Posted to derby-dev@db.apache.org by Kathey Marsden <km...@sbcglobal.net> on 2007/09/25 18:07:00 UTC

Server tracing not allowed with default security manager policy file

I noticed that server side tracing, setting
derby.drda.traceAll=true
is not allowed with the default network server policy file.  Was this an 
intentional change in behaviour or is it a bug?

Thanks

Kathey


[C:/kmarsden/repro/DERBY-3085] java TestBlob
Access denied (java.io.FilePermission Server1.trace write)
java.security.AccessControlException: Access denied (java.io.FilePermission Server1.trace write)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at java.lang.SecurityManager.checkWrite(SecurityManager.java:977)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:195)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:96)
        at java.io.FileWriter.<init>(FileWriter.java:69)
        at org.apache.derby.impl.drda.DssTrace.startComBufferTrace(DssTrace.java:170)
        at org.apache.derby.impl.drda.Session.initTrace(Session.java:137)
        at org.apache.derby.impl.drda.Session.initialize(Session.java:257)
        at org.apache.derby.impl.drda.Session.<init>(Session.java:94)
        at org.apache.derby.impl.drda.NetworkServerControlImpl.addSession(NetworkServerControlImpl.java:3673)
        at org.apache.derby.impl.drda.ClientThread.run(ClientThread.java:80)



Re: Server tracing not allowed with default security manager policy file

Posted by Rick Hillegas <Ri...@Sun.COM>.
Hi Kathey,

The change was not intentional. Right now, no file permissions are 
granted to derbynet.jar. I think you don't want to grant blanket write 
permission to derbynet.jar. You should be able to get away with granting 
derbynet.jar something narrow like the following:

permission java.io.FilePermission "${derby.drda.traceDirectory}", "write";

However, you will need to make sure that that property is properly 
defaulted as described in the Admin Guide. The defaulting needs to 
happen before NetworkServerControl installs a security manager.

Regards,
-Rick

Kathey Marsden wrote:
> I noticed that server side tracing, setting
> derby.drda.traceAll=true
> is not allowed with the default network server policy file.  Was this 
> an intentional change in behaviour or is it a bug?
>
> Thanks
>
> Kathey
>
>
> [C:/kmarsden/repro/DERBY-3085] java TestBlob
> Access denied (java.io.FilePermission Server1.trace write)
> java.security.AccessControlException: Access denied (java.io.FilePermission Server1.trace write)
>        at java.security.AccessController.checkPermission(AccessController.java:104)
>        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
>        at java.lang.SecurityManager.checkWrite(SecurityManager.java:977)
>        at java.io.FileOutputStream.<init>(FileOutputStream.java:195)
>        at java.io.FileOutputStream.<init>(FileOutputStream.java:96)
>        at java.io.FileWriter.<init>(FileWriter.java:69)
>        at org.apache.derby.impl.drda.DssTrace.startComBufferTrace(DssTrace.java:170)
>        at org.apache.derby.impl.drda.Session.initTrace(Session.java:137)
>        at org.apache.derby.impl.drda.Session.initialize(Session.java:257)
>        at org.apache.derby.impl.drda.Session.<init>(Session.java:94)
>        at org.apache.derby.impl.drda.NetworkServerControlImpl.addSession(NetworkServerControlImpl.java:3673)
>        at org.apache.derby.impl.drda.ClientThread.run(ClientThread.java:80)
>
>
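
An added example, not part of the thread and not Derby code: it uses `java.io.FilePermission.implies` to compare candidate grant paths for the trace directory against the kind of write check that failed in the stack trace above. The class name `TraceGrantCheck`, the directory `traces` (standing in for the expanded value of `derby.drda.traceDirectory`) and the file `elsewhere.txt` are constructed for illustration.

```java
import java.io.File;
import java.io.FilePermission;

// Added example, not Derby code. "traces" is a constructed stand-in for the
// expanded value of derby.drda.traceDirectory.
public class TraceGrantCheck {

    // True if a policy grant of "write" on grantPath satisfies the requested check.
    static boolean covers(String grantPath, FilePermission requested) {
        return new FilePermission(grantPath, "write").implies(requested);
    }

    public static void main(String[] args) {
        String sep = File.separator;
        String dir = "traces"; // constructed sample value

        // The kind of check seen in the stack trace: opening a session trace file for writing.
        FilePermission traceFile = new FilePermission(dir + sep + "Server1.trace", "write");
        // A file one level deeper, and a file outside the trace directory (both constructed).
        FilePermission nested = new FilePermission(dir + sep + "sub" + sep + "x.trace", "write");
        FilePermission outside = new FilePermission("elsewhere.txt", "write");

        // FilePermission path forms:
        //   dir             the directory path itself only
        //   dir/*           files directly inside dir
        //   dir/-           everything under dir, recursively
        //   <<ALL FILES>>   any file (the blanket grant)
        String[] grants = { dir, dir + sep + "*", dir + sep + "-", "<<ALL FILES>>" };

        System.out.printf("%-16s %-10s %-10s %s%n", "grant path", "traceFile", "nested", "outside");
        for (String grant : grants) {
            System.out.printf("%-16s %-10b %-10b %b%n",
                    grant,
                    covers(grant, traceFile),
                    covers(grant, nested),
                    covers(grant, outside));
        }
    }
}
```

The narrowest row that still reports `true` for `traceFile` and `false` for `outside` is the grant path to use in the policy file.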