You can disable the security manager, and it will work for you. Your
deployment will be vulnerable to security attacks, though, hence doing this
is not recommended.

On Thu, 9 Nov, 2023, 2:00 pm Alexandros Paramythis,
<alexandros.paramyt...@contexity.ch.invalid> wrote:

> Hi everyone
>
> We are developing a new TokenFilter which, as part of the analysis of
> tokens it performs, needs to make an "external" HTTP request. This
> results in an AccessControlException due to missing
> "java.net.SocketPermission". A relevant excerpt of the stacktrace:
>
> Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "translation.googleapis.com:443" "connect,resolve")
>      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
>      at java.security.AccessController.checkPermission(AccessController.java:897) ~[?:?]
>      at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) ~[?:?]
>      at java.lang.SecurityManager.checkConnect(SecurityManager.java:824) ~[?:?]
>      at sun.net.www.http.HttpClient.openServer(HttpClient.java:552) ~[?:?]
>      at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:265) ~[?:?]
>      at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:372) ~[?:?]
>      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[?:?]
>      at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1187) ~[?:?]
>      at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1081) ~[?:?]
>      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[?:?]
>      at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168) ~[?:?]
>      at repackaged.com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:151) ~[?:?]
>      at repackaged.com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84) ~[?:?]
>      at repackaged.com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1012) ~[?:?]
>      at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552) ~[?:?]
>      at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493) ~[?:?]
>      at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603) ~[?:?]
>      at repackaged.com.google.cloud.translate.spi.v2.HttpTranslateRpc.translate(HttpTranslateRpc.java:112) ~[?:?]
>      at repackaged.com.google.cloud.translate.TranslateImpl$4.call(TranslateImpl.java:124) ~[?:?]
>      at repackaged.com.google.cloud.translate.TranslateImpl$4.call(TranslateImpl.java:121) ~[?:?]
>      at repackaged.com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103) ~[?:?]
>      at repackaged.com.google.cloud.RetryHelper.run(RetryHelper.java:76) ~[?:?]
>      at repackaged.com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50) ~[?:?]
>      at repackaged.com.google.cloud.translate.TranslateImpl.translate(TranslateImpl.java:120) ~[?:?]
>      ... 17 more
>
> What we have tried to address this problem without success:
>
>   * Locating the jar file in different places: in a module dir, in the
>     main lib dir of the installation, in the lib dir of a collection.
>     The exception is the same in all cases.
>   * Changing the security.policy file in solr/server/etc and adding
>     permissions like this:
>        permission java.net.SocketPermission "translation.googleapis.com", "connect,resolve";
>        permission java.net.SocketPermission "translation.googleapis.com:443", "connect,resolve";
>     For reference, we have tried all of the aforementioned locations of
>     the jar file with both the original and the modified security.policy
>     files.
>
> Does anyone have any suggestions on what additional / different steps
> are necessary to allow such calls?
>
> Thanks in advance for any input or pointers to relevant documentation
> that we may have missed!
>
> Best regards,
>
> Alex
>
