Posted to derby-dev@db.apache.org by "Daniel John Debrunner (JIRA)" <ji...@apache.org> on 2007/07/20 20:15:06 UTC

[jira] Created: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
------------------------------------------------------------------------------------------

                 Key: DERBY-2963
                 URL: https://issues.apache.org/jira/browse/DERBY-2963
             Project: Derby
          Issue Type: Bug
          Components: Network Server
    Affects Versions: 10.3.1.2
         Environment: SuseLinux 10
IBM JVM 1.5
            Reporter: Daniel John Debrunner
            Priority: Critical


I start the server using an IPv4 address:

java -jar derbyrun.jar server start -h x.x.x.x

Then I connect from a remote client and hit an AccessControlException.

The IP in the exception is that of the *client*, not the server.

This setup works in 10.2.2.0.

Same problem if the hostname is in derby.properties.

Problem can be worked around by using -noSecurityManager when starting the server.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Re: [jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik" <Da...@Sun.COM>.
Manjula Kutty <ma...@gmail.com> writes:

> Thanks Dag for the fix and porting to 10.3. Hopefully we will have
> 10.3.1.4RC soon with this fix

Thanks for your help with testing this one :) I will update the docs
before I close it.

Dag

Re: [jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by Manjula Kutty <ma...@gmail.com>.
Thanks Dag for the fix and porting to 10.3. Hopefully we will have
10.3.1.4RC soon with this fix

Regards
Manjula


On 7/25/07, Dag H. Wanvik (JIRA) <ji...@apache.org> wrote:
>
>
>    [
> https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515385]
>
> Dag H. Wanvik commented on DERBY-2963:
> --------------------------------------
>
> Committed on the 10.3 branch as svn 559555.
>
>
> > AccessControlException: Access denied java.net.SocketPermission <client
> ip> accept,resolve
> >
> ------------------------------------------------------------------------------------------
> >
> >                 Key: DERBY-2963
> >                 URL: https://issues.apache.org/jira/browse/DERBY-2963
> >             Project: Derby
> >          Issue Type: Bug
> >          Components: Network Server
> >    Affects Versions: 10.3.1.2, 10.3.1.3
> >         Environment: SuseLinux 10
> > IBM JVM 1.5
> >            Reporter: Daniel John Debrunner
> >            Assignee: Dag H. Wanvik
> >            Priority: Blocker
> >             Fix For: 10.3.1.4, 10.4.0.0
> >
> >         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff,
> DERBY-2963-1.stat
> >
> >
> > I start the server using an ipv4 address
> > java derbyrun.jar server start -h x.x.x.x
> > Then I connect from a remote client  and hit an AccessControlException
> > The ip in the exception is that of the *client*, not the server.
> > This setup works in 10.2.2.0.
> > Same problem if the hostname is in derby.properties
> > Problem can be worked around by using -noSecurityManager when starting
> the server
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>


-- 
Thanks,
Manjula.

[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Manjula Kutty (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515084 ] 

Manjula Kutty commented on DERBY-2963:
--------------------------------------

This solution looks fine to me. Also I don't think we should allow default policy to allow using privileged ports. I will be applying the patch and will test on both regular and IPv6 machines.


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515385 ] 

Dag H. Wanvik commented on DERBY-2963:
--------------------------------------

Committed on the 10.3 branch as svn 559555.


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4, 10.4.0.0
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Manjula Kutty (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514288 ] 

Manjula Kutty commented on DERBY-2963:
--------------------------------------

I found it happening on both IPv6 and IPv4 machines. IPv6 machines gave me the stack trace as follows:
java.security.AccessControlException: Access denied (java.net.SocketPermission [2002:92a:8f7a:13:9:42:73:218]:32813 accept,resolve)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at java.lang.SecurityManager.checkAccept(SecurityManager.java:1172)
        at java.net.ServerSocket.implAccept(ServerSocket.java:466)
        at java.net.ServerSocket.accept(ServerSocket.java:433)
        at org.apache.derby.impl.drda.ClientThread$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(AccessController.java:242)
        at org.apache.derby.impl.drda.ClientThread.run(Unknown Source)


IPv4 machine didn't give any exception other than the following error message:
ij>connect 'jdbc:derby://incus.rtp.raleigh.ibm.com:1527/ipv6db;create=true;user=user2;password=pass2';
ERROR 58009: Insufficient data while reading from the network - expected a minimum of 6 bytes and received only -1 bytes.  The connection has been terminated.
ij>




> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Myrna van Lunteren (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514473 ] 

Myrna van Lunteren commented on DERBY-2963:
-------------------------------------------


:-) See the problem description of this bug:

Dan wrote:

I was pretty sure this is what you'd say, - derbyrun.jar kicks off
NetworkServerControl - but I just wanted to be sure.

My next questions are:
- what is the difference between this approach and the steps you
tested that worked for ipv6 for DERBY-2874?
and to pinpoint the problem better:
- does the current problem happen with 10.3.0.0 beta? 10.3.1.1?
- does the problem occur with 10.2.2.0 when security policy is enabled
(i.e. is it a problem with the security policy being on by default, or
is it a more insidious problem with network server. I'm asking because
Dan reported the problem does not occur with 10.3.1.2 when the server
is started with -noSecurityManager).

I hope someone with access to an IPV6 can go through the hoops of
providing these answers, or someone with understanding of the problem
can come forward and fix it.
I believe Rick, who implemented the secure server by default (&fixed
DERBY-2874) is not available this week to fix anything, so if it's in
that area we may have to wait for more than a week for a fix unless
someone else steps up...

Myrna


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Updated: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2963:
---------------------------------

    Attachment: DERBY-2963-1.stat
                DERBY-2963-1.diff

Uploading a tentative patch against 10.3 trunk widening the
SocketPermission to "*", "accept" (not for commit yet).
Running regression tests now.

If we make this change we would need to update the documentation
(and preferably the func spec).


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514678 ] 

Daniel John Debrunner commented on DERBY-2963:
----------------------------------------------

Does this patch work if localhost is specified as the host to listen on?

Just wondering because the security documentation has the permission "listen" which is only used for localhost, so I wonder if accept works when listening on localhost.

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Closed: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik closed DERBY-2963.
--------------------------------


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.4
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4, 10.4.0.0
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat, DERBY-2963-docs-1.diff, DERBY-2963-docs-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514645 ] 

Dag H. Wanvik commented on DERBY-2963:
--------------------------------------

I also see the issue regardless of whether derbyrun.jar is used or not.

It seems the default policy file installed intentionally does *not*
open access to remote clients. I am not sure, but I seem to remember
this being discussed (DERBY-2196) and found to be acceptable? However,
the release notes do not indicate this, which would seem to indicate
it is not the intended behavior, in which case it is a bug, not a
"feature".

Changing this line in server.policy:

  permission java.net.SocketPermission "${derby.security.host}", "accept"; 

to:

  permission java.net.SocketPermission "*", "accept"; 

lets me connect from any host to the interface name given in -h option.


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514803 ] 

Dag H. Wanvik commented on DERBY-2963:
--------------------------------------

Good question, Dan. My testing indicates it works, but I don't really understand why.
I can't find anywhere that "listen" is implied by "accept".  I'll see what I can find out.


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Updated: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Manjula Kutty (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manjula Kutty updated DERBY-2963:
---------------------------------

    Priority: Blocker  (was: Critical)

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515028 ] 

Dag H. Wanvik commented on DERBY-2963:
--------------------------------------

Did some digging on the "listen" privilege and the other socket
privileges.

The default policy file (java.home/lib/security/java.policy) contains
this line:

        // allows anyone to listen on un-privileged ports
        permission java.net.SocketPermission "localhost:1024-", "listen";

If the user specifies a port below 1024, the default policy file would
not work for any interface. Is this acceptable? For running with root
privileges, privileged ports is a valid use case, otherwise "1024-" is
enough. To handle privileged ports we need to add another line to the
policy file:

       permission java.net.SocketPermission "localhost", "listen"; 

or, to tighten it down, add code to produce the correct line e.g. so
for IPv4 (would not work for IPv6 probably..)
   
    permission java.net.SocketPermission "localhost:${derby.security.port}", "listen"; 

(Note that even if we specify -h x.x.x.x it is still "localhost" that
needs to get the extra privileges for listening.)

Other than "listen" and "accept", we also need "resolve", but that is
implied by "accept".

So in summary, the present patch is sufficient; unless we want the
default policy to allow using privileged ports. What do you think?


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server

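The permission checks discussed in the comment above can be reproduced with `SocketPermission.implies()` directly, without installing a security manager. This is an added example, not code from the Derby project: the class name is hypothetical, the addresses are constructed samples, and it assumes `${derby.security.host}` expands to the value given with -h.

```java
import java.net.SocketPermission;

public class AcceptPermissionDemo { // hypothetical class name

    /** True when a policy grant (host, actions) covers the requested permission. */
    static boolean covers(String grantHost, String grantActions,
                          String reqHost, String reqActions) {
        return new SocketPermission(grantHost, grantActions)
                .implies(new SocketPermission(reqHost, reqActions));
    }

    /** Prints the outcome and fails loudly if it differs from what the thread reports. */
    static void check(String label, boolean expected, boolean actual) {
        System.out.printf("%-60s %s%n", label, actual ? "granted" : "DENIED");
        if (expected != actual) {
            throw new IllegalStateException("unexpected result for: " + label);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values (documentation address ranges).
        String serverHost = "192.0.2.10";        // stands in for the -h x.x.x.x value
        String clientV4 = "198.51.100.7:32813";  // remote client endpoint
        String clientV6 = "[2001:db8::7]:32813"; // IPv6 literals go in brackets

        // ServerSocket.accept() calls SecurityManager.checkAccept() with the
        // *client's* host and port, so that endpoint is what the grant must cover.
        // A grant naming only the server's own address therefore never matches
        // a remote client.
        check("server-host 'accept' grant vs IPv4 client", false,
              covers(serverHost, "accept", clientV4, "accept,resolve"));

        // The widened grant from the patch: "*" matches any host and any port.
        check("'*' accept grant vs IPv4 client", true,
              covers("*", "accept", clientV4, "accept,resolve"));
        check("'*' accept grant vs IPv6 client", true,
              covers("*", "accept", clientV6, "accept,resolve"));

        // "resolve" is implied by "accept"; "listen" is not.
        check("'*' accept grant vs 'resolve' request", true,
              covers("*", "accept", clientV4, "resolve"));
        check("'*' accept grant vs 'listen' on localhost:1527", false,
              covers("*", "accept", "localhost:1527", "listen"));

        // The JRE default java.policy line quoted above is what lets the server
        // listen on an unprivileged port; it does not reach ports below 1024.
        check("'localhost:1024-' listen grant vs localhost:1527", true,
              covers("localhost:1024-", "listen", "localhost:1527", "listen"));
        check("'localhost:1024-' listen grant vs localhost:80", false,
              covers("localhost:1024-", "listen", "localhost:80", "listen"));
    }
}
```

A policy that names specific client hosts or a subnet wildcard such as `*.example.org` in place of `"*"` keeps the accept grant narrower where the set of clients is known.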


[jira] Issue Comment Edited: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514645 ] 

Dag H. Wanvik edited comment on DERBY-2963 at 7/23/07 7:59 AM:
---------------------------------------------------------------

I also see the issue regardless of whether derbyrun.jar is used or not (IPv4,
on Solaris).

It seems the default policy file installed intentionally does *not*
open access to remote clients. I am not sure, but I seem to remember
this being discussed (DERBY-2196) and found to be acceptable? However,
the release notes do not indicate this, which would seem to indicate
it is not the intended behavior, in which case it is a bug, not a
"feature".

Changing this line in server.policy:

  permission java.net.SocketPermission "${derby.security.host}", "accept"; 

to:

  permission java.net.SocketPermission "*", "accept"; 

lets me connect from any host to the interface name given in -h option.



 was:
I also see the issue regardless of whether derbyrun.jar is used or not.

It seems the default policy file installed intentionally does *not*
open access to remote clients. I am not sure, but I seem to remember
this being discussed (DERBY-2196) and found to be acceptable? However,
the release notes do not indicate this, which would seem to indicate
it is not the intended behavior, in which case it is a bug, not a
"feature".

Changing this line in server.policy:

  permission java.net.SocketPermission "${derby.security.host}", "accept"; 

to:

  permission java.net.SocketPermission "*", "accept"; 

lets me connect from any host to the interface name given in -h option.


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Assigned: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik reassigned DERBY-2963:
------------------------------------

    Assignee: Dag H. Wanvik

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515429 ] 

Dag H. Wanvik commented on DERBY-2963:
--------------------------------------

Committed doc patch (DERBY-2963-docs-1) to doc trunk as svn 559616.


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4, 10.4.0.0
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat, DERBY-2963-docs-1.diff, DERBY-2963-docs-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515443 ] 

Dag H. Wanvik commented on DERBY-2963:
--------------------------------------

Merged doc patch to docs 10.3 branch as svn 559632.

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4, 10.4.0.0
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat, DERBY-2963-docs-1.diff, DERBY-2963-docs-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Updated: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2963:
---------------------------------

    Attachment: DERBY-2963-docs-1.stat
                DERBY-2963-docs-1.diff

Uploading a diff for the admin guide so it can stay in synch
with the policy template file.

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4, 10.4.0.0
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat, DERBY-2963-docs-1.diff, DERBY-2963-docs-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Updated: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2963:
---------------------------------

       Derby Info: [Patch Available, Regression]  (was: [Regression, Patch Available])
    Fix Version/s: 10.4.0.0

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4, 10.4.0.0
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Manjula Kutty (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514461 ] 

Manjula Kutty commented on DERBY-2963:
--------------------------------------

No, it is not with the derbyrun.jar. I haven't used derbyrun.jar at all. It is from using the NetworkServerControl command. Is there a known problem with the derbyrun.jar?

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515318 ] 

Dag H. Wanvik commented on DERBY-2963:
--------------------------------------

Committed on trunk as svn 559436. I will merge to the 10.3 branch
as soon as my tests are done.

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Updated: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2963:
---------------------------------

    Attachment: DERBY-2963-1.diff

Uploading the version I committed. I improved the
comment a bit relative to the first version, since the
template policy file will go into the manual, too.

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Myrna van Lunteren (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514439 ] 

Myrna van Lunteren commented on DERBY-2963:
-------------------------------------------

Just to make sure - is this only when using derbyrun.jar, or also when using NetworkServerControl directly? 

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Manjula Kutty (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12514795 ] 

Manjula Kutty commented on DERBY-2963:
--------------------------------------

This was working with 551289M with Rick's fix for DERBY-2874 on IPv6 machines.

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Manjula Kutty (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515126 ] 

Manjula Kutty commented on DERBY-2963:
--------------------------------------

This patch works fine. I tested the following scenarios:

1. Starting the server by giving the -h option with an IP address
java org.apache.derby.drda.NetworkServerControl start -h 9.72.143.153

2. Starting the server with -h 0.0.0.0
java org.apache.derby.drda.NetworkServerControl start -h 0.0.0.0

3. Starting the server by giving the -h option with an IP address on IPv6 machines
java org.apache.derby.drda.NetworkServerControl start -h 2002:92a:8f7a:13:9:42:74:19


All of them work fine. I would appreciate it if we could include this patch in our release candidate.


> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
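
The exception in this issue names the client because Java checks the `accept` action against the connecting peer's address and port, so a grant scoped to any other host does not cover it. The following is an added example, not Derby's code or its policy template; the class name, the addresses and the four grants are constructed for illustration, and the grant scoped to the listening address is an assumption, not a quote from the Derby policy file.

```java
import java.net.SocketPermission;

// Added illustration; not Derby code and not Derby's policy template.
public class AcceptPermissionCheck {

    // The permission demanded when a peer connects: it names the remote
    // peer's address and port, not the interface the server listens on.
    static SocketPermission demandFor(String peerAddr, int peerPort) {
        // IPv6 literals must be bracketed when a port follows.
        String host = peerAddr.indexOf(':') >= 0 ? "[" + peerAddr + "]" : peerAddr;
        return new SocketPermission(host + ":" + peerPort, "accept,resolve");
    }

    // True when the granted permission covers an accept from this peer.
    static boolean allowed(SocketPermission grant, String peerAddr, int peerPort) {
        return grant.implies(demandFor(peerAddr, peerPort));
    }

    public static void main(String[] args) {
        // Constructed documentation addresses (RFC 5737, RFC 3849).
        String listenAddr = "192.0.2.10";               // stands in for the -h value
        String[] peers = { "198.51.100.7", "2001:db8::7" };
        int peerPort = 40000;                           // constructed ephemeral port

        SocketPermission[] grants = {
            // Hypothetical grant scoped to the server's own listening address.
            new SocketPermission(listenAddr + ":*", "accept"),
            // Grant scoped to one specific client.
            new SocketPermission("198.51.100.7:*", "accept"),
            // Right host, wrong action: connect does not imply accept.
            new SocketPermission("198.51.100.7:*", "connect"),
            // Wildcard host: every peer is covered.
            new SocketPermission("*", "accept"),
        };

        for (SocketPermission g : grants) {
            for (String peer : peers) {
                System.out.printf("grant %-16s %-16s peer %-13s -> %s%n",
                        g.getName(), g.getActions(), peer,
                        allowed(g, peer, peerPort) ? "allowed" : "denied");
            }
        }
    }
}
```

Only IP literals and the bare `*` wildcard are used, so `implies` needs no name lookups and the example runs offline. A grant on `*` with `accept` leaves filtering of client addresses to the network layer, since the policy no longer restricts who may connect.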


[jira] Resolved: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik resolved DERBY-2963.
----------------------------------

    Resolution: Fixed
    Derby Info: [Regression]  (was: [Regression, Patch Available])

Fixed in source and docs on trunk and 10.3, resolving.

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Assignee: Dag H. Wanvik
>            Priority: Blocker
>             Fix For: 10.3.1.4, 10.4.0.0
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.diff, DERBY-2963-1.stat, DERBY-2963-docs-1.diff, DERBY-2963-docs-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server



[jira] Updated: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission accept,resolve

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2963:
---------------------------------

           Derby Info: [Patch Available, Regression]  (was: [Regression])
    Affects Version/s: 10.3.1.3
        Fix Version/s: 10.3.1.4

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.3.1.2, 10.3.1.3
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>             Fix For: 10.3.1.4
>
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
>
>
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client  and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in 10.2.2.0.
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server
