Rick, Concur with the ij problem, I was caught out by the ij script using DERBY_OPTS and picking up the security policy which left it with no permissions. Easy fix.
As for Derby version I’ve upgraded to Apache Derby Network Server - 10.13.1.1 and that partly fixed things, since before doing that the problem would not go away even with the security policy in place. Thanks for the help. Nick > On 20 Feb 2017, at 15:55, Rick Hillegas <rick.hille...@gmail.com> wrote: > > Hi Nicholas, > > I think that the ij permissions problem is a red herring. That problem arises > because ij is trying to call System.getProperties() but the security policy > does not grant property-reading privilege to derbytools.jar. > > Concerning your original problem: What strikes me as significant is your > observation that aggregation worked for a while and then broke. The only big > state change which occurs during aggregation is when the processing of a > large data set causes the engine to dump intermediate results to a temporary > file. Eventually, those results must be de-serialized from the temporary > file. It is possible that de-serialization can't instantiate your > user-defined aggregate without that extra permission. > > I am afraid that your environment confuses me, though. According to your > original message, you are running Derby 10.6.2.1. However, user-defined > aggregates were not introduced until Derby 10.10.1.1. > > I have created https://issues.apache.org/jira/browse/DERBY-6922 > <https://issues.apache.org/jira/browse/DERBY-6922> to investigate the problem > raised by this issue. > > Hope this helps, > -Rick > > On 2/20/17, 1:54 AM, nicholas walton wrote: >> >> Rick, >> >> Neither Netbeans nor ij dumped the stack, I’m afraid. >> >> The full message is >> >> Error code 30000, SQL state 38000: The exception >> 'java.security.AccessControlException: access denied >> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was >> thrown while evaluating an expression. >> Error code 99999, SQL state XJ001: Java exception: 'access denied >> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"): >> java.security.AccessControlException’. >> Line 1, column 1 >> >> Did get it working after a while with the security policy below, but ij will >> not now run complaining >> >> Exception in thread "main" java.security.AccessControlException: access >> denied ("java.util.PropertyPermission" "*" "read,write") >> at >> java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) >> at java.security.AccessController.checkPermission(AccessController.java:884) >> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) >> at >> java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262) >> at java.lang.System.getProperties(System.java:630) >> at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source) >> at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source) >> at java.security.AccessController.doPrivileged(Native Method) >> at org.apache.derby.impl.tools.ij.ij.initFromEnvironment(Unknown Source) >> at org.apache.derby.impl.tools.ij.utilMain.initFromEnvironment(Unknown >> Source) >> at org.apache.derby.impl.tools.ij.Main.<init>(Unknown Source) >> at org.apache.derby.impl.tools.ij.Main.getMain(Unknown Source) >> at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source) >> at org.apache.derby.impl.tools.ij.Main.main(Unknown Source) >> at org.apache.derby.tools.ij.main(Unknown Source) >> >> ========================================================================================= >> >> // >> // Licensed to the Apache Software Foundation (ASF) under one or more >> // contributor license agreements. See the NOTICE file distributed with >> // this work for additional information regarding copyright ownership. >> // The ASF licenses this file to You under the Apache License, Version 2.0 >> // (the "License"); you may not use this file except in compliance with >> // the License. You may obtain a copy of the License at >> // >> // http://www.apache.org/licenses/LICENSE-2.0 >> <http://www.apache.org/licenses/LICENSE-2.0> >> // >> // Unless required by applicable law or agreed to in writing, software >> // distributed under the License is distributed on an "AS IS" BASIS, >> // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. >> // See the License for the specific language governing permissions and >> // limitations under the License. >> // >> >> // This template policy file gives examples of how to configure the >> // permissions needed to run a Derby network server with the Java >> // Security manager. >> // >> grant codeBase >> "file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derby.jar >> >> <file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derby.jar>" >> { >> // These permissions are needed for everyday, embedded Derby usage. >> // >> permission java.lang.RuntimePermission "createClassLoader"; >> permission org.apache.derby.security.SystemPermission "engine", >> "usederbyinternals"; >> >> // Next, the permission to read "derby.*" properties is granted to >> // derby.jar. This is necessary for the engine to read derby properties. >> permission java.util.PropertyPermission "derby.*", "read"; >> >> permission java.util.PropertyPermission "user.dir", "read"; >> >> // The next two properties are used to determine if the VM is 32 or 64 bit. >> // >> permission java.util.PropertyPermission "sun.arch.data.model", "read"; >> permission java.util.PropertyPermission "os.arch", "read"; >> permission java.io.FilePermission "${derby.system.home}","read"; >> permission java.io.FilePermission "${derby.system.home}${/}-", >> "read,write,delete"; >> >> // This permission lets a DBA reload the policy file while the server is >> // still running. The policy file is reloaded by invoking the >> // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure. >> // >> permission java.security.SecurityPermission "getPolicy"; >> >> // This permission lets you backup and restore databases to and from >> // arbitrary locations in your file system. >> // >> // This permission also lets you import/export data to and from arbitrary >> // locations in your file system. >> // >> // You may want to restrict this access to specific directories. >> // >> permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete"; >> >> // Permissions needed for JMX based management and monitoring. >> // >> // Allows this code to create an MBeanServer: >> // >> permission javax.management.MBeanServerPermission "createMBeanServer"; >> >> // Allows access to Derby's built-in MBeans, within the domain >> // org.apache.derby. Derby must be allowed to register and unregister >> these >> // MBeans. It is possible to allow access only to specific MBeans, >> // attributes or operations. To fine tune this permission, see the javadoc >> of >> // javax.management.MBeanPermission or the JMX Instrumentation and Agent >> // Specification. >> // >> permission javax.management.MBeanPermission >> "org.apache.derby.*#[org.apache.derby:*]", >> "registerMBean,unregisterMBean"; >> >> // Trusts Derby code to be a source of MBeans and to register these in the >> // MBean server. >> // >> permission javax.management.MBeanTrustPermission "register"; >> >> // getProtectionDomain is an optional permission needed for printing >> // classpath information to derby.log >> // >> permission java.lang.RuntimePermission "getProtectionDomain"; >> >> // >> // The following permission must be granted for Connection.abort(Executor) >> to >> // work. Note that this permission must also be granted to outer >> // (application) code domains. >> // >> permission java.sql.SQLPermission "callAbort"; >> >> // Needed by file permissions restriction system: >> // >> permission java.lang.RuntimePermission "accessUserInformation"; >> permission java.lang.RuntimePermission "getFileStoreAttributes"; >> >> // My additions >> permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect"; >> }; >> >> >> >> grant codeBase >> "file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derbynet.jar >> >> <file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derbynet.jar>" >> { >> // These permissions lets the Network Server manage connections from >> clients. >> >> // Accept connections from any host. Derby is listening to the host >> interface >> // specified via the -h option to "NetworkServerControl start" on the >> command >> // line, via the address parameter to the >> // org.apache.derby.drda.NetworkServerControl constructor in the API or via >> // the property derby.drda.host; the default is localhost. You may want to >> // restrict allowed hosts, e.g. to hosts in a specific subdomain, >> // e.g. "*.example.com <http://example.com/>". >> permission java.net.SocketPermission "*", "accept"; >> >> // Allow the server to listen to the socket on the default port (1527). >> // If you have specified another port number with the -p option to >> // "NetworkServerControl start" on the command line, or with the portNumber >> // parameter to the NetworkServerControl constructor in the API, or with >> the >> // property derby.drda.portNumber, you should change the port number in the >> // permission statement accordingly. >> permission java.net.SocketPermission "localhost:1527", "listen"; >> >> // Needed for server tracing. >> // >> permission java.io.FilePermission >> "file:///Users/nwalton/.derby/dummy/traces${/}- >> <file:///Users/nwalton/.derby/dummy/traces$%7B/%7D->", >> "read,write,delete"; >> >> // Needed by file permissions restriction system: >> // >> permission java.lang.RuntimePermission "accessUserInformation"; >> permission java.lang.RuntimePermission "getFileStoreAttributes"; >> permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine", >> "read, write"; >> >> // Needed to start the monitoring MBeans >> permission org.apache.derby.security.SystemPermission "engine", >> "usederbyinternals"; >> >> // JMX: Uncomment this permission to allow the ping operation of the >> // NetworkServerMBean to connect to the Network Server. >> // >> permission java.net.SocketPermission "*", "connect,resolve"; >> >> // Needed by sysinfo. The file permission is needed to check the existence >> of >> // jars on the classpath. You can limit this permission to just the >> locations >> // which hold your jar files. >> // >> // In this template file, this block of permissions is granted to >> // derbynet.jar under the assumption that derbynet.jar is the first jar >> file >> // in your classpath which contains the sysinfo classes. If that is not the >> // case, then you will want to grant this block of permissions to the first >> // jar file in your classpath which contains the sysinfo classes. Those >> // classes are bundled into the following Derby jar files: >> // >> // derbynet.jar >> // derby.jar >> // derbyclient.jar >> // derbytools.jar >> // >> permission java.util.PropertyPermission "user.*", "read"; >> permission java.util.PropertyPermission "java.home", "read"; >> permission java.util.PropertyPermission "java.class.path", "read"; >> permission java.util.PropertyPermission "java.runtime.version", "read"; >> permission java.util.PropertyPermission "java.fullversion", "read"; >> permission java.lang.RuntimePermission "getProtectionDomain"; >> permission java.io.FilePermission "<<ALL FILES>>", "read"; >> >> // My additions >> permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect"; >> //permission java.net.SocketPermission "127.0.0.1:1527" "connect,resolve", >> }; >> >> >> >> >> Nick >> >>> On 19 Feb 2017, at 16:38, Rick Hillegas <rick.hille...@gmail.com >>> <mailto:rick.hille...@gmail.com>> wrote: >>> >>> Thanks for raising this issue, Nicholas. Can you include the full stack >>> trace for the error? The template policy may need to grant some additional >>> privilege to the engine jar file. It is also possible that you have run >>> into the following defect: https://issues.apache.org/jira/browse/DERBY-4354 >>> <https://issues.apache.org/jira/browse/DERBY-4354> >>> >>> Thanks, >>> -Rick >>> >>> On 2/17/17, 9:42 AM, nicholas walton wrote: >>>> >>>> Hi, >>>> >>>> I need to extend Java’s aggregate functions to include Median, using the >>>> code below >>>> >>>> import java.util.ArrayList; >>>> import java.util.Collections; >>>> import org.apache.derby.agg.Aggregator; >>>> >>>> public class median<V extends Comparable<V>> >>>> implements Aggregator<V,V,median<V>> >>>> { >>>> private ArrayList<V> _values; >>>> >>>> public median() {} >>>> >>>> public void init() { _values = new ArrayList<V>(); } >>>> >>>> public void accumulate( V value ) { _values.add( value ); } >>>> >>>> public void merge( median<V> other ) >>>> { >>>> _values.addAll( other._values ); >>>> } >>>> >>>> public V terminate() >>>> { >>>> Collections.sort( _values ); >>>> >>>> int count = _values.size(); >>>> >>>> if ( count == 0 ) { return null; } >>>> else { return _values.get( count/2 ); } >>>> } >>>> } >>>> >>>> To install I used >>>> >>>> CALL >>>> SQLJ.INSTALL_JAR('/Users/nwalton/Documents/Databases/derbyStats/dist/derbyStats.jar', >>>> 'NWALTON.median',0); >>>> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY >>>> ('derby.database.classpath','NWALTON.median’); >>>> >>>> CREATE DERBY AGGREGATE "NWALTON"."MEDIAN" FOR DOUBLE RETURNS DOUBLE >>>> EXTERNAL NAME 'aggregates.median’ ; >>>> >>>> At first this works fine in a trigger or in plain SQL but after a while I >>>> get the following error >>>> >>>> Error code 30000, SQL state 38000: The exception >>>> 'java.security.AccessControlException: access denied >>>> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was >>>> thrown while evaluating an expression. >>>> Error code 99999, SQL state XJ001: Java exception: 'access denied >>>> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"): >>>> java.security.AccessControlException'. >>>> Line 1, column 1 >>>> >>>> I’ve Googled to no avail for an answer! Can anyone suggest a solution. I’m >>>> running OS X Sierra Apache Derby Network Server - 10.6.2.1 - (999685) >>>> under Java version 1.8.0_31-b13. >>>> >>>> Thanks in advance >>>> >>>> Nick >>> >> >
