Re: -Djava.security.manager=problems for service providers

Tue, 27 Mar 2018 07:09:06 -0700 

Hi,

On 27/03/2018 14:06, Alan Bateman wrote:

Moving this to security-dev.
From the stack trace, it looks like you are using JDK 8 or older. There are several changes in JDK 9 and newer in the PolicyFile code to how it loads its resources that may help with the issues you are seeing. 

-Alan


[snip]


     [java]     at java.util.logging.Logger.log(Logger.java:788)
     [java]     at 
org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:496)


In what logging is concerned, it's probably not a good idea to
use java.util.logging in a Policy/SecurityManager implementation
supplied on the command line as java.util.logging uses
doPrivileged and checks for permissions.

For the record the line that throws in the first stack trace
seems to be this one at LogManager.java:965

    Class<?> clz = ClassLoader.getSystemClassLoader().loadClass(word);

The exception is caught and printed on System.err at line 981
allowing the caller to proceed - so it's not what is
causing the ExceptionInInitializerError, but it shows that
ClassLoader.getSystemClassLoader() is probably returning null
at this point, and it looks like it is the same issue you're
seeing at ResourceBundle.java:502 later on, which prevents the
CombinerSecurityManager to initialize.


Hopes this helps,

-- daniel




On 27/03/2018 13:56, Peter Firmstone wrote:

Not sure if this is the right place to mention this.
Anyone notice that specifying a custom security manager at jvm start up causes issues with service providers loading?   If using the sun PolicyFile implementation, the policy doesn't load due to the provider failure, I have a custom policy implementation that will allow the jvm to run in this state, and other providers are also not loading, such as the logger and JCE.
Note that it doesn't occur if the security manager is set programmatically in the main method at start up, only if it's set via command line option. 

Examples of providers not loading:

     [java] java.lang.NullPointerException
     [java] Can't load log handler "java.util.logging.ConsoleHandler"
     [java] java.lang.NullPointerException
     [java] java.lang.NullPointerException
     [java]     at java.util.logging.LogManager$5.run(LogManager.java:965)      [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at java.util.logging.LogManager.loadLoggerHandlers(LogManager.java:958)      [java]     at java.util.logging.LogManager.initializeGlobalHandlers(LogManager.java:1578)      [java]     at java.util.logging.LogManager.access$1500(LogManager.java:145)      [java]     at java.util.logging.LogManager$RootLogger.accessCheckedHandlers(LogManager.java:1667) 
     [java]     at java.util.logging.Logger.getHandlers(Logger.java:1777)
     [java]     at java.util.logging.Logger.log(Logger.java:735)
     [java]     at java.util.logging.Logger.doLog(Logger.java:765)
     [java]     at java.util.logging.Logger.log(Logger.java:788)
     [java]     at org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:496)      [java]     at org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:469)      [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at org.apache.river.api.security.ConcurrentPolicyFile.readPoliciesNoCheckGuard(ConcurrentPolicyFile.java:468)      [java]     at org.apache.river.api.security.ConcurrentPolicyFile.readPolicyPermissionGrants(ConcurrentPolicyFile.java:243)      [java]     at org.apache.river.api.security.ConcurrentPolicyFile.<init>(ConcurrentPolicyFile.java:253)      [java]     at org.apache.river.api.security.ConcurrentPolicyFile.<init>(ConcurrentPolicyFile.java:226)      [java]     at org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:154)      [java]     at org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:133)      [java]     at org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)      [java]     at org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:162)      [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)      [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)      [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)      [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
     [java]     at java.lang.Class.newInstance(Class.java:442)
     [java]     at sun.misc.Launcher.<init>(Launcher.java:93)
     [java]     at sun.misc.Launcher.<clinit>(Launcher.java:54)
     [java]     at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)      [java]     at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436) 


     [java] Error occurred during initialization of VM
     [java] java.lang.ExceptionInInitializerError
     [java]     at java.util.ResourceBundle.getLoader(ResourceBundle.java:482)      [java]     at java.util.ResourceBundle.getBundle(ResourceBundle.java:783)      [java]     at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)      [java]     at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)      [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)      [java]     at sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)      [java]     at sun.security.provider.PolicyFile.init(PolicyFile.java:626)      [java]     at sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)      [java]     at sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)      [java]     at sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)      [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)      [java]     at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)      [java]     at sun.security.provider.PolicyFile.init(PolicyFile.java:439)      [java]     at sun.security.provider.PolicyFile.<init>(PolicyFile.java:297) 
     [java]     at java.security.Policy.getPolicyNoCheck(Policy.java:196)
     [java]     at java.security.Policy.getPolicy(Policy.java:154)
     [java]     at net.jini.security.Security$7.run(Security.java:1054)
     [java]     at net.jini.security.Security$7.run(Security.java:1052)
     [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at net.jini.security.Security.getPolicy(Security.java:1052)      [java]     at net.jini.security.Security.getContext(Security.java:506)      [java]     at org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:140)      [java]     at org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:132)      [java]     at org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)      [java]     at org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:160)      [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)      [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)      [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)      [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
     [java]     at java.lang.Class.newInstance(Class.java:442)
     [java]     at sun.misc.Launcher.<init>(Launcher.java:93)
     [java]     at sun.misc.Launcher.<clinit>(Launcher.java:54)
     [java]     at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)      [java]     at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436) 
     [java] Caused by: java.lang.NullPointerException
     [java]     at java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:502)      [java]     at java.util.ResourceBundle.getLoader(ResourceBundle.java:482)      [java]     at java.util.ResourceBundle.getBundle(ResourceBundle.java:783)      [java]     at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)      [java]     at sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)      [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)      [java]     at sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)      [java]     at sun.security.provider.PolicyFile.init(PolicyFile.java:626)      [java]     at sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)      [java]     at sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)      [java]     at sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)      [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)      [java]     at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)      [java]     at sun.security.provider.PolicyFile.init(PolicyFile.java:439)      [java]     at sun.security.provider.PolicyFile.<init>(PolicyFile.java:297) 
     [java]     at java.security.Policy.getPolicyNoCheck(Policy.java:196)
     [java]     at java.security.Policy.getPolicy(Policy.java:154)
     [java]     at net.jini.security.Security$7.run(Security.java:1054)
     [java]     at net.jini.security.Security$7.run(Security.java:1052)
     [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at net.jini.security.Security.getPolicy(Security.java:1052)      [java]     at net.jini.security.Security.getContext(Security.java:506) 
     [java] Unexpected exception:
     [java]     at org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:140)      [java]     at org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:132)      [java]     at org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)      [java]     at org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:160)      [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)      [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)      [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)      [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:423) 
     [java]     at java.lang.Class.newInstance(Class.java:442)
     [java]     at sun.misc.Launcher.<init>(Launcher.java:93)
     [java]     at sun.misc.Launcher.<clinit>(Launcher.java:54)
     [java]     at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)      [java]     at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436) 



     [java] java.lang.ExceptionInInitializerError
     [java]     at javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65)      [java]     at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2586)      [java]     at javax.crypto.Cipher.getMaxAllowedKeyLength(Cipher.java:2610)      [java]     at sun.security.ssl.CipherSuite$BulkCipher.isUnlimited(CipherSuite.java:535)      [java]     at sun.security.ssl.CipherSuite$BulkCipher.<init>(CipherSuite.java:507)      [java]     at sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:614)      [java]     at sun.security.ssl.SSLContextImpl.getApplicableCipherSuiteList(SSLContextImpl.java:294)      [java]     at sun.security.ssl.SSLContextImpl.access$100(SSLContextImpl.java:42)      [java]     at sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:425) 
     [java]     at java.lang.Class.forName0(Native Method)
     [java]     at java.lang.Class.forName(Class.java:264)
     [java]     at java.security.Provider$Service.getImplClass(Provider.java:1634)      [java]     at java.security.Provider$Service.newInstance(Provider.java:1592)      [java]     at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)      [java]     at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)      [java]     at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)      [java]     at net.jini.jeri.ssl.Utilities.getServerSSLContextInfo(Utilities.java:712)      [java]     at net.jini.jeri.ssl.Utilities.getSupportedCipherSuites(Utilities.java:284)      [java]     at net.jini.jeri.ssl.SslEndpointImpl.getConnectionContexts(SslEndpointImpl.java:750)      [java]     at net.jini.jeri.ssl.SslEndpointImpl.getCallContext(SslEndpointImpl.java:326)      [java]     at net.jini.jeri.ssl.SslEndpointImpl.newRequest(SslEndpointImpl.java:185)      [java]     at net.jini.jeri.ssl.SslEndpoint.newRequest(SslEndpoint.java:550)      [java]     at net.jini.jeri.BasicObjectEndpoint.newCall(BasicObjectEndpoint.java:421)      [java]     at net.jini.jeri.BasicInvocationHandler.invokeRemoteMethod(BasicInvocationHandler.java:688)      [java]     at net.jini.jeri.BasicInvocationHandler.invoke(BasicInvocationHandler.java:571) 
     [java]     at com.sun.proxy.$Proxy2.registerGroup(Unknown Source)
     [java]     at org.apache.river.start.SharedActivationGroupDescriptor.create(SharedActivationGroupDescriptor.java:370)      [java]     at org.apache.river.qa.harness.SharedGroupAdmin.start(SharedGroupAdmin.java:204)      [java]     at org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:639)      [java]     at org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:660)      [java]     at org.apache.river.qa.harness.ActivatableServiceStarterAdmin.getServiceSharedLogDir(ActivatableServiceStarterAdmin.java:388)      [java]     at org.apache.river.qa.harness.ActivatableServiceStarterAdmin.start(ActivatableServiceStarterAdmin.java:224)      [java]     at org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:639)      [java]     at org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:660)      [java]     at org.apache.river.qa.harness.AdminManager.startLookupService(AdminManager.java:679)      [java]     at org.apache.river.test.spec.lookupservice.QATestRegistrar.construct(QATestRegistrar.java:458)      [java]     at org.apache.river.test.spec.lookupservice.test_set00.EvntLeaseExpiration.construct(EvntLeaseExpiration.java:88)      [java]     at org.apache.river.qa.harness.MasterTest.doTest(MasterTest.java:228)      [java]     at org.apache.river.qa.harness.MasterTest.access$000(MasterTest.java:48)      [java]     at org.apache.river.qa.harness.MasterTest$1.run(MasterTest.java:174)      [java]     at java.security.AccessController.doPrivileged(Native Method)      [java]     at javax.security.auth.Subject.doAsPrivileged(Subject.java:483)      [java]     at org.apache.river.qa.harness.MasterTest.doTestWithLogin(MasterTest.java:171)      [java]     at org.apache.river.qa.harness.MasterTest.main(MasterTest.java:150)      [java] Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism 
     [java]     at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:93)
     [java]     ... 44 more
     [java] Caused by: java.lang.SecurityException: Cannot locate policy or framework files!      [java]     at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:316)      [java]     at javax.crypto.JceSecurity.access$000(JceSecurity.java:50) 
     [java]     at javax.crypto.JceSecurity$1.run(JceSecurity.java:85)
     [java]     at java.security.AccessController.doPrivileged(Native Method) 
     [java]     at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)

Reply via email to