Date: Wed, 27 Jun 2007 06:10:26 -0700 (PDT)
From: "Rick Hillegas (JIRA)"
To: derby-dev@db.apache.org
Subject: [jira] Commented: (DERBY-2874) NetworkServer not accepting connections with default security manager on Ipv6 machines

[ https://issues.apache.org/jira/browse/DERBY-2874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12508534 ]

Rick Hillegas commented on DERBY-2874:
--------------------------------------

Thanks for test-driving this
patch, Manjula. It also works for me on my personal laptop, which runs a version of Suse with dual v4 and v6 protocol stacks.

I think that it would be better to restrict the socket permission as much as possible just as it would be better to restrict the file permissions as much as possible. However, I think this more liberal socket permission is fine for the default policy just as the liberal file permission is ok. The liberal socket permission is only granted to derbynet.jar and the server limits itself to addresses specified at boot time. Socket permission continues to be denied to code outside the server, such as user-written functions and procedures.

> NetworkServer not accepting connections with default security manager on Ipv6 machines
> --------------------------------------------------------------------------------------
>
> Key: DERBY-2874
> URL: https://issues.apache.org/jira/browse/DERBY-2874
> Project: Derby
> Issue Type: Bug
> Components: Security
> Affects Versions: 10.3.0.0
> Environment: Ipv6 machine with ibm jvm 15
> Reporter: Manjula Kutty
> Assignee: Rick Hillegas
> Fix For: 10.3.0.0
>
> Attachments: derby-2874-01.diff, derby-2874-wildcard-01.diff, server.policy
>
>
> While running tests on Ipv6 machines using the 10.3 jars with the default security manager, I had the following findings/questions
> I started the server like this java org.apache.derby.drda.NetworkServerControl start -h 2002:92a:8f7a:13:9:42:74:19
> and the server started with the following command
> Security manager installed using the Basic server security policy.
> Apache Derby Network Server - 10.3.1.0 beta - (548006) started and ready to accept connections on port 1527 at 2007-06-25 23:44: 36.835 GMT
>
> So I think the server is using the default security manager.
> Then when I tried to get connection through ij
>
> got the following error message
> Access denied (java.net.SocketPermission [2002:92a:8f7a:13:9:42:73:218]:34016 accept,resolve)
> java.security.AccessControlException: Access denied (java.net.SocketPermission [2002:92a:8f7a:13:9:42:73:218]:34016 accept,resolve)
> at java.security.AccessController.checkPermission(AccessController.java:104)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
> at java.lang.SecurityManager.checkAccept (SecurityManager.java:1172)
> at java.net.ServerSocket.implAccept(ServerSocket.java:466)
> at java.net.ServerSocket.accept(ServerSocket.java:433)
> at org.apache.derby.impl.drda.ClientThread$1.run (Unknown Source)
> at java.security.AccessController.doPrivileged(AccessController.java:242)
> at org.apache.derby.impl.drda.ClientThread.run(Unknown Source)
>
> I had the derby.properties file like this
>
> derby.database.sqlAuthorization=true
> derby.connection.requireAuthentication=true
> derby.infolog.append=true
> derby.authentication.provider=BUILTIN
> derby.stream.error.logSeverityLevel=0
> #derby.language.logStatementText=true
> # User's Definitions
> derby.user.user2=pass2

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
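
Added example (not part of the original message and not Derby's code): the accept check in the stack trace is made against the remote client's address and port, so this sketch uses `java.net.SocketPermission.implies` to test which grants would satisfy it. The class name and the four candidate grants are assumptions constructed for illustration; only the two addresses and the port come from the report above.

```java
import java.net.SocketPermission;

public class AcceptPermissionCheck {
    // Permission demanded in the stack trace above: the remote client's
    // address and ephemeral port, not the address the server listens on.
    static final SocketPermission DEMANDED = new SocketPermission(
            "[2002:92a:8f7a:13:9:42:73:218]:34016", "accept,resolve");

    // True when a grant with this target and action list would satisfy the
    // check made by SecurityManager.checkAccept for that client.
    static boolean covers(String target, String actions) {
        return new SocketPermission(target, actions).implies(DEMANDED);
    }

    public static void main(String[] args) {
        // Candidate grants, constructed for illustration (not Derby's policy text).
        String[][] grants = {
            // Only the address passed to -h when the server was started.
            {"[2002:92a:8f7a:13:9:42:74:19]:*", "accept"},
            // Only the one client seen in the trace, unprivileged ports.
            {"[2002:92a:8f7a:13:9:42:73:218]:1024-", "accept"},
            // Any peer, but the wrong action for ServerSocket.accept().
            {"*", "connect"},
            // Wildcard host with no port restriction: the most liberal form.
            {"*", "accept"},
        };
        for (String[] g : grants) {
            System.out.printf("%-42s %-8s covers client: %b%n",
                    g[0], g[1], covers(g[0], g[1]));
        }
    }
}
```

In a policy file, whichever grant is chosen takes effect only for the code named in the enclosing `grant codeBase` clause, which is how a wildcard accept can be limited to derbynet.jar while user-written functions and procedures stay without socket permission.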