Hi everyone,

In case anyone else stumbles upon this: this was a case of using parallel Java streams, which makes use of threads from the Fork-Join pool, for which different security restrictions apply than for the "normal" threads. Modifying our code to not use parallel streams solved the problem.

Kind regards,

Alex

On 09/11/2023 09:29, Alexandros Paramythis wrote:

Hi everyone

We are developing a new TokenFilter which, as part of the analysis of tokens it performs, needs to make an "external" HTTP request. This results in an AccessControlException due to missing "java.net.SocketPermission". A relevant excerpt of the stack trace:

Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "translation.googleapis.com:443" "connect,resolve")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
    at java.security.AccessController.checkPermission(AccessController.java:897) ~[?:?]
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) ~[?:?]
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:824) ~[?:?]
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:552) ~[?:?]
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:265) ~[?:?]
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:372) ~[?:?]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1187) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1081) ~[?:?]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[?:?]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168) ~[?:?]
    at repackaged.com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:151) ~[?:?]
    at repackaged.com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84) ~[?:?]
    at repackaged.com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1012) ~[?:?]
    at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552) ~[?:?]
    at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493) ~[?:?]
    at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603) ~[?:?]
    at repackaged.com.google.cloud.translate.spi.v2.HttpTranslateRpc.translate(HttpTranslateRpc.java:112) ~[?:?]
    at repackaged.com.google.cloud.translate.TranslateImpl$4.call(TranslateImpl.java:124) ~[?:?]
    at repackaged.com.google.cloud.translate.TranslateImpl$4.call(TranslateImpl.java:121) ~[?:?]
    at repackaged.com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103) ~[?:?]
    at repackaged.com.google.cloud.RetryHelper.run(RetryHelper.java:76) ~[?:?]
    at repackaged.com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50) ~[?:?]
    at repackaged.com.google.cloud.translate.TranslateImpl.translate(TranslateImpl.java:120) ~[?:?]
    ... 17 more

What we have tried to address this problem without success:

  * Locating the jar file in different places: in a module dir, in the
    main lib dir of the installation, in the lib dir of a collection.
    The exception is the same in all cases.
  * Changing the security.policy file in solr/server/etc and adding
    permissions like this:
      permission java.net.SocketPermission "translation.googleapis.com", "connect,resolve";
      permission java.net.SocketPermission "translation.googleapis.com:443", "connect,resolve";
    For reference, we have tried all of the aforementioned locations
    of the jar file with both the original and the modified
    security.policy files.

Does anyone have any suggestions on what additional / different steps are necessary to allow such calls?

Thanks in advance for any input or pointers to relevant documentation that we may have missed!

Best regards,

Alex
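
The cause described in the reply at the top of this thread, as an added example that is not part of either message: with a Security Manager installed, the common Fork-Join pool supplies worker threads that have no permissions enabled (per the ForkJoinPool Javadoc), while the calling thread, which also executes part of a parallel stream, keeps its own. The class name, item count and the demo.policy file are assumptions made for the illustration; the host and port are the ones in the stack trace.

```java
import java.util.Map;
import java.util.TreeMap;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

// Added illustration, not code from the thread. Compile with javac, then run on a JDK
// that still supports the Security Manager (for example 11 or 17):
//   java -Djava.security.manager -Djava.security.policy=demo.policy -cp . ForkJoinPermissionDemo
// demo.policy (assumed file) holds one grant for all code:
//   grant { permission java.net.SocketPermission "translation.googleapis.com:443", "connect,resolve"; };
public class ForkJoinPermissionDemo {

    // Performs the same SecurityManager.checkConnect call seen in the stack trace,
    // without opening a connection, and reports which kind of thread ran it.
    static String probe(int item) {
        String outcome = "no SecurityManager installed";
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            try {
                sm.checkConnect("translation.googleapis.com", 443);
                outcome = "allowed";
            } catch (SecurityException e) { // AccessControlException is a subclass
                outcome = "DENIED";
            }
        }
        return Thread.currentThread().getClass().getSimpleName() + " -> " + outcome;
    }

    // Counts how many items ended with each "thread type -> outcome" pair.
    static Map<String, Long> run(IntStream items) {
        return new TreeMap<>(items.boxed().collect(
                Collectors.groupingByConcurrent(ForkJoinPermissionDemo::probe, Collectors.counting())));
    }

    public static void main(String[] args) {
        // Sequential: every item runs on the calling thread, so the policy grant applies.
        System.out.println("sequential: " + run(IntStream.range(0, 64)));
        // Parallel: items are split between the calling thread and common-pool workers,
        // so the same check can pass for some items and be denied for others.
        System.out.println("parallel:   " + run(IntStream.range(0, 64).parallel()));
    }
}
```

Because the split between the calling thread and the pool workers varies from run to run, the denied count in the parallel case is not fixed, which is also why editing security.policy alone does not make the failure go away.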

