Posted to derby-user@db.apache.org by "John I. Moore, Jr." <so...@att.net> on 2014/01/17 16:23:22 UTC
Network Server Access Permissions and Java 1.7.0_51
Java version 1.7.0_51 (latest version) causes the following error when trying to start the
network server. I can see from the issue tracker that there is a fix to be added that
should correct this problem in the next release, but is there an easy workaround that
exists now? Details would be appreciated.
_________________________________________
John I. Moore, Jr.
C:\Java\db-derby-10.10.1.1-bin\bin>startNetworkServer.bat
Thu Jan 16 16:34:04 EST 2014 : Security manager installed using the Basic server security policy.
Thu Jan 16 16:34:04 EST 2014 : access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkListen(SecurityManager.java:1134)
    at java.net.ServerSocket.bind(ServerSocket.java:375)
    at java.net.ServerSocket.<init>(ServerSocket.java:237)
    at javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:231)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocket(Unknown Source)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(Unknown Source)
    at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
    at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown Source)
    at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
    at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
Re: Network Server Access Permissions and Java 1.7.0_51
Posted by Rick Hillegas <ri...@oracle.com>.
On 1/22/14 4:18 AM, John I. Moore, Jr. wrote:
> -Djava.security.manager
> -Djava.security.policy=C:\Java\db-derby\1010_server.policy
Hi John,
I am able to reproduce the results you are seeing. I have updated the
1010_server.policy attached to
https://issues.apache.org/jira/browse/DERBY-6438. The new version
includes an extra block of permissions needed when running on JDK 7 and
higher. Using the new version of 1010_server.policy, I can boot a server
on Java 1.8.0-ea-b121.
Hope this helps,
-Rick
RE: Network Server Access Permissions and Java 1.7.0_51
Posted by "John I. Moore, Jr." <so...@att.net>.
Thanks to Myrna and Rick for your replies, but I am still having problems. I have been
using derby for several years, but in the past I have used the Windows batch files in the
"bin" directory to start/stop the network server. I tried to follow the guidelines for
using derbyrun.jar, but I am still having problems.
I copied the policy file 1010_server.policy to a local directory and tried starting the
network server from the command line as shown below. Perhaps I am misunderstanding how to
use derbyrun.jar with the policy file, but here is the error that I am seeing now:
C:\>java -Djava.security.manager -Djava.security.policy=C:\Java\db-derby\1010_server.policy -jar %DERBY_HOME%\lib\derbyrun.jar server start
Wed Jan 22 07:07:51 EST 2014 : access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.System.setProperty(System.java:783)
    at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)
    at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
    at org.apache.derby.iapi.tools.run.main(Unknown Source)
Any advice on how to proceed will be appreciated.
_________________________________________
John I. Moore, Jr.
SoftMoore Consulting
email: jmoore@softmoore.com
cell: 843-906-7887
From: Myrna van Lunteren [mailto:m.v.lunteren@gmail.com]
Sent: Friday, January 17, 2014 1:32 PM
To: Derby Discussion
Subject: Re: Network Server Access Permissions and Java 1.7.0_51
Sent from my iPhone
On Jan 17, 2014, at 7:23 AM, "John I. Moore, Jr." <so...@att.net> wrote:
Java version 1.7.0_51 (latest version) causes the following error when trying to start the
network server. I can see from the issue tracker that there is a fix to be added that
should correct this problem in the next release, but is there an easy workaround that
exists now? Details would be appreciated.
_________________________________________
John I. Moore, Jr.
Hi John,
Yesterday we also attached releaseNote.html to DERBY_6438 which also describes this
workaround: you need to use your own policyfile and start networkserver with
java -Djava.security.manager -Djava.security.policy=yourpolicyfilename
org.apache.derby.drda.NetworkServer start
For your convenience, I attach a copy of the updated default 10.10 policyfile to
DERBY-6438 ('1010_server.policy'). You can use that as a starting point.
As an alternative, I guess you *could* mess with the JVMs 'java.policy' file, but I
imagine that's not supported by the JVM vendors, or they'd have added it to the
workarounds. Plus it will get overwritten by the next JVM update.
I think another alternative is to start networkserver at one of the 'ephemeral' port
numbers (i.e. start with java org.apache.derby.drda.NetworkServer -p 50000 start), I tried
at port 50000 and that seemed to work. But then you might need to modify your app to use
that port number.
Regards,
Myrna
Re: Network Server Access Permissions and Java 1.7.0_51
Posted by Myrna van Lunteren <m....@gmail.com>.
Sent from my iPhone
On Jan 17, 2014, at 7:23 AM, "John I. Moore, Jr." <so...@att.net> wrote:
Java version 1.7.0_51 (latest version) causes the following error when
trying to start the network server. I can see from the issue tracker that
there is a fix to be added that should correct this problem in the next
release, but is there an easy workaround that exists now? Details would be
appreciated.
_________________________________________
John I. Moore, Jr.
Hi John,
Yesterday we also attached releaseNote.html to DERBY_6438 which also
describes this workaround: you need to use your own policyfile and start
networkserver with
java -Djava.security.manager -Djava.security.policy=yourpolicyfilename
org.apache.derby.drda.NetworkServer start
For your convenience, I attach a copy of the updated default 10.10
policyfile to DERBY-6438 ('1010_server.policy'). You can use that as a
starting point.
As an alternative, I guess you *could* mess with the JVMs 'java.policy'
file, but I imagine that's not supported by the JVM vendors, or they'd have
added it to the workarounds. Plus it will get overwritten by the next JVM
update.
I think another alternative is to start networkserver at one of the
'ephemeral' port numbers (i.e. start with java
org.apache.derby.drda.NetworkServer -p 50000 start), I tried at port 50000
and that seemed to work. But then you might need to modify your app to use
that port number.
Regards,
Myrna
Re: Network Server Access Permissions and Java 1.7.0_51
Posted by Rick Hillegas <ri...@oracle.com>.
On 1/17/14 7:23 AM, John I. Moore, Jr. wrote:
> Java version 1.7.0_51 (latest version) causes the following error when
> trying to start the network server. I can see from the issue tracker
> that there is a fix to be added that should correct this problem in
> the next release, but is there an easy workaround that exists now?
> Details would be appreciated.
>
> _________________________________________
> John I. Moore, Jr.
>
> C:\Java\db-derby-10.10.1.1-bin\bin>startNetworkServer.bat
> Thu Jan 16 16:34:04 EST 2014 : Security manager installed using the Basic server security policy.
> Thu Jan 16 16:34:04 EST 2014 : access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
> java.security.AccessControlException: access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
>     at java.security.AccessController.checkPermission(AccessController.java:559)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at java.lang.SecurityManager.checkListen(SecurityManager.java:1134)
>     at java.net.ServerSocket.bind(ServerSocket.java:375)
>     at java.net.ServerSocket.<init>(ServerSocket.java:237)
>     at javax.net.DefaultServerSocketFactory.createServerSocket(ServerSocketFactory.java:231)
>     at org.apache.derby.impl.drda.NetworkServerControlImpl.createServerSocket(Unknown Source)
>     at org.apache.derby.impl.drda.NetworkServerControlImpl.access$000(Unknown Source)
>     at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
>     at org.apache.derby.impl.drda.NetworkServerControlImpl$1.run(Unknown Source)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown Source)
>     at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
>     at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
Hi John,
The release notes for 7u51 should describe this problem and its
solution. The solution is to give the server "listen" permission on the
port where it listens for incoming connection requests. The solution is
described on https://issues.apache.org/jira/browse/DERBY-6438
Hope this helps,
-Rick
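
Added example, not part of the thread and not Derby project code: a small Python helper that reads the "access denied" lines quoted in the messages above and renders the matching policy-file entries for review, dropping the "resolve" action that SocketPermission already implies when "listen" is granted. The function names and the codeBase path are assumptions; the log sample reproduces the two denials posted in this thread.

```python
import re

# Denial text as the JVM prints it, e.g.
#   access denied ("java.net.SocketPermission" "localhost:1527" "listen,resolve")
DENIAL = re.compile(r'access denied \("([\w.$]+)"\s+"([^"]+)"(?:\s+"([^"]*)")?\)')

# The two denials reported in this thread, with the mail's line wrapping kept.
SAMPLE_LOG = '''
Thu Jan 16 16:34:04 EST 2014 : access denied ("java.net.SocketPermission" "localhost:1527"
"listen,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission"
"localhost:1527" "listen,resolve")
Wed Jan 22 07:07:51 EST 2014 : access denied ("java.util.PropertyPermission"
"derby.__serverStartedFromCmdLine" "write")
'''

def parse_denials(log_text):
    """Return unique (permission class, target, actions) tuples, first seen first."""
    flat = " ".join(log_text.split())  # undo console/mail line wrapping
    found = []
    for m in DENIAL.finditer(flat):
        entry = (m.group(1), m.group(2), m.group(3) or "")
        if entry not in found:
            found.append(entry)
    return found

def minimal_actions(perm_class, actions):
    """Drop actions the JDK already implies, so the grant asks for no more than needed."""
    acts = [a.strip() for a in actions.split(",") if a.strip()]
    # For SocketPermission, "resolve" is implied by listen, accept and connect.
    if perm_class == "java.net.SocketPermission" and len(acts) > 1:
        acts = [a for a in acts if a != "resolve"]
    return ",".join(acts)

def grant_block(code_base, denials):
    """Render a policy-file grant for review; code_base is supplied by the reader."""
    lines = ['grant codeBase "%s" {' % code_base]
    for perm_class, target, actions in denials:
        acts = minimal_actions(perm_class, actions)
        suffix = ', "%s"' % acts if acts else ""
        lines.append('  permission %s "%s"%s;' % (perm_class, target, suffix))
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    # Placeholder path (assumption): use the jar whose classes appear in the stack trace.
    print(grant_block("file:/path/to/derby/lib/derbynet.jar", parse_denials(SAMPLE_LOG)))
```

Each generated entry should be read before it goes into a policy file: the output lists what the server was denied, which is not automatically what it should be allowed.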