[
https://issues.apache.org/jira/browse/DERBY-6438?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13879334#comment-13879334
]
Myrna van Lunteren commented on DERBY-6438:
-------------------------------------------
The file attached to this issue is only intended as a convenience for our users
using jdk 1.7 u51 - or jdk 18, until we have an official Apache 10.10.(2)
release with the fixes in the default policyfile in it.
I admit I did not test before attaching the file straight from the codebase, I
*assumed* it would work because I thought this is the same policy file that
works as the default policy file included in derbynet.jar
But it was not working as work-around, when you issue the command suggested:
java -Djava.security.manager -Djava.security.policy=[filename]
org.apache.derby.drda.NetworkServerControl start&
you got this error:
java.security.AccessControlException: access denied
("java.util.PropertyPermission" "derby.__serverStartedFromCmdLine" "write")
This permission is apparently not needed in the default policy file.
Rick modified the 1010_server.policy workaround file by adding this permission,
and then went on to add some further permissions needed to get it working under
jdk18 - specifically the deregister permission. This puzzles me too - it seemed
from the original notes that this was only needed for embedded.
And I am still puzzled, I now also got myself jdk17u51, but I cannot get the
command to work with the policy file, even though it has the
"derby.__serverStartedFromCmdLine" permission that it's complaining about...I
have tried modifying my CLASSPATH to have just derbyrun.jar, and to have
derbyclient.jar;derbynet.jar, but I get the same effect...?
I added the permission to the various codebases in the workaround file
(derbyclient.jar, derby.jar, derbytools.jar, derbynet.jar) and still get the
same...
I must be doing something wrong, but what...
> Explicitly grant SocketPermission "listen" in default server policy
> -------------------------------------------------------------------
>
> Key: DERBY-6438
> URL: https://issues.apache.org/jira/browse/DERBY-6438
> Project: Derby
> Issue Type: Improvement
> Components: Network Server
> Affects Versions: 10.11.0.0
> Reporter: Knut Anders Hatlen
> Assignee: Knut Anders Hatlen
> Fix For: 10.5.3.2, 10.6.2.4, 10.7.1.4, 10.8.3.3, 10.9.2.2,
> 10.10.1.4, 10.11.0.0
>
> Attachments: 1010_server.policy, 1010_server.policy,
> 1010_server.policy, 1010_server.policy, d6438-1a.diff, releaseNote.html,
> releaseNote.html
>
>
> The network server needs SocketPermission "listen" on the port that it
> listens to, but this permission is not granted by the basic server policy
> that's installed by default. This doesn't cause any problems in most cases,
> since the JVM's default policy grants all code bases SocketPermission
> "listen" on a range of ports, and Derby's network server port is within that
> range.
> Still, the network server should not rely on this fact. It is possible to run
> the network server on any port, not only those ports that happen be in the
> range that's given carte blanche by the platform's default policy. The
> network server will however not be able to run on those ports with the basic
> policy currently, only with a custom policy or with the security manager
> disabled.
> The default policy should make this permission explicit.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
