java.security.AccessControlException: access denied - Weblogic


  1. java.security.AccessControlException: access denied

    I'm using WLS 5.1 on NT. My Web Application uses JSSE for SSL
    connection to a 3rd-party server.

    I got the following AccessControlException when I tried to access
    the Web Application:

    java.security.AccessControlException: access denied (java.security.SecurityPermission getProperty.ssl.ServerSocketFactory.provider )
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java, Compiled Code)
        at java.security.AccessController.checkPermission(AccessController.java, Compiled Code)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java, Compiled Code)
        at java.security.Security.getProperty(Security.java:695)
        at javax.net.ssl.SSLServerSocketFactory$1.run([DashoPro-V1.2-120198])
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.net.ssl.SSLServerSocketFactory.a([DashoPro-V1.2-120198])
        at javax.net.ssl.SSLServerSocketFactory.getDefault([DashoPro-V1.2-120198])
        at sirrus.util.net.d.(Unknown Source)
        at sirrus.util.net.b.a(Unknown Source)
        at sirrus.api.client.APIServerProxy.(APIServerProxy.java:151)
        at sirrus.api.client.APIServerProxy.(APIServerProxy.java:122)
        at sirrus.webgui.SCMSession.(SCMSession.java:185)
        at sirrus.webgui.SCMPage.(SCMPage.java:357)
        at sirrus.webgui.SCMOddPage.(SCMOddPage.java:28)
        at sirrus.webgui.LoginPage.(LoginPage.java:41)
        at sirrus.webgui.SCManager.service(SCManager.java:79)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:865)
        at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:105)
        at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:742)
        at weblogic.servlet.internal.ServletContextImpl.invokeServlet(ServletContextImpl.java:686)
        at weblogic.servlet.internal.ServletContextManager.invokeServlet(ServletContextManager.java:247)
        at weblogic.socket.MuxableSocketHTTP.invokeServlet(MuxableSocketHTTP.java:361)
        at weblogic.socket.MuxableSocketHTTP.execute(MuxableSocketHTTP.java:261)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java, Compiled Code)


    What permission do I need to add to the weblogic.policy file for this to
    work?

    My class files and the required 3rd-party jar files are in
    d:\weblogic\myserver\myapp\WEB-INF\classes and
    d:\weblogic\myserver\myapp\WEB-INF\lib, respectively.

    I use startWebLogic.bat to start up the server:
    D:\weblogic>.\jre1_2\jre\bin\java -ms64m -mx64m
        -classpath .\classes\boot;.\eval\cloudscape\lib\cloudscape.jar;.\lib\weblogic510sp7boot.jar
        -Dweblogic.class.path=.\license;.\classes;.\lib\weblogicaux.jar;.\lib\weblogic510sp7.jar;.\myserver\serverclasses;
        -Dweblogic.home=.
        -Djava.security.manager
        -Djava.security.policy==.\weblogic.policy
        weblogic.Server

    Any help would be appreciated!

    -Muwon





  2. Re: java.security.AccessControlException: access denied

    As I read the stack trace, the problem is with Java 2 security when it is
    attempting to get the name of the provider for the SSL ServerSocket Factory.
    You should check the documentation from your JSSE provider to see if they
    have any special permission that must be granted.

    But as I read the trace, the missing permission is
    getProperty.ssl.ServerSocketFactory.provider
    So, I believe that the appropriate line in the weblogic.policy file would be:

    grant codebase "<URL to your JAR file>" {
        permission java.security.SecurityPermission "getProperty.ssl.ServerSocketFactory.provider";
    };

    I would not recommend putting this in the grant sections for
    "file:/c:/classes/-" or "file:/weblogic/-", since it allows any code in the
    classes or weblogic directories or below to have access.



    Paul Patrick
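
In the posted trace the check runs inside `AccessController.doPrivileged`, called from `javax.net.ssl.SSLServerSocketFactory`, so the stack walk stops at that frame and it is the protection domain of the JSSE classes that must hold the permission. The diagnostic below is an added example, not part of the original thread: for each class name it prints the code source URL the JVM assigned and whether the policy in effect grants that URL the permission from the exception. The class name `GrantCheck` is hypothetical, and the code assumes a JDK on which `java.security.Policy` is still functional.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;

// Added diagnostic, not code from the thread. For each class name it reports
// where the class was loaded from and whether the policy in effect grants that
// location the permission named in the AccessControlException.
public class GrantCheck {

    // Permission target copied from the exception message in the first post.
    static final Permission NEEDED =
            new SecurityPermission("getProperty.ssl.ServerSocketFactory.provider");

    static String report(String className, ClassLoader loader) {
        Class<?> c;
        try {
            // initialize=false: resolve the class without running static initializers.
            c = Class.forName(className, false, loader);
        } catch (ClassNotFoundException | LinkageError e) {
            return className + " -> not loadable here (" + e + ")";
        }
        // Requires RuntimePermission "getProtectionDomain" under a security manager.
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = pd.getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return className + " -> no code source URL (typically a bootstrap class)";
        }
        // What the policy yields for this exact CodeSource, and what the class's
        // own domain answers. Policy.getPolicy() requires SecurityPermission
        // "getPolicy" under a security manager.
        boolean byPolicy = Policy.getPolicy().getPermissions(cs).implies(NEEDED);
        boolean byDomain = pd.implies(NEEDED);
        return className + " -> " + cs.getLocation()
                + " | policy grants: " + byPolicy
                + " | domain implies: " + byDomain;
    }

    public static void main(String[] args) {
        // Defaults: the JSSE class that calls doPrivileged and the application
        // class that triggers it, both taken from the posted stack trace.
        String[] names = args.length > 0 ? args : new String[] {
            "javax.net.ssl.SSLServerSocketFactory",
            "sirrus.api.client.APIServerProxy"
        };
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = GrantCheck.class.getClassLoader();
        }
        for (String n : names) {
            System.out.println(report(n, loader));
        }
    }
}
```

Run it with the same `-Djava.security.manager` and `-Djava.security.policy` options as the server, or call `report` from a servlet so that the web application's class loader resolves the names. The URL it prints is the value a `codeBase` entry has to match.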







  3. Re: java.security.AccessControlException: access denied

    I'm still getting access denied. Here's my weblogic.policy file. What did I
    miss?

    Thanks,
    -Muwon

    weblogic.policy
    ----------------
    // WEBLOGIC POLICY FILE
    // // // // // // // // // // // // // // // // // // // // // // // //
    // This file, which conforms to the java.security.Policy file
    // definition, configures WebLogic Server for Java 2 security.
    // WebLogic Server cannot run without the policies specified here.
    //
    // Before you can use these policies, edit the URL paths that point to
    // your WebLogic installation. The paths you must change are in the
    // first two lines following this comment block.
    //
    // A second grant entry provides an example of setting the permissions
    // for your own Java classes. Modify the URL paths in the first two
    // lines of that grant entry to point to the location of your classes or
    // any third party Java classes you want to use with WebLogic Server.
    // You can copy this entry to protect additional class locations you
    // may create.
    //
    // If WebLogic is not installed in a root directory, you must only
    // list the first component of the path in the "file:" URL. This is
    // because of a bug in JavaSoft JDK 1.2.1. For example, if you
    // install WebLogic in the "c:/test/weblogic" directory, the first
    // two lines below must be:
    //
    // grant codeBase "file:/c:/test/-" {
    // permission java.io.FilePermission "c:${/}test${/}weblogic${/}-", "read,write,delete,execute";
    //
    // See http://www.weblogic.com/docs51/install/startserver.html for
    // more information about using this policy file.
    //
    grant codeBase "file:d:/weblogic/-" {
    permission java.io.FilePermission "d:${/}weblogic${/}-",
    "read,write,delete,execute";
    permission java.net.SocketPermission "localhost:1-9000",
    "connect,accept,listen,resolve";
    permission java.awt.AWTPermission "accessClipboard";
    permission java.awt.AWTPermission "accessEventQueue";
    permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "accessDeclaredMembers.*";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.RuntimePermission "defineClassInPackage.*";
    permission java.lang.RuntimePermission "exitVM";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "readFileDescriptor";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "setIO";
    permission java.lang.RuntimePermission "setProtectionDomain";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.lang.RuntimePermission "writeFileDescriptor";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.net.NetPermission "requestPasswordAuthentication";
    permission java.net.NetPermission "setDefaultAuthenticator";
    permission java.security.SecurityPermission "getPolicy";
    permission java.security.SecurityPermission "setPolicy";
    permission java.util.PropertyPermission "*", "read,write";
    };


    //
    // Modify the URLs in the two lines below to point to the location of
    // additional classes you want to use with WebLogic Server. These could
    // include classes you develop or third-party classes you want to use.
    // You can copy this grant entry and modify the URLs for additional
    // class locations.
    //
    grant codeBase "file:d:/weblogic/myserver/myapp/WEB-INF/-" {
    permission java.io.FilePermission
    "d:${/}weblogic${/}myserver${/}myapp${/}WEB-INF${/}-",
    "read,write,delete,execute";
    permission java.net.SocketPermission "localhost:1-9000",
    "connect,accept,listen,resolve";
    permission java.awt.AWTPermission "accessClipboard";
    permission java.awt.AWTPermission "accessEventQueue";
    permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "accessDeclaredMembers.*";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "createSecurityManager";
    permission java.lang.RuntimePermission "defineClassInPackage.*";
    permission java.lang.RuntimePermission "exitVM";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "readFileDescriptor";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "setIO";
    permission java.lang.RuntimePermission "setProtectionDomain";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.lang.RuntimePermission "writeFileDescriptor";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.net.NetPermission "requestPasswordAuthentication";
    permission java.net.NetPermission "setDefaultAuthenticator";
    permission java.security.SecurityPermission "getPolicy";
    permission java.security.SecurityPermission "setPolicy";
    permission java.security.SecurityPermission
    "getProperty.ssl.ServerSocketFactory.provider";
    permission java.util.PropertyPermission "*", "read,write";
    };


    grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
    };

    grant {
    // Permission "enableSubstitution" needed to run the WebLogic console
    permission java.io.SerializablePermission "enableSubstitution";
    // Permission "modifyThreadGroup" required to run the WebLogic Server
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setContextClassLoader";
    // Permission "setIO" needed to start a server from the WebLogic console
    permission java.lang.RuntimePermission "setIO";
    // Permission "getClassLoader" needed for many EJB clients
    permission java.lang.RuntimePermission "getClassLoader";

    permission java.lang.RuntimePermission "stopThread";
    permission java.net.SocketPermission "localhost:1024-", "listen";
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
    };








