56:27 CET 2013 : access denied ("java.net.SocketPermission" "localhost:1000" "listen,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:1000" "listen,resolve")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkListen(SecurityManager.java:1137)
    at java.net.ServerSocket.bind(ServerSocket.java:375)
    at java.net.ServerSocket.<init>(ServerSocket.java:237)
    at javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:231)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocket(NetworkServerControlImpl.java:698)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(NetworkServerControlImpl.java:94)
    at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(NetworkServerControlImpl.java:748)
    at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(NetworkServerControlImpl.java:745)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(NetworkServerControlImpl.java:744)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(NetworkServerControlImpl.java:2277)
    at org.apache.derby.drda.NetworkServerControl.main(NetworkServerControl.java:353)
{noformat}
> Explicitly grant SocketPermission "listen" in default server policy
> -------------------------------------------------------------------
>
> Key: DERBY-6438
> URL: https://issues.apache.org/jira/browse/DERBY-6438
> Project: Derby
> Issue Type: Improvement
> Components: Network Server
> Affects Versions: 10.11.0.0
> Reporter: Knut Anders Hatlen
> Assignee: Knut Anders Hatlen
>
> The network server needs SocketPermission "listen" on the port that it
> listens to, but this permission is not granted by the basic server policy
> that's installed by default. This doesn't cause any problems in most cases,
> since the JVM's default policy grants all code bases SocketPermission
> "listen" on a range of ports, and Derby's network server port is within that
> range.
> Still, the network server should not rely on this fact. It is possible to run
> the network server on any port, not only those ports that happen to be in the
> range that's given carte blanche by the platform's default policy. The
> network server will however not be able to run on those ports with the basic
> policy currently, only with a custom policy or with the security manager
> disabled.
> The default policy should make this permission explicit.
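The permission check behind the stack trace above, as an added example that is not part of the original message or of Derby's code. It assumes the JVM default policy grants "listen" on `localhost:1024-` (the message only says "a range of ports"), and the class and method names are hypothetical.

```java
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;

public class ListenPermissionCheck {

    // Collects the "listen" grants a policy would give to the server's code base.
    static Permissions policy(String... listenTargets) {
        Permissions granted = new Permissions();
        for (String target : listenTargets) {
            granted.add(new SocketPermission(target, "listen"));
        }
        return granted;
    }

    // Mirrors the permission that SecurityManager.checkListen(port) demands
    // when ServerSocket.bind() is called, as seen in the stack trace.
    static boolean mayListen(Permissions granted, int port) {
        Permission needed =
            new SocketPermission("localhost:" + port, "listen,resolve");
        return granted.implies(needed);
    }

    public static void main(String[] args) {
        // Assumption: the only "listen" grant comes from the JVM default policy.
        Permissions jvmDefaultOnly = policy("localhost:1024-");

        // Model of the proposed improvement: the server policy also names
        // the port the server was started on (1000 in the example above).
        Permissions withExplicitGrant = policy("localhost:1024-", "localhost:1000");

        int[] ports = {1527, 1000}; // Derby's default port and the failing one
        for (int port : ports) {
            System.out.printf("port %d: default-only=%b, explicit-grant=%b%n",
                port,
                mayListen(jvmDefaultOnly, port),
                mayListen(withExplicitGrant, port));
        }
    }
}
```

With only the assumed default grant, port 1527 is covered by the range while port 1000 is not, which matches the `AccessControlException` in the comment; an explicit grant removes the dependency on the platform policy.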