Run Derby under the security manager

josealvarezdelara
Joined: 2008-12-26

Hi,

I have installed Derby 10.10.1.1 and jdk1.7.0_51 on my Oracle Linux system and I am having trouble
starting up Derby under the security manager,

java -Djava.security.manager -Djava.security.policy=/path/to/myCustomized.policy \
    org.apache.derby.drda.NetworkServerControl start -h localhost

because of an error with the message: did not find org.apache.derby.drda.NetworkServerControl main class

I have set DERBY_HOME and I am wondering if the issue is because the classpath is not set correctly.

Please, any help or suggestion would be really appreciated.

Best regards,
jose

josealvarezdelara
Joined: 2008-12-26

Hi,

Here is the policy file,

grant codeBase "file:/path/to/derby-10.10.1.1/lib/derby.jar"
{
//
// These permissions are needed for everyday, embedded Derby usage.
//
permission java.lang.RuntimePermission "createClassLoader";
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
"write";
// The next two properties are used to determine if the VM is 32 or 64
// bit.
permission java.util.PropertyPermission "sun.arch.data.model", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.io.FilePermission "/path/to/derby-10.10.1.1","read";
permission java.io.FilePermission "/path/to/derby-10.10.1.1/-",
"read,write,delete";

//
// This permission lets a DBA reload the policy file while the server
// is still running. The policy file is reloaded by invoking the
// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
//
permission java.security.SecurityPermission "getPolicy";

//
// This permission lets you backup and restore databases
// to and from arbitrary locations in your file system.
//
// This permission also lets you import/export data to and from
// arbitrary locations in your file system.
//
// You may want to restrict this access to specific directories.
//
permission java.io.FilePermission "/path/to/derby-10.10.1.1/backups/-",
"read,write,delete";

//
// Permissions needed for JMX based management and monitoring, which is
// only available for JVMs supporting "platform management", that is
// Java SE 5.0 or better.
//
// Allows this code to create an MBeanServer:
//
permission javax.management.MBeanServerPermission "createMBeanServer";
//
// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby.
// Derby must be allowed to register and unregister these MBeans.
// It is possible to allow access only to specific MBeans, attributes or
// operations. To fine tune this permission, see the javadoc of
// javax.management.MBeanPermission or the JMX Instrumentation and Agent
// Specification.
//
permission javax.management.MBeanPermission
"org.apache.derby.*#[org.apache.derby:*]",
"registerMBean,unregisterMBean";
//
// Trusts Derby code to be a source of MBeans and to register these in
// the MBean server.
//
permission javax.management.MBeanTrustPermission "register";

// getProtectionDomain is an optional permission needed for printing
// classpath information to derby.log
permission java.lang.RuntimePermission "getProtectionDomain";

//
// The following permission must be granted for
// Connection.abort(Executor) to work. Note that this permission
// must also be granted to outer (application) code domains.
//
permission java.sql.SQLPermission "callAbort";
};

grant codeBase "file:/path/to/derby-10.10.1.1/lib/derbynet.jar"
{
//
// This permission lets the Network Server manage connections from
// clients.
//

// Accept connections from any host. Derby is listening to the host
// interface specified via the -h option to "NetworkServerControl
// start" on the command line, via the address parameter to the
// org.apache.derby.drda.NetworkServerControl constructor in the API
// or via the property derby.drda.host; the default is localhost.
// You may want to restrict allowed hosts, e.g. to hosts in a specific
// subdomain, e.g. "*.example.com".

permission java.net.SocketPermission "localhost:0-", "accept";

//
// Needed for server tracing.
//
// permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-",
// "read,write,delete";

//
// JMX: Uncomment this permission to allow the ping operation of the
// NetworkServerMBean to connect to the Network Server.
//permission java.net.SocketPermission "*", "connect,resolve";

//
// Needed by sysinfo. The file permission is needed to
// check the existence of jars on the classpath. You can
// limit this permission to just the locations which hold
// your jar files.
//
// In this template file, this block of permissions is granted
// to derbynet.jar under the assumption that derbynet.jar is
// the first jar file in your classpath which contains the
// sysinfo classes. If that is not the case, then you will want
// to grant this block of permissions to the first jar file
// in your classpath which contains the sysinfo classes.
// Those classes are bundled into the following Derby
// jar files:
//
// derbynet.jar
// derby.jar
// derbyclient.jar
// derbytools.jar
//
// permission java.util.PropertyPermission "user.*", "read";
// permission java.util.PropertyPermission "java.home", "read";
// permission java.util.PropertyPermission "java.class.path", "read";
// permission java.util.PropertyPermission "java.runtime.version", "read";
// permission java.util.PropertyPermission "java.fullversion", "read";
// permission java.lang.RuntimePermission "getProtectionDomain";
// permission java.io.FilePermission "<<ALL FILES>>", "read";
// permission java.io.FilePermission "java.runtime.version", "read";
// permission java.io.FilePermission "java.fullversion", "read";
};

and here is the complete error message,

Fri Mar 21 02:23:39 CET 2014 : access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.System.setProperty(System.java:783)
at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)
at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

Thanks,
jose

josealvarezdelara
Joined: 2008-12-26

Hi guys,

Here is the solution to resolve my issue,
http://stackoverflow.com/questions/21154400/unable-to-start-derby-databa...
that is valid as well if you want to install derby 10.10.1.1 in your NB 8.0.

In my case the permission to grant was as follows,
permission java.net.SocketPermission "localhost:1527", "listen,resolve";

Thanks.

Best regards,
jose
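
Added example, not part of the original thread: a Python sketch that turns the AccessControlException quoted in the second post into a candidate policy line, placed in a grant block for the jar whose code triggered the check. The package-to-jar mapping and the rule of attributing a denial to the first Derby frame in the trace are assumptions of this example, and each generated line is a candidate to review and narrow, not a grant to apply blindly.

```python
import re

# Constructed sample: the denial quoted in the thread, with part of its stack trace.
SAMPLE_LOG = """\
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")
at java.lang.System.setProperty(System.java:783)
at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
"""

DENIED = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]+)")?\)')
FRAME = re.compile(r'^\s*at ([\w.$]+)\.[\w$<>]+\(')

# Assumption: which Derby jar holds which package (longest prefix first).
JAR_BY_PACKAGE = [("org.apache.derby.drda.", "derbynet.jar"),
                  ("org.apache.derby.", "derby.jar")]
LIB_DIR = "file:/path/to/derby-10.10.1.1/lib/"  # placeholder path used in the thread

def jar_for(class_name):
    return next((jar for prefix, jar in JAR_BY_PACKAGE if class_name.startswith(prefix)), None)

def candidate_grants(log_text):
    """Map each denial to the jar of the first Derby frame below it (a heuristic)."""
    grants, pending = {}, None
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        frame = FRAME.match(line)
        if denied:
            ptype, name, actions = denied.groups()
            pending = 'permission %s "%s"' % (ptype, name)
            pending += ', "%s";' % actions if actions else ";"
        elif pending and frame and jar_for(frame.group(1)):
            perms = grants.setdefault(jar_for(frame.group(1)), [])
            if pending not in perms:
                perms.append(pending)
            pending = None
    return grants

def render(grants):
    """Format the candidates as policy-file grant blocks, one per jar."""
    blocks = []
    for jar, perms in sorted(grants.items()):
        body = "\n".join("  " + p for p in perms)
        blocks.append('grant codeBase "%s%s"\n{\n%s\n};' % (LIB_DIR, jar, body))
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(render(candidate_grants(SAMPLE_LOG)))
```

For the sample above, the candidate lands in the derbynet.jar block, which the posted policy gives no PropertyPermission at all; the "derby.*" read grant belongs to derby.jar and does not cover a write from the network server code.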