This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal



~Mary Bretooflar
Apr 11, 2011, 11:46 PM
8 Posts
topic has been resolvedResolved

java.security.AccessControlException: Access denied Error

  • Category: Server Side JavaScript
  • Platform: All
  • Release: 8.5.2
  • Role:
  • Tags:
  • Replies: 4
I have got my own JAR file which is stored in the database in the WEB-INF/lib folder. It calls hsqldb.jar that is in the jvm/ext/lib folder.
 
The following code works perfectly in a JAVA agent, when I call the java agent from a notes client:
 
 protected void startHsqlDb(String uri) throws Exception{

try {

//Class.forName("org.hsqldb.jdbcDriver" );

Class.forName("org.hsqldb.jdbc.JDBCDriver" );

} catch (Exception e) {

System.out.println("ERROR: failed to load HSQLDB JDBC driver.");

e.printStackTrace();

throw e;

}

//if we do not have the following line we get a security exception in the agent

System.setProperty("hsqldb.reconfig_logging","false");

c=DriverManager.getConnection(uri+";shutdown=true","sa","");

System.out.println("Connected to uri");

}

The agent is set up to allow restricted operations with full administration rights.
 
When I use the same code in a jar that is located in the Web-inf/lib folder, it no longer works and I get the following error on the System.setProperty("hsqldb.reconfig_logging","false") line.
04/12/2011 12:58:26 AM  HTTP JVM: java.security.AccessControlException: Access denied (java.util.PropertyPermission hsqldb.reconfig_logging write)
 
If I omit the line I get another exception from the hsqldb database, which I tested both with the agent and with the xpage.
 
Any help is appreciated. 
 
~Manny Fronusterakoi
Apr 12, 2011, 6:12 AM
38 Posts
Re: java.security.AccessControlException: Access denied Error
Probably it's a java policy problem.
Goto <<program directory>> of your Domino server and find the following directory '\jvm\lib\security' 
 
There is a java policy file. 
You should open the file and add another rule 
grant { 
     permission java.security.AllPermission; 
};
 
close file 
restart server 
 
and see what happens 
~Mary Bretooflar
Apr 12, 2011, 7:23 AM
8 Posts
Re: java.security.AccessControlException: Access denied Error
I have got the following in the java.policy file on the server:
 
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
 
Should this not be sufficient? If not, can you suggest something more restrictive than your original solution, which appears to work. Thank you
 
 
~Manny Fronusterakoi
Apr 12, 2011, 7:54 AM
38 Posts
Re: java.security.AccessControlException: Access denied Error
 Try it the way I descriped, and you will know if it was enough ;-)
~Mary Bretooflar
Apr 12, 2011, 8:25 AM
8 Posts
Re: java.security.AccessControlException: Access denied Error
The way you described it was enough. I no longer got the exception. However, I was somewhat uneasy about security implication.
 
After carefully reading the error:
          04/12/2011 12:58:26 AM HTTP JVM: java.security.AccessControlException: Access denied (java.util.PropertyPermission hsqldb.reconfig_logging write)
I then figured out another solution which I hope, being no java security expert, is more secure. 
 
I added the following line to the java policy file:
 
grant { 
  permission java.util.PropertyPermission "hsqldb.reconfig_logging", "write";
}; 
 
This seems to work OK. 
 
The conclusion is as follows: Running an agent with unrestricted access does not require this line. Running a JAR file from WEB-INF/lib folder  requires the line. Is there a way to mark a JAR file in the WEB-INF/lib folder as having unrestricted access in a similar way as notes agent?
 
 

This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal