db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kathey Marsden <kmarsdende...@sbcglobal.net>
Subject Questions about policy file and multiple FilePermission lines
Date Thu, 28 May 2009 23:38:42 GMT
I am working with a user that is using the network server default 
server.policy file and having an interesting problem.  They create their 
database with an absolute path and *sometimes* they get the permission 
error below.  When they get the failure and set java.security.debug to 
access:failure. They see only two or three of the file permissions 
getting loaded instead of the four that we have in the file for derby.jar.

 permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
 permission java.io.FilePermission "<<ALL FILES>>", "read";
 permission java.io.FilePermission "${derby.system.home}","read";  
permission java.io.FilePermission "${derby.system.home}${/}-", 
"read,write,delete";

The user rebuilt derby with only the permission java.io.FilePermission 
"<<ALL FILES>>", "read,write,delete";  FilePermission  in the 
server.policy file and doesn't see the issue. 


I actually  haven't reproduced this issue on my machine with almost the 
same revision JVM. I see all 4  permissions listed and have no problem 
creating a database with an absolute path.
They are using:
Java(TM) SE Runtime Environment (build pwi3260sr3-20081106_07(SR3))
IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Windows XP x86-32 
jvmwi3260-20081105_25433 (JIT enabled, AOT enabled)
J9VM - 20081105_025433_lHdSMr
JIT  - r9_20081031_1330
GC   - 20081027_AB)
JCL  - 20081106_01

They start their network server with an ant script.

I wonder how java should handle having  permission
java.io.FilePermission "<<ALL FILES>>", "read"; and  
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

Should the JVM be smart enough to figure out the more liberal one and go 
with that?  Do we need to keep all four of these or would just the one 
suffice?

Here is the error:

ERROR XBM0H: Directory 
D:\<snip path to database> 
cannot be created.
        at 
org.apache.derby.iapi.error.StandardException.newException(Unkno
wn Source)
        at 
org.apache.derby.impl.services.monitor.StorageFactoryService.cre
ateServiceRoot(Unknown Source)
        at 
org.apache.derby.impl.services.monitor.BaseMonitor.bootService(U
nknown Source)
        at 
org.apache.derby.impl.services.monitor.BaseMonitor.createPersist
entService(Unknown Source)
        at 
org.apache.derby.iapi.services.monitor.Monitor.createPersistentS
ervice(Unknown Source)
        at 
org.apache.derby.impl.jdbc.EmbedConnection.createDatabase(Unknow
n Source)
        at 
org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown 
Source)
        at 
org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown 
Source)
        at org.apache.derby.jdbc.InternalDriver.connect(Unknown 
Source)
        at 
org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
        at 
org.apache.derby.impl.drda.Database.makeConnection(Unknown 
Source)
        at 
org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseNam
e(Unknown Source)
        at 
org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword(U
nknown Source)
        at 
org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(Unknown 
Source)
        at 
org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection(Un
known Source)
        at 
org.apache.derby.impl.drda.DRDAConnThread.processCommands(Unknow
n Source)
        at 
org.apache.derby.impl.drda.DRDAConnThread.run(Unknown Source)
Caused by: java.security.AccessControlException: Access denied 
(java.io.FilePermission 
D:\<snip path to database> 
write)
        at 
java.security.AccessController.checkPermission(AccessController.
java:108)
        at 
java.lang.SecurityManager.checkPermission(SecurityManager.java:5
32)
        at 
java.lang.SecurityManager.checkWrite(SecurityManager.java:962)
        at java.io.File.mkdir(File.java:1167)
        at java.io.File.mkdirs(File.java:1196)
        at 
org.apache.derby.impl.services.monitor.StorageFactoryService$9.r
un(Unknown Source)
        at 
java.security.AccessController.doPrivileged(AccessController.jav
a:251)
        at 
org.apache.derby.impl.services.monitor.StorageFactoryService.cre
ateServiceRoot(Unknown Source)
        at 
org.apache.derby.impl.services.monitor.BaseMonitor.bootService(U
nknown Source)


Here is how I am trying to reproduce based on their description:
start with:

java -Djava.security.debug="access:failure" -Dderby.system.home=C:/tmp  
-classpath 
"C:/svn/10.3/jars/sane/derbyclient.jar;C:/svn/10.3/jars/sane/derbytools.jar;C:/svn/10.3/jars/sane/derbynet.jar"

org.apache.derby.drda.NetworkServerControl start -h <my machine>  -p 1692

and connecting with ij with:
connect 'jdbc:derby://<my machine>:1692/C:\path\to\MYDB;create=true';

but like I said I haven't been able to reproduce so far.

Kathey


Mime
View raw message