db-derby-dev mailing list archives

From "Myrna van Lunteren (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DERBY-6438) Explicitly grant SocketPermission "listen" in default server policy
Date Thu, 23 Jan 2014 21:39:37 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13880392#comment-13880392 ]

Myrna van Lunteren edited comment on DERBY-6438 at 1/23/14 9:38 PM:
--------------------------------------------------------------------

Thanks Knut for the explanations. 

I probably should have grabbed the template.policy file from the source code anyway - that
one works without changes if I pass the correct parameter for derby.install.url.

And I did figure out what I was doing wrong, mostly mistyping the url path for the 'derby.install.url'
property. For a while I missed the final '/', in a long path i.e., in the end I passed in
-Dderby.install.url=file:///c:/[blahblahetc]/1010jars
instead of 
-Dderby.install.url=file:///c:/[blahblahetc]/1010jars/
so it never found the jar files.

Also, I had trouble with the number of slashes after the file url protocol identifier.
One or three worked:
  -Dderby.install.url=file:///c:/jars/1010jars/ 
  -Dderby.install.url=file:/c:/jars/1010jars/
but two did not. 

One more warning for possible users picking up the 1010_server.policy file attached to this
issue; if you have tracing on, you may need to resolve/pass in the property derby.drda.traceDirectory.


Finally, this is just a note, if I successfully started the server using the command identified:
     java -Djava.security.manager -Djava.security.policy=c:/policytst/1010_server.policy -Dderby.security.port=1527 -Dderby.install.url=file:///c:/jars/1010jars/ org.apache.derby.drda.NetworkServerControl start &
I could shut down the server with just:
     java org.apache.derby.drda.NetworkServerControl shutdown
But when I tried to use the same policy file for the shutdown, I needed to add "connect, resolve"
for the localhost:${derby.security.port}.



was (Author: myrna):
Thanks Knut for the explanations. 

I probably should have grabbed the template.policy file from the source code anyway - that
one works without changes if I pass the correct parameter for derby.install.url.

And I did figure out what I was doing wrong, mostly mistyping the url path for the 'derby.install.url'
property. For a while I missed the final '/', in a long path i.e., in the end I passed in
-Dderby.install.url=file:///c:/[blahblahetc]/1010jars
instead of 
-Dderby.install.url=file:///c:/[blahblahetc]/1010jars/
so it never found the jar files.

Also, I had trouble with the number of slashes after the file parameter.
One or three worked:
  -Dderby.install.url=file:///c:/jars/1010jars/ 
  -Dderby.install.url=file:/c:/jars/1010jars/
but two did not. 

One more warning for possible users picking up the 1010_server.policy file attached to this
issue; if you have tracing on, you may need to resolve/pass in the property derby.drda.traceDirectory.


Finally, this is just a note, if I successfully started the server using the command identified:
     java -Djava.security.manager -Djava.security.policy=c:/policytst/1010_server.policy -Dderby.security.port=1527 -Dderby.install.url=file:///c:/jars/1010jars/ org.apache.derby.drda.NetworkServerControl start &
I could shut down the server with just:
     java org.apache.derby.drda.NetworkServerControl shutdown
But when I tried to use the same policy file for the shutdown, I needed to add "connect, resolve"
for the localhost:${derby.security.port}.


> Explicitly grant SocketPermission "listen" in default server policy
> -------------------------------------------------------------------
>
>                 Key: DERBY-6438
>                 URL: https://issues.apache.org/jira/browse/DERBY-6438
>             Project: Derby
>          Issue Type: Improvement
>          Components: Network Server
>    Affects Versions: 10.11.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>             Fix For: 10.5.3.2, 10.6.2.4, 10.7.1.4, 10.8.3.3, 10.9.2.2, 10.10.1.4, 10.11.0.0
>
>         Attachments: 1010_server.policy, 1010_server.policy, 1010_server.policy, 1010_server.policy, d6438-1a.diff, releaseNote.html, releaseNote.html
>
>
> The network server needs SocketPermission "listen" on the port that it listens to, but
> this permission is not granted by the basic server policy that's installed by default. This
> doesn't cause any problems in most cases, since the JVM's default policy grants all code bases
> SocketPermission "listen" on a range of ports, and Derby's network server port is within that
> range.
> Still, the network server should not rely on this fact. It is possible to run the network
> server on any port, not only those ports that happen to be in the range that's given carte blanche
> by the platform's default policy. The network server will however not be able to run on those
> ports with the basic policy currently, only with a custom policy or with the security manager
> disabled.
> The default policy should make this permission explicit.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
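
Added example (not part of the original message and not Derby code): a pre-flight check for the -Dderby.install.url value that flags the two mistakes described in the comment above, the missing final '/' and the two slashes after "file:". It assumes the policy file forms each codeBase by appending a jar name such as derbynet.jar directly to the property value; check_install_url, expanded_code_base and SERVER_JAR are hypothetical names.

```python
from urllib.parse import urlsplit

# Jar name appended to the property value in a codeBase entry.
# Assumption for illustration; substitute the jars your policy names.
SERVER_JAR = "derbynet.jar"


def expanded_code_base(value):
    """What "${derby.install.url}<jar>" becomes after property expansion."""
    return value + SERVER_JAR


def check_install_url(value):
    """Return a list of problems with a derby.install.url value ([] = OK)."""
    problems = []
    parts = urlsplit(value)
    if parts.scheme != "file":
        problems.append("scheme is %r, expected 'file'" % parts.scheme)
    # In URL syntax the text between '//' and the next '/' is the authority
    # (host). file://c:/jars/ therefore names host 'c:' with path '/jars/',
    # not a path on drive C:, so one or three slashes are needed.
    if parts.netloc:
        problems.append("authority %r present: use file:/ or file:/// "
                        "before the drive letter" % parts.netloc)
    # Expansion is plain string concatenation, so without the final '/'
    # the directory name and the jar name run together.
    if not value.endswith("/"):
        problems.append("no trailing '/': codeBase expands to %r"
                        % expanded_code_base(value))
    return problems


if __name__ == "__main__":
    # Sample values taken from the comment, plus the two-slash variant
    # (constructed here from the comment's description).
    samples = [
        "file:///c:/jars/1010jars/",
        "file:/c:/jars/1010jars/",
        "file://c:/jars/1010jars/",
        "file:///c:/jars/1010jars",
    ]
    for url in samples:
        found = check_install_url(url)
        print(url, "->", "OK" if not found else "; ".join(found))
```

Run it against the value before starting the server under -Djava.security.manager; a value that passes here can still point at a directory that does not contain the jars.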
