Hi everyone,

In case anyone else stumbles upon this: this was a case of using
parallel Java streams, which makes use of threads from the Fork-Join
pool, for which different security restrictions apply than for the
"normal" threads. Modifying our code to not use parallel streams solved
the problem.

Kind regards,
Alex

On 09/11/2023 09:29, Alexandros Paramythis wrote:

Hi everyone

We are developing a new TokenFilter which, as part of the analysis of
tokens it performs, needs to make an "external" HTTP request. This
results in an AccessControlException due to missing
"java.net.SocketPermission". A relevant excerpt of the stacktrace:

Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "translation.googleapis.com:443" "connect,resolve")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
    at java.security.AccessController.checkPermission(AccessController.java:897) ~[?:?]
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) ~[?:?]
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:824) ~[?:?]
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:552) ~[?:?]
    at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:265) ~[?:?]
    at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:372) ~[?:?]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1187) ~[?:?]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1081) ~[?:?]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[?:?]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:168) ~[?:?]
    at repackaged.com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:151) ~[?:?]
    at repackaged.com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:84) ~[?:?]
    at repackaged.com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1012) ~[?:?]
    at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:552) ~[?:?]
    at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:493) ~[?:?]
    at repackaged.com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:603) ~[?:?]
    at repackaged.com.google.cloud.translate.spi.v2.HttpTranslateRpc.translate(HttpTranslateRpc.java:112) ~[?:?]
    at repackaged.com.google.cloud.translate.TranslateImpl$4.call(TranslateImpl.java:124) ~[?:?]
    at repackaged.com.google.cloud.translate.TranslateImpl$4.call(TranslateImpl.java:121) ~[?:?]
    at repackaged.com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:103) ~[?:?]
    at repackaged.com.google.cloud.RetryHelper.run(RetryHelper.java:76) ~[?:?]
    at repackaged.com.google.cloud.RetryHelper.runWithRetries(RetryHelper.java:50) ~[?:?]
    at repackaged.com.google.cloud.translate.TranslateImpl.translate(TranslateImpl.java:120) ~[?:?]
    ... 17 more

What we have tried to address this problem without success:
* Locating the jar file in different places: in a module dir, in the
main lib dir of the installation, in the lib dir of a collection.
The exception is the same in all cases.
* Changing the security.policy file in solr/server/etc and adding
permissions like this:
      permission java.net.SocketPermission "translation.googleapis.com", "connect,resolve";
      permission java.net.SocketPermission "translation.googleapis.com:443", "connect,resolve";
For reference, we have tried all of the aforementioned locations
of the jar file with both the original and the modified
security.policy files.

Does anyone have any suggestions on what additional / different steps
are necessary to allow such calls?

Thanks in advance for any input or pointers to relevant documentation
that we may have missed!

Best regards,
Alex
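
Added example, not code from the thread or from Solr: a small diagnostic for the cause named in the reply at the top, showing which threads execute per-token work in a sequential versus a parallel stream. The class name and the `lookup` stand-in for the filter's remote call are hypothetical; per the `ForkJoinPool` documentation, when a SecurityManager is present and no thread factory is configured, the common pool supplies worker threads with no permissions enabled, so a grant in security.policy does not reach work that lands on them.

```java
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentSkipListSet;
import java.util.concurrent.ForkJoinWorkerThread;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import java.util.stream.Stream;

public class StreamThreadCheck {

    // Hypothetical stand-in for the token filter's HTTP call: it performs no
    // network I/O and only records which thread was asked to do the work.
    static String lookup(String token, Set<String> seen) {
        Thread t = Thread.currentThread();
        String kind = (t instanceof ForkJoinWorkerThread)
                ? "fork-join worker"
                : "caller thread";
        seen.add(kind + ": " + t.getName() + " [" + t.getClass().getName() + "]");
        return token.toUpperCase();
    }

    // Runs the per-token work over the given stream and returns the distinct
    // threads that executed it.
    static Set<String> threadsUsed(Stream<String> tokens) {
        Set<String> seen = new ConcurrentSkipListSet<>();
        tokens.map(tok -> lookup(tok, seen)).collect(Collectors.toList());
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample input: enough elements for the parallel stream
        // to split the work across the common pool.
        List<String> tokens = IntStream.range(0, 10_000)
                .mapToObj(i -> "tok" + i)
                .collect(Collectors.toList());

        // Sequential stream: all work stays on the thread that called it.
        System.out.println("sequential:");
        threadsUsed(tokens.stream()).forEach(s -> System.out.println("  " + s));

        // Parallel stream: work is also handed to ForkJoinPool.commonPool()
        // workers, which is where the permission check in the trace failed.
        System.out.println("parallel:");
        threadsUsed(tokens.parallelStream()).forEach(s -> System.out.println("  " + s));
    }
}
```

Printing the thread class alongside the name makes it visible which worker type the JVM supplied in the environment where the check is run.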