Hey Mark,
I have reproduced some of your security policy problems with Derby
10.14.2.0 on Java 11. I used the server.policy bundled with the product.
I had to adjust the policy file as follows:
1) Grant derbynet.jar the following additional permissions:
   permission java.util.PropertyPermission "derby.*", "read,write";
   permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";
2) Grant derbytools.jar the following additional permission:
   permission java.util.PropertyPermission "*", "read,write";
3) Grant derbyclient.jar the following additional permission:
   permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";
With those adjustments, the experiments ran successfully. I have
attached the files which I used for these experiments:
zstart - script to boot the server
zij - script to run a simple ij script using the client driver
zstop - script to shut down the server
zz.policy - policy file used by all of the scripts
Hope this helps,
-Rick
On 8/20/18 5:49 AM, Michael Remijan wrote:
Hi Derby users.
I need some help getting the security policy right.
First, here is the command line with all the options for when I start
Derby. I’m pretty sure I got all these correct.
/home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0
-Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527
-Dderby.install.url=file:/home/derby/opt/derby/lib/
-Djava.security.manager
-Djava.security.policy=/var/local/derby/1527/security.policy
-classpath
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
org.apache.derby.drda.NetworkServerControl start
My Java version is:
OpenJDK 64-Bit Server VM Zulu11.1+23 (build 11-ea+22, mixed mode)
My Derby version is:
10.14.2.0
My Derby sysinfo is:
------------------ Java Information ------------------
Java Version: 11-ea
Java Vendor: Azul Systems, Inc.
Java home: /opt/zulu11.1+23-ea-jdk11-linux_x64
Java classpath:
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
OS name: Linux
OS architecture: amd64
OS version: 4.15.0-20-generic
Java user name: derby
Java user home: /home/derby
Java user dir: /opt/db-derby-10.14.2.0-bin/bin
java.specification.name: Java Platform API Specification
java.specification.version: 11
java.runtime.version: 11-ea+22
--------- Derby Information --------
[/opt/db-derby-10.14.2.0-bin/lib/derby.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbytools.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbynet.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbyclient.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbyoptionaltools.jar] 10.14.2.0 - (1828579)
------------------------------------------------------
----------------- Locale Information -----------------
------------------------------------------------------
------------------------------------------------------
I copied the demo file from /demo/templates/server.policy/ and I use
it as my //var/local/derby/1527/security//./ The only change I made to
the demo file was to **uncomment** the following permission:
permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
After running Derby with this security policy (see attached), the
Derby network server is able to start fine and I can connect remote
clients successfully. However, I have 2 problems which I haven’t been
able to resolve.
(1)
The first big problem is I cannot shut down the Derby network
server while it’s running the security policy! Here is the command line
of the shutdown command:
derby 5503 5498 0 07:43 pts/2 00:00:00
/home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0
-Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527
-Dderby.install.url=file:/home/derby/opt/derby/lib/
-Djava.security.manager
-Djava.security.policy=/var/local/derby/1527/security.policy
-classpath
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
org.apache.derby.drda.NetworkServerControl shutdown
Here is the StackTrace I get trying to shutdown:
Mon Aug 20 07:43:45 CDT 2018 : access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")
    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at java.base/java.lang.SecurityManager.checkConnect(SecurityManager.java:824)
    at java.base/java.net.Socket.connect(Socket.java:586)
    at java.base/java.net.Socket.connect(Socket.java:540)
    at java.base/java.net.Socket.<init>(Socket.java:436)
    at java.base/java.net.Socket.<init>(Socket.java:246)
    at java.base/javax.net.DefaultSocketFactory.createSocket(SocketFactory.java:277)
    at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)
    at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.setUpSocket(Unknown Source)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.shutdown(Unknown Source)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
    at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
Any help with this permission problem would be greatly appreciated.
(2)
When I try to run a database backup, I get a file permission exception.
Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/resiste-backup/1527/resiste-backup.sql" "read")
    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
    at java.base/java.io.FileInputStream.<init>(FileInputStream.java:146)
    at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
    at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)
    at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
    at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
    at org.apache.derby.tools.ij.main(Unknown Source)
I’m surprised at this exception because I specifically set the
permission in my security.policy file:
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
So I’m not sure what’s going on with this exception either. Any help
would be appreciated.
Mike
@mjremijan
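#! /bin/bash
#
# Run a derby test: boot the network server under the security manager

derbyJarDir=/Users/rh161140/derby/upgradeReleases/10.14.2.0

# Put every Derby jar on the classpath; avoid an empty (current directory)
# entry when CLASSPATH starts out unset.
for jarfile in "$derbyJarDir"/*
do
    CLASSPATH="${CLASSPATH:+$CLASSPATH:}$jarfile"
done
export CLASSPATH

java -version

# derby.security.port and derby.install.url are referenced from zz.policy
java -cp "$CLASSPATH" \
    -Dderby.stream.error.logSeverityLevel=0 \
    -Dderby.system.home=/Users/rhillegas/derby/mainline \
    -Dderby.security.port=8246 \
    -Djava.security.manager \
    -Djava.security.policy=/Users/rhillegas/derby/mainline/zz.policy \
    -Dderby.install.url="file:$derbyJarDir/" \
    org.apache.derby.drda.NetworkServerControl start -p 8246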
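#! /bin/bash
#
# Run a derby test: run an ij script through the client driver

derbyJarDir=/Users/rh161140/derby/upgradeReleases/10.14.2.0

# Put every Derby jar on the classpath; avoid an empty (current directory)
# entry when CLASSPATH starts out unset.
for jarfile in "$derbyJarDir"/*
do
    CLASSPATH="${CLASSPATH:+$CLASSPATH:}$jarfile"
done
export CLASSPATH

java -version

# derby.security.port and derby.install.url are referenced from zz.policy
java -cp "$CLASSPATH" \
    -Dderby.stream.error.logSeverityLevel=0 \
    -Dderby.system.home=/Users/rhillegas/derby/mainline \
    -Dderby.security.port=8246 \
    -Djava.security.manager \
    -Djava.security.policy=/Users/rhillegas/derby/mainline/zz.policy \
    -Dderby.install.url="file:$derbyJarDir/" \
    org.apache.derby.tools.ij /Users/rhillegas/sql/znet.sql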
#! /bin/bash
#
# Run a derby test: shut down the network server

derbyJarDir=/Users/rh161140/derby/upgradeReleases/10.14.2.0

# Put every Derby jar on the classpath; avoid an empty (current directory)
# entry when CLASSPATH starts out unset.
for jarfile in "$derbyJarDir"/*
do
    CLASSPATH="${CLASSPATH:+$CLASSPATH:}$jarfile"
done
export CLASSPATH

java -version

# derby.security.port and derby.install.url are referenced from zz.policy
java -cp "$CLASSPATH" \
    -Dderby.stream.error.logSeverityLevel=0 \
    -Dderby.system.home=/Users/rhillegas/derby/mainline \
    -Dderby.security.port=8246 \
    -Djava.security.manager \
    -Djava.security.policy=/Users/rhillegas/derby/mainline/zz.policy \
    -Dderby.install.url="file:$derbyJarDir/" \
    org.apache.derby.drda.NetworkServerControl shutdown -p 8246
//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
grant codeBase "${derby.install.url}derby.jar"
{
    // These permissions are needed for everyday, embedded Derby usage.
    //
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.util.PropertyPermission "derby.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

    // The next two properties are used to determine if the VM is 32 or 64 bit.
    //
    permission java.util.PropertyPermission "sun.arch.data.model", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.io.FilePermission "${derby.system.home}","read";
    permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";

    // Needed by sysinfo. A file permission is needed to check the existence of
    // jars on the classpath. You can limit this permission to just the locations
    // which hold your jar files. This block is reproduced for all codebases
    // which include the sysinfo classes--the policy file syntax does not let you
    // grant permissions to several codebases all at once.
    //
    permission java.util.PropertyPermission "user.*", "read";
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.runtime.version", "read";
    permission java.util.PropertyPermission "java.fullversion", "read";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.io.FilePermission "java.runtime.version", "read";
    permission java.io.FilePermission "java.fullversion", "read";
    permission java.io.FilePermission "${derby.install.path}${/}-", "read";

    // Permissions needed for JMX based management and monitoring.
    //
    // Allows this code to create an MBeanServer:
    //
    permission javax.management.MBeanServerPermission "createMBeanServer";

    // Allows access to Derby's built-in MBeans, within the domain
    // org.apache.derby. Derby must be allowed to register and unregister these
    // MBeans. To fine tune this permission, see the javadoc of
    // javax.management.MBeanPermission or the JMX Instrumentation and Agent
    // Specification.
    //
    permission javax.management.MBeanPermission
        "org.apache.derby.*#[org.apache.derby:*]",
        "registerMBean,unregisterMBean";

    // Trusts Derby code to be a source of MBeans and to register these in the
    // MBean server.
    //
    permission javax.management.MBeanTrustPermission "register";

    // Gives permission for jmx to be used against Derby but only if JMX
    // authentication is not being used. In that case the application would need
    // to create a whole set of fine-grained permissions to allow specific users
    // access to MBeans and actions they perform.
    //
    permission org.apache.derby.security.SystemPermission "jmx", "control";
    permission org.apache.derby.security.SystemPermission "engine", "monitor";
    permission org.apache.derby.security.SystemPermission "server", "monitor";

    // getProtectionDomain is an optional permission needed for printing
    // classpath information to derby.log
    //
    permission java.lang.RuntimePermission "getProtectionDomain";

    // The following permission must be granted for Connection.abort(Executor) to
    // work. Note that this permission must also be granted to outer
    // (application) code domains.
    //
    permission java.sql.SQLPermission "callAbort";

    // Needed by FileUtil#limitAccessToOwner
    //
    permission java.lang.RuntimePermission "accessUserInformation";
    permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "${derby.install.url}derbynet.jar"
{
    // These permissions let the Network Server manage connections from clients.
    // Accept connections from any host. Derby is listening to the host interface
    // specified via the -h option to "NetworkServerControl start" on the command
    // line, via the address parameter to the
    // org.apache.derby.drda.NetworkServerControl constructor in the API or via
    // the property derby.drda.host; the default is localhost. You may want to
    // restrict allowed hosts, e.g. to hosts in a specific subdomain,
    // e.g. "*.example.com".
    //
    permission java.net.SocketPermission "*", "accept";

    // Allow the server to listen to the socket on the port specified with the
    // -p option to "NetworkServerControl start" on the command line, or with
    // the portNumber parameter to the NetworkServerControl constructor in the
    // API, or with the property derby.drda.portNumber. The default is 1527.
    permission java.net.SocketPermission "localhost:${derby.security.port}", "listen";

    // Needed for server tracing.
    //
    permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";

    // Needed by FileUtil#limitAccessToOwner
    //
    permission java.lang.RuntimePermission "accessUserInformation";
    permission java.lang.RuntimePermission "getFileStoreAttributes";

    // Needed for NetworkServerMBean access (see JMX section above)
    //
    permission org.apache.derby.security.SystemPermission "server", "control,monitor";
    permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

    // Needed by sysinfo. A file permission is needed to check the existence of
    // jars on the classpath. You can limit this permission to just the locations
    // which hold your jar files. This block is reproduced for all codebases
    // which include the sysinfo classes--the policy file syntax does not let you
    // grant permissions to several codebases all at once.
    //
    permission java.util.PropertyPermission "user.*", "read";
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.runtime.version", "read";
    permission java.util.PropertyPermission "java.fullversion", "read";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.io.FilePermission "java.runtime.version", "read";
    permission java.io.FilePermission "java.fullversion", "read";
    permission java.io.FilePermission "${derby.install.path}${/}-", "read";

    // Additional permissions granted to derbynet.jar for these experiments
    // (item 1 in the message above).
    //
    permission java.util.PropertyPermission "derby.*", "read,write";
    permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";
};
grant codeBase "${derby.install.url}derbytools.jar"
{
    // Needed by sysinfo. A file permission is needed to check the existence of
    // jars on the classpath. You can limit this permission to just the locations
    // which hold your jar files. This block is for all codebases which include
    // the sysinfo classes--the policy file syntax does not let you grant
    // permissions to several codebases all at once.
    //
    permission java.util.PropertyPermission "user.*", "read";
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.runtime.version", "read";
    permission java.util.PropertyPermission "java.fullversion", "read";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.io.FilePermission "java.runtime.version", "read";
    permission java.io.FilePermission "java.fullversion", "read";

    // Additional permission granted to derbytools.jar for these experiments
    // (item 2 in the message above).
    //
    permission java.util.PropertyPermission "*", "read,write";
};
grant codeBase "${derby.install.url}derbyclient.jar"
{
    // Needed by sysinfo. A file permission is needed to check the existence of
    // jars on the classpath. You can limit this permission to just the locations
    // which hold your jar files. This block is reproduced for all codebases
    // which include the sysinfo classes--the policy file syntax does not let you
    // grant permissions to several codebases all at once.
    //
    permission java.util.PropertyPermission "user.*", "read";
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.runtime.version", "read";
    permission java.util.PropertyPermission "java.fullversion", "read";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.io.FilePermission "${derby.install.path}${/}-", "read";

    // The following permission must be granted for Connection.abort(Executor) to
    // work. Note that this permission must also be granted to outer
    // (application) code domains.
    //
    permission java.sql.SQLPermission "callAbort";

    // Additional permission granted to derbyclient.jar for these experiments
    // (item 3 in the message above).
    //
    permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";
};
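
Added example (not code from this thread or from the Derby project): a small triage script that reads an AccessControlException trace like the two quoted above, walks the frames down to the caller of doPrivileged (where the permission check stops), and reports which jar's grant block is missing the denied permission. The package-to-jar table and the name suggest_grants are assumptions made for this sketch.

```python
import re

# Assumption (not stated on the page): the Derby 10.14 jar holding each package.
PACKAGE_TO_JAR = {
    "org.apache.derby.impl.drda.": "derbynet.jar",
    "org.apache.derby.drda.": "derbynet.jar",
    "org.apache.derby.impl.tools.": "derbytools.jar",
    "org.apache.derby.tools.": "derbytools.jar",
}
JDK_PREFIXES = ("java.", "javax.", "jdk.", "sun.")
DENIED = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]+)")?\)')
FRAME = re.compile(r'\bat\s+(?:[\w.]+/)?([\w.$]+)\.([\w$<>]+)\(')

# Excerpts of the two traces quoted in this thread, mail line wrapping kept.
SHUTDOWN_TRACE = """java.security.AccessControlException: access denied
("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")
at
org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)
at
java.base/java.security.AccessController.doPrivileged(Native Method)
at
org.apache.derby.impl.drda.NetworkServerControlImpl.setUpSocket(Unknown
Source)"""
BACKUP_TRACE = """java.security.AccessControlException:
access denied ("java.io.FilePermission"
"/tmp/resiste-backup/1527/resiste-backup.sql" "read")
at
java.base/java.io.FileInputStream.<init>(FileInputStream.java:146)
at org.apache.derby.impl.tools.ij.Main$1.run(Unknown
Source)
at
java.base/java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown
Source)
at org.apache.derby.tools.ij.main(Unknown Source)"""

def suggest_grants(trace):
    """Return (jar, policy line) pairs for one AccessControlException trace."""
    text = " ".join(trace.split())  # undo the line wrapping
    denied = DENIED.search(text)
    if denied is None:
        return []
    perm_class, target, actions = denied.groups()
    line = f'permission {perm_class} "{target}"' + (f', "{actions}";' if actions else ";")
    frames, checked = FRAME.findall(text), []
    for i, (cls, method) in enumerate(frames):
        checked.append(cls)
        if (cls, method) == ("java.security.AccessController", "doPrivileged"):
            # The stack walk ends at doPrivileged's caller: include it, then stop.
            checked.extend(c for c, _ in frames[i + 1:i + 2])
            break
    jars = {jar for c in checked if not c.startswith(JDK_PREFIXES)
            for prefix, jar in PACKAGE_TO_JAR.items() if c.startswith(prefix)}
    return [(jar, line) for jar in sorted(jars)]
```

The emitted target is the literal one from the denial; the zz.policy above grants `localhost:${derby.security.port}` instead, so treat each line as a candidate to narrow before it goes into a grant block.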