java.security.AccessControlException: access denied - Weblogic
java.security.AccessControlException: access denied
I'm using WLS 5.1 on NT. My Web Application uses JSSE for SSL
connection to a 3rd-party server.
I got the following AccessControlException when I tried to access
the Web Application:
java.security.AccessControlException: access denied (java.security.SecurityPermission getProperty.ssl.ServerSocketFactory.provider )
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java, Compiled Code)
    at java.security.AccessController.checkPermission(AccessController.java, Compiled Code)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java, Compiled Code)
    at java.security.Security.getProperty(Security.java:695)
    at javax.net.ssl.SSLServerSocketFactory$1.run([DashoPro-V1.2-120198])
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.net.ssl.SSLServerSocketFactory.a([DashoPro-V1.2-120198])
    at javax.net.ssl.SSLServerSocketFactory.getDefault([DashoPro-V1.2-120198])
    at sirrus.util.net.d.(Unknown Source)
    at sirrus.util.net.b.a(Unknown Source)
    at sirrus.api.client.APIServerProxy.(APIServerProxy.java:151)
    at sirrus.api.client.APIServerProxy.(APIServerProxy.java:122)
    at sirrus.webgui.SCMSession.(SCMSession.java:185)
    at sirrus.webgui.SCMPage.(SCMPage.java:357)
    at sirrus.webgui.SCMOddPage.(SCMOddPage.java:28)
    at sirrus.webgui.LoginPage.(LoginPage.java:41)
    at sirrus.webgui.SCManager.service(SCManager.java:79)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
    at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:105)
    at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:742)
    at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:686)
    at weblogic.servlet.internal.ServletContextManager.invokeServlet(ServletContextManager.java:247)
    at weblogic.socket.MuxableSocketHTTP.invokeServlet(MuxableSocketHTTP.java:361)
    at weblogic.socket.MuxableSocketHTTP.execute(MuxableSocketHTTP.java:261)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)
What permission do I need to add to the weblogic.policy file for this to
work?
My class files and the required 3rd-party jar files are in
d:\weblogic\myserver\myapp\WEB-INF\classes and
d:\weblogic\myserver\myapp\WEB-INF\lib, respectively.
I use startWebLogic.bat to startup the server:
D:\weblogic>.\jre1_2\jre\bin\java -ms64m -mx64m -classpath .\classes\boot;.\eval\cloudscape\lib\cloudscape.jar;.\lib\weblogic510sp7boot.jar -Dweblogic.class.path=.\license;.\classes;.\lib\weblogicaux.jar;.\lib\weblogic510sp7.jar;.\myserver\serverclasses; -Dweblogic.home=. -Djava.security.manager -Djava.security.policy==.\weblogic.policy weblogic.Server
Any help would be appreciated!
-Muwon
-
Re: java.security.AccessControlException: access denied
As I read the stack trace, the problem is with Java 2 security when it is attempting to get the name of the provider for the SSL ServerSocket Factory. You should check the documentation from your JSSE provider to see if they have any special permission that must be granted.
But as I read the trace, the missing permission is getProperty.ssl.ServerSocketFactory.provider
So, I believe that the appropriate line in the weblogic.policy file would be:
grant codebase "<URL to your JAR file>" {
    permission java.security.SecurityPermission "getProperty.ssl.ServerSocketFactory.provider";
};
I would not recommend putting this in the grant sections for "file:/c:/classes/-" or "file:/weblogic/-", since it allows any code in the classes or weblogic directories or below to have access.
Paul Patrick
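Added example (not part of the original posts, and not WebLogic or JDK code): a small Python audit of a policy file that shows the point made in the reply above, namely which code locations end up holding the SecurityPermission depending on the codeBase it is granted under. It goes slightly beyond the thread by also handling "/*" codeBases and wildcard permission names; the sample policy, the JAR name example-jsse.jar, the function names and the simplified file: URL comparison are assumptions.

```python
import re

# Constructed sample modelled on the thread's weblogic.policy (trimmed).
# example-jsse.jar is a placeholder JAR name, not taken from the thread.
POLICY = '''
grant codeBase "file:d:/weblogic/-" {
  permission java.security.SecurityPermission "getPolicy";
  permission java.util.PropertyPermission "*", "read,write";
};
grant codeBase "file:d:/weblogic/myserver/myapp/WEB-INF/lib/example-jsse.jar" {
  permission java.security.SecurityPermission
    "getProperty.ssl.ServerSocketFactory.provider";
};
grant {
  permission java.util.PropertyPermission "os.name", "read";
};
'''
GRANT = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)"\s*)?\{(.*?)\}\s*;', re.I | re.S)
PERM = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return [(codeBase or None, [(class, name, actions), ...]), ...]."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)   # drop whole-line // comments
    return [(cb or None, PERM.findall(body)) for cb, body in GRANT.findall(text)]

def _norm(url):
    # Simplification (assumption): compare file: URLs by path text only,
    # ignoring leading slashes and case; a JVM compares parsed URLs.
    return re.sub(r'^file:/*', '', url.replace('\\', '/')).lower()

def codebase_matches(codebase, location):
    """No codeBase = all code; '/-' = recursive; '/*' = one directory; else exact."""
    if codebase is None:
        return True
    cb, loc = _norm(codebase), _norm(location)
    if cb.endswith('/-'):
        return loc.startswith(cb[:-1])
    if cb.endswith('/*'):
        return loc.startswith(cb[:-1]) and '/' not in loc[len(cb) - 1:]
    return loc == cb

def is_granted(policy, location, perm_class, perm_name):
    """True if a grant entry applying to `location` implies the permission
    (names match exactly, by '*', or by a trailing '.*'; actions are ignored)."""
    for cb, perms in policy:
        if not codebase_matches(cb, location):
            continue
        for cls, name, _ in perms:
            if cls == 'java.security.AllPermission':
                return True
            if cls == perm_class and (name in (perm_name, '*') or (
                    name.endswith('.*') and perm_name.startswith(name[:-1]))):
                return True
    return False

def holders(policy, perm_class, perm_name):
    """codeBases whose grant entry names the permission, with their breadth."""
    label = lambda cb: ('all code' if cb is None else 'recursive' if cb.endswith('/-')
                        else 'directory' if cb.endswith('/*') else 'single location')
    return [(cb, label(cb)) for cb, perms in policy
            if any(c == perm_class and n == perm_name for c, n, _ in perms)]
```

With the permission under the single-JAR grant, is_granted() is true for that JAR and false for WEB-INF/classes/; moving the same line into a "/-" grant makes it true for every location below that directory.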
-
Re: java.security.AccessControlException: access denied
I'm still getting access denied. Here's my weblogic.policy file. What did I miss?
Thanks,
-Muwon
weblogic.policy
----------------
// WEBLOGIC POLICY FILE
// // // // // // // // // // // // // // // // // // // // // // // //
// This file, which conforms to the java.security.Policy file
// definition, configures WebLogic Server for Java 2 security.
// WebLogic Server cannot run without the policies specified here.
//
// Before you can use these policies, edit the URL paths that point to
// your WebLogic installation. The paths you must change are in the
// first two lines following this comment block.
//
// A second grant entry provides an example of setting the permissions
// for your own Java classes. Modify the URL paths in the first two
// lines of that grant entry to point to the location of your classes or
// any third party Java classes you want to use with WebLogic Server.
// You can copy this entry to protect additional class locations you
// may create.
//
// If WebLogic is not installed in a root directory, you must only
// list the first component of the path in the "file:" URL. This is
// because of a bug in JavaSoft JDK 1.2.1. For example, if you
// install WebLogic in the "c:/test/weblogic" directory, the first
// two lines below must be:
//
// grant codeBase "file:/c:/test/-" {
// permission java.io.FilePermission "c:${/}test${/}weblogic${/}-", "read,write,delete,execute";
//
// See http://www.weblogic.com/docs51/install/startserver.html for
// more information about using this policy file.
//
grant codeBase "file:d:/weblogic/-" {
permission java.io.FilePermission "d:${/}weblogic${/}-",
"read,write,delete,execute";
permission java.net.SocketPermission "localhost:1-9000",
"connect,accept,listen,resolve";
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission "accessDeclaredMembers.*";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "createSecurityManager";
permission java.lang.RuntimePermission "defineClassInPackage.*";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "readFileDescriptor";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "setProtectionDomain";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.lang.RuntimePermission "writeFileDescriptor";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.net.NetPermission "requestPasswordAuthentication";
permission java.net.NetPermission "setDefaultAuthenticator";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
permission java.util.PropertyPermission "*", "read,write";
};
//
// Modify the URLs in the two lines below to point to the location of
// additional classes you want to use with WebLogic Server. These could
// include classes you develop or third-party classes you want to use.
// You can copy this grant entry and modify the URLs for additional
// class locations.
//
grant codeBase "file:d:/weblogic/myserver/myapp/WEB-INF/-" {
permission java.io.FilePermission
"d:${/}weblogic${/}myserver${/}myapp${/}WEB-INF${/}-",
"read,write,delete,execute";
permission java.net.SocketPermission "localhost:1-9000",
"connect,accept,listen,resolve";
permission java.awt.AWTPermission "accessClipboard";
permission java.awt.AWTPermission "accessEventQueue";
permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission "accessDeclaredMembers.*";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "createSecurityManager";
permission java.lang.RuntimePermission "defineClassInPackage.*";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "readFileDescriptor";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "setProtectionDomain";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.lang.RuntimePermission "writeFileDescriptor";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.net.NetPermission "requestPasswordAuthentication";
permission java.net.NetPermission "setDefaultAuthenticator";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
permission java.security.SecurityPermission
"getProperty.ssl.ServerSocketFactory.provider";
permission java.util.PropertyPermission "*", "read,write";
};
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
grant {
// Permission "enableSubstitution" needed to run the WebLogic console
permission java.io.SerializablePermission "enableSubstitution";
// Permission "modifyThreadGroup" required to run the WebLogic Server
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setContextClassLoader";
// Permission "setIO" needed to start a server from the WebLogic console
permission java.lang.RuntimePermission "setIO";
// Permission "getClassLoader" needed for many EJB clients
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "stopThread";
permission java.net.SocketPermission "localhost:1024-", "listen";
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
};