Re: Questions about policy file and multiple FilePermission lines

[Rick Hillegas]

Hi Kathey,

Some comments inline...
Kathey Marsden wrote:
I am working with a user that is using the network server default 
server.policy file and having an interesting problem.  They create 
their database with an absolute path and *sometimes* they get the 
permission error below.  When they get the failure and set 
java.security.debug to access:failure. They see only two or three of 
the file permissions getting loaded instead of the four that we have 
in the file for derby.jar.

permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "${derby.system.home}","read";  
permission java.io.FilePermission "${derby.system.home}${/}-", 
"read,write,delete";

The user rebuilt derby with only the permission java.io.FilePermission 
"<<ALL FILES>>", "read,write,delete";  FilePermission  in the 
server.policy file and doesn't see the issue.

I actually  haven't reproduced this issue on my machine with almost 
the same revision JVM. I see all 4  permissions listed and have no 
problem creating a database with an absolute path.
They are using:
Java(TM) SE Runtime Environment (build pwi3260sr3-20081106_07(SR3))
IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows XP x86-32 
jvmwi3260-20081105_25433 (JIT enabled, AOT enabled)
J9VM - 20081105_025433_lHdSMr
JIT  - r9_20081031_1330
GC   - 20081027_AB)
JCL  - 20081106_01

They start their network server with an ant script.

I wonder how java should handle having  permission
java.io.FilePermission "<<ALL FILES>>", "read"; and  permission 
java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

Should the JVM be smart enough to figure out the more liberal one and 
go with that?  
Yes. Please see the following description from section 3.3.4 (Assigning 
Permissions) of the Java security spec ( 
http://java.sun.com/j2se/1.5.0/docs/guide/security/spec/security-spec.doc3.html 
):

"If multiple entries are matched, then all the permissions given in 
those entries are granted. In other words, permission assignment is 
additive."

Do we need to keep all four of these or would just the one suffice?
For the default security file, we only need the most liberal permission. 
For the template security file, we should keep all of the permissions as 
examples of what can/should be customized.

Hope this is useful,
-Rick

Here is the error:

ERROR XBM0H: Directory D:\<snip path to database> cannot be created.
       at 
org.apache.derby.iapi.error.StandardException.newException(Unkno
wn Source)
       at 
org.apache.derby.impl.services.monitor.StorageFactoryService.cre
ateServiceRoot(Unknown Source)
       at 
org.apache.derby.impl.services.monitor.BaseMonitor.bootService(U
nknown Source)
       at 
org.apache.derby.impl.services.monitor.BaseMonitor.createPersist
entService(Unknown Source)
       at 
org.apache.derby.iapi.services.monitor.Monitor.createPersistentS
ervice(Unknown Source)
       at 
org.apache.derby.impl.jdbc.EmbedConnection.createDatabase(Unknow
n Source)
       at org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown 
Source)
       at org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown 
Source)
       at org.apache.derby.jdbc.InternalDriver.connect(Unknown Source)
       at org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
       at org.apache.derby.impl.drda.Database.makeConnection(Unknown 
Source)
       at 
org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseNam
e(Unknown Source)
       at 
org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword(U
nknown Source)
       at 
org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(Unknown Source)
       at 
org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection(Un
known Source)
       at 
org.apache.derby.impl.drda.DRDAConnThread.processCommands(Unknow
n Source)
       at org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)
Caused by: java.security.AccessControlException: Access denied 
(java.io.FilePermission D:\<snip path to database> write)
       at 
java.security.AccessController.checkPermission(AccessController.
java:108)
       at 
java.lang.SecurityManager.checkPermission(SecurityManager.java:5
32)
       at java.lang.SecurityManager.checkWrite(SecurityManager.java:962)
       at java.io.File.mkdir(File.java:1167)
       at java.io.File.mkdirs(File.java:1196)
       at 
org.apache.derby.impl.services.monitor.StorageFactoryService$9.r
un(Unknown Source)
       at 
java.security.AccessController.doPrivileged(AccessController.jav
a:251)
       at 
org.apache.derby.impl.services.monitor.StorageFactoryService.cre
ateServiceRoot(Unknown Source)
       at 
org.apache.derby.impl.services.monitor.BaseMonitor.bootService(U
nknown Source)


Here is how I am trying to reproduce based on their description:
start with:

java -Djava.security.debug="access:failure" 
-Dderby.system.home=C:/tmp  -classpath 
"C:/svn/10.3/jars/sane/derbyclient.jar;C:/svn/10.3/jars/sane/derbytools.jar;C:/svn/10.3/jars/sane/derbynet.jar" 
org.apache.derby.drda.NetworkServerControl start -h <my machine>  -p 1692

and connecting with ij with:
connect 'jdbc:derby://<my machine>:1692/C:\path\to\MYDB;create=true';

but like I said I haven't been able to reproduce so far.

Kathey