From Kathey Marsden <kmarsdende...@sbcglobal.net>
Subject Questions about policy file and multiple FilePermission lines
Date Thu, 28 May 2009 23:38:42 GMT
I am working with a user that is using the network server default
server.policy file and having an interesting problem.  They create their
database with an absolute path and *sometimes* they get the permission
error below.  When they get the failure and set java.security.debug to
access:failure, they see only two or three of the file permissions
getting loaded instead of the four that we have in the file for derby.jar.

permission java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";

The user rebuilt derby with only the
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
FilePermission in the server.policy file and doesn't see the issue.

I actually haven't reproduced this issue on my machine with almost the
same revision JVM. I see all 4 permissions listed and have no problem
creating a database with an absolute path.

They are using:
Java(TM) SE Runtime Environment (build pwi3260sr3-20081106_07(SR3))
IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260-20081105_25433 (JIT enabled, AOT enabled)
J9VM - 20081105_025433_lHdSMr
JIT  - r9_20081031_1330
GC   - 20081027_AB)
JCL  - 20081106_01

They start their network server with an ant script.

I wonder how java should handle having
permission java.io.FilePermission "<<ALL FILES>>", "read";
and
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
Should the JVM be smart enough to figure out the more liberal one and go
with that? Do we need to keep all four of these or would just the one
suffice?

Here is the error:

ERROR XBM0H: Directory D:\<snip path to database> cannot be created.
    at org.apache.derby.iapi.error.StandardException.newException(Unknown Source)
    at org.apache.derby.impl.services.monitor.StorageFactoryService.createServiceRoot(Unknown Source)
    at org.apache.derby.impl.services.monitor.BaseMonitor.bootService(Unknown Source)
    at org.apache.derby.impl.services.monitor.BaseMonitor.createPersistentService(Unknown Source)
    at org.apache.derby.iapi.services.monitor.Monitor.createPersistentService(Unknown Source)
    at org.apache.derby.impl.jdbc.EmbedConnection.createDatabase(Unknown Source)
    at org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown Source)
    at org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown Source)
    at org.apache.derby.jdbc.InternalDriver.connect(Unknown Source)
    at org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
    at org.apache.derby.impl.drda.Database.makeConnection(Unknown Source)
    at org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseName(Unknown Source)
    at org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword(Unknown Source)
    at org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(Unknown Source)
    at org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection(Unknown Source)
    at org.apache.derby.impl.drda.DRDAConnThread.processCommands(Unknown Source)
    at org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)
Caused by: java.security.AccessControlException: Access denied (java.io.FilePermission D:\<snip path to database> write)
    at java.security.AccessController.checkPermission(AccessController.java:108)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at java.lang.SecurityManager.checkWrite(SecurityManager.java:962)
    at java.io.File.mkdir(File.java:1167)
    at java.io.File.mkdirs(File.java:1196)
    at org.apache.derby.impl.services.monitor.StorageFactoryService$9.run(Unknown Source)
    at java.security.AccessController.doPrivileged(AccessController.java:251)
    at org.apache.derby.impl.services.monitor.StorageFactoryService.createServiceRoot(Unknown Source)
    at org.apache.derby.impl.services.monitor.BaseMonitor.bootService(Unknown Source)

Here is how I am trying to reproduce based on their description:

java -Djava.security.debug="access:failure" -Dderby.system.home=C:/tmp -classpath "C:/svn/10.3/jars/sane/derbyclient.jar;C:/svn/10.3/jars/sane/derbytools.jar;C:/svn/10.3/jars/sane/derbynet.jar" org.apache.derby.drda.NetworkServerControl start -h <my machine> -p 1692

and connecting with ij with:
connect 'jdbc:derby://<my machine>:1692/C:\path\to\MYDB;create=true';

but like I said I haven't been able to reproduce so far.

Kathey
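
Added example, not part of the original message and not Derby code: a small Java program that evaluates the four FilePermission grants named above through the JDK's own PermissionCollection, so the effect of overlapping or missing grants on a database path outside derby.system.home can be checked without a security manager. The class name and the sample paths are constructed for illustration.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.PermissionCollection;

public class FilePermissionUnionDemo {

    // Put several grants into one collection, as the entries of a single
    // policy "grant" block end up together for a code source.
    static PermissionCollection grants(FilePermission... perms) {
        PermissionCollection pc = perms[0].newPermissionCollection();
        for (FilePermission p : perms) {
            pc.add(p);
        }
        return pc;
    }

    // Ask the collection about each action separately, as checkRead,
    // checkWrite and checkDelete would.
    static void report(String label, PermissionCollection pc, String path) {
        for (String action : new String[] {"read", "write", "delete"}) {
            boolean ok = pc.implies(new FilePermission(path, action));
            System.out.println(label + ": " + action + " -> " + (ok ? "allowed" : "DENIED"));
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths: a system home and a database directory
        // that lies outside it (the "absolute path" case from the message).
        String tmp = System.getProperty("java.io.tmpdir");
        String home = new File(tmp, "derby-home").getAbsolutePath();
        String db = new File(tmp, "elsewhere" + File.separator + "MYDB").getAbsolutePath();

        FilePermission homeRead = new FilePermission(home, "read");
        FilePermission homeTree =
                new FilePermission(home + File.separator + "-", "read,write,delete");
        FilePermission allRead = new FilePermission("<<ALL FILES>>", "read");
        FilePermission allRwd = new FilePermission("<<ALL FILES>>", "read,write,delete");

        report("all four grants", grants(homeRead, homeTree, allRead, allRwd), db);
        report("only <<ALL FILES>> rwd", grants(allRwd), db);
        report("<<ALL FILES>> rwd missing", grants(homeRead, homeTree, allRead), db);
    }
}
```

The collection answers implies() from the union of every matching entry, so the first two cases allow read, write and delete on the outside path; the third allows only read, because neither derby.system.home entry covers a path outside the home directory.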


