You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-user@db.apache.org by bradm6406 <br...@hotmail.com> on 2008/02/15 22:39:33 UTC

java.security.AccessControlException doing a file write

Hi,

I am trying to add a custom procedure to my Derby database that will backup
the database and then zip the resulting backup folder.  I can call the
procedure with no problems and it creates the database backup using a call
to SYSCS_UTIL.SYSCS_BACKUP_DATABASE().  The problem comes when I try to zip
the resulting folder.

I took the zipping code from this URL:
http://www.acm.org/crossroads/xrds6-3/ovp63.html and added the SimpleZip
class to my package.  I then added the makeZip procedure to my database.  I
can call the makeZip procedure with no problems so I know it is registered
properly in Derby but I get an exception when the code tries to create the
zip file on the hard drive.

This is the error I am getting:
java.sql.SQLException: The exception 'java.security.AccessControlException:
access denied (java.io.FilePermission D:\derby_database\backups\20080215.zip
write)' was thrown while evaluating an expression.

I was assuming that I needed to add additional permissions to my policy
file, so I added this:

grant codeBase "file:${derby.system.home}${/}lib${/}DerbyHelpers.jar"
{
  permission java.io.FilePermission "${derby.system.home}${/}backups${/}-",
"read,write,delete";
};

That didn't work.  I still got the same error.  So I decided to try creating
a new policy file that gave all permissions to everything and see what
happened.  My new policy file looks like this:

// Give permissions to all of my Derby jar files, and my custom jar file
grant codeBase "file:${derby.system.home}/lib/-" {
  permission java.security.AllPermission;
};

// I have a copy of the Sun JRE in d:\derby\database\java\ that I am using,
give all permissions to all of the java libraries
grant codeBase "file:D:/derby_database/java/lib/-"{
  permission java.security.AllPermission;
};


This still doesn't work.  Now I'm stumped.  I'm very new to Java and just
struggling through it because we decided to use Derby for our program.  I
would have thought that giving the FilePermissions to my custom jar file
would have worked but it isn't.  Each time I made a change to the policy
file I restarted the network server just to be sure that the new policy file
has been reloaded.  I am 100% sure the policy file is being used because if
I change it so that the wrapper.jar file doesn't have the needed permissions
then I get errors when starting the service using the wrapper.

If i call the makeZip function directly from Eclipse then it creates a zip
file with no problems.  The error is only occurring when I am running the
code from within Derby.

Any suggestions?


Thanks,

Brad
-- 
View this message in context: http://www.nabble.com/java.security.AccessControlException-doing-a-file-write-tp15510576p15510576.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.

RE: java.security.AccessControlException doing a file write

Posted by Brad Moore <br...@hotmail.com>.
Hi Kathey,

I think you may be right.  As I said, I'm VERY new to Java.  I think it's time to go take a course.  I just looked at the priviledged block stuff and that sounds like it may be the ticket.  Now I'll have to see if I can figure that out.

Thanks for your help.  I'll keep you posted.


Brad

> Date: Fri, 15 Feb 2008 15:00:37 -0800
> From: kmarsdenderby@sbcglobal.net
> To: derby-user@db.apache.org
> Subject: Re: java.security.AccessControlException doing a file write
> 
> bradm6406 wrote:
> >  The problem comes when I try to zip
> > the resulting folder.
> >
> >   
> I wonder if you need a privileged block around your code to create the zip.
> http://java.sun.com/j2se/1.4.2/docs/api/java/security/AccessController.html
> 
> Kathey
> 

_________________________________________________________________

Re: java.security.AccessControlException doing a file write

Posted by Kathey Marsden <km...@sbcglobal.net>.
bradm6406 wrote:
>  The problem comes when I try to zip
> the resulting folder.
>
>   
I wonder if you need a privileged block around your code to create the zip.
http://java.sun.com/j2se/1.4.2/docs/api/java/security/AccessController.html

Kathey

Re: java.security.AccessControlException doing a file write

Posted by Rick Hillegas <Ri...@Sun.COM>.
Hi Brad,

Writing a valid security policy file can be a bit tricky. I am not sure 
that you have identified the codebase of your jar file with a legal URL. 
I would expect to see some double slashes in the URL. The following kind 
of URL works for me:

grant codeBase "file:///opt/DerbyTrunk/jars/sane/derby.jar"
{
...


};

Hope this helps,
-Rick

bradm6406 wrote:
> Hi,
>
> I am trying to add a custom procedure to my Derby database that will backup
> the database and then zip the resulting backup folder.  I can call the
> procedure with no problems and it creates the database backup using a call
> to SYSCS_UTIL.SYSCS_BACKUP_DATABASE().  The problem comes when I try to zip
> the resulting folder.
>
> I took the zipping code from this URL:
> http://www.acm.org/crossroads/xrds6-3/ovp63.html and added the SimpleZip
> class to my package.  I then added the makeZip procedure to my database.  I
> can call the makeZip procedure with no problems so I know it is registered
> properly in Derby but I get an exception when the code tries to create the
> zip file on the hard drive.
>
> This is the error I am getting:
> java.sql.SQLException: The exception 'java.security.AccessControlException:
> access denied (java.io.FilePermission D:\derby_database\backups\20080215.zip
> write)' was thrown while evaluating an expression.
>
> I was assuming that I needed to add additional permissions to my policy
> file, so I added this:
>
> grant codeBase "file:${derby.system.home}${/}lib${/}DerbyHelpers.jar"
> {
>   permission java.io.FilePermission "${derby.system.home}${/}backups${/}-",
> "read,write,delete";
> };
>
> That didn't work.  I still got the same error.  So I decided to try creating
> a new policy file that gave all permissions to everything and see what
> happened.  My new policy file looks like this:
>
> // Give permissions to all of my Derby jar files, and my custom jar file
> grant codeBase "file:${derby.system.home}/lib/-" {
>   permission java.security.AllPermission;
> };
>
> // I have a copy of the Sun JRE in d:\derby\database\java\ that I am using,
> give all permissions to all of the java libraries
> grant codeBase "file:D:/derby_database/java/lib/-"{
>   permission java.security.AllPermission;
> };
>
>
> This still doesn't work.  Now I'm stumped.  I'm very new to Java and just
> struggling through it because we decided to use Derby for our program.  I
> would have thought that giving the FilePermissions to my custom jar file
> would have worked but it isn't.  Each time I made a change to the policy
> file I restarted the network server just to be sure that the new policy file
> has been reloaded.  I am 100% sure the policy file is being used because if
> I change it so that the wrapper.jar file doesn't have the needed permissions
> then I get errors when starting the service using the wrapper.
>
> If i call the makeZip function directly from Eclipse then it creates a zip
> file with no problems.  The error is only occurring when I am running the
> code from within Derby.
>
> Any suggestions?
>
>
> Thanks,
>
> Brad
>

Re: java.security.AccessControlException doing a file write

Posted by bradm6406 <br...@hotmail.com>.
Okay, I just tried one more thing and it worked... sort of.

I changed the policy file to this:

grant {
  permission java.security.AllPermission;
};

And now the zip file gets created properly.  I would have thought that
giving AllPermission to the entire lib directory that contained my Derby jar
files and my custom jar file, as well as giving AllPermission to the entire
lib directory of the jre that I am using would have been equivalent to what
I just tried.  But apparently there is some difference that I'm not
understanding.

The above policy file works, but obviously I don't want to grant all
permissions to everything.  Can anyone give me some guidance as to how to
change my policy file to just give the appropriate permissions that I need
to create files from my custom jar?


Thanks,

Brad


bradm6406 wrote:
> 
> That didn't work.  I still got the same error.  So I decided to try
> creating a new policy file that gave all permissions to everything and see
> what happened.  My new policy file looks like this:
> 
> // Give permissions to all of my Derby jar files, and my custom jar file
> grant codeBase "file:${derby.system.home}/lib/-" {
>   permission java.security.AllPermission;
> };
> 
> // I have a copy of the Sun JRE in d:\derby\database\java\ that I am
> using, give all permissions to all of the java libraries
> grant codeBase "file:D:/derby_database/java/lib/-"{
>   permission java.security.AllPermission;
> };
> 

-- 
View this message in context: http://www.nabble.com/java.security.AccessControlException-doing-a-file-write-tp15510576p15510956.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.