Hi George,
I don't see this problem with release 10.10.2.0 when I run the network
server this way...
java org.apache.derby.drda.NetworkServerControl start -p 8246
...and run the following script...
connect 'jdbc:derby://localhost:8246/memory:db;create=true';
call sqlj.install_jar( 'helloWorld.jar', 'APP.HELLO_WORLD', 0 );
call syscs_util.syscs_set_database_property( 'derby.database.classpath',
'APP.HELLO_WORLD' );
create procedure helloWorld( args varchar( 32672 )... )
language java parameter style derby no sql
external name 'HelloWorld.main';
call helloWorld();
In this experiment, Derby uses the default server policy which is
bundled inside derbynet.jar at
org/apache/derby/drda/server.policy
I have attached that policy to this message. As you can see, that policy
does NOT grant the following permissions to any protection domain:
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
We might be able to say more if you could include the full stack trace
which you are seeing.
Thanks,
-Rick
On 7/21/14 12:21 PM, spykee wrote:
Hi folks,
I have a problem and I hope someone can help me.
- I added a specific jar file in derby, and every time I execute a stored
procedure from that jar I encounter:
-- java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "getClassLoader")
* I searched on internet a solution for this, and the problem reside in the
security policy.
* I don't want to use as an argument a specific security politicy
(-D...=myPolicy) while starting derby (network server).
* I searched my Java policy ( C:\Program Files\Java\jre8\lib\security ) and
I added the followings(java.policy file):
grant codeBase "file://C:/Program Files/Java/jdk1.8.0/db/lib/derby.jar"
{
permission java.lang.RuntimePermission "createClassLoader";
permission java.util.PropertyPermission "derby.*", "read";
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission "user.dir", "read";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
"write";
permission java.io.FilePermission"C:/Users/myUser/.netbeans-derby",
"read,write,delete";
permission java.io.FilePermission"C:/Users/myUser/.netbeans-derby{/}-",
"read,write,delete";
};
I tried to use the Linux separator (/), the windows one(\) for the file
path... same errors on my Netbeans. I start/stop Apache Derby from Netbeans.
Can someone give me a hint ?
Cheers,
George
--
View this message in context:
http://apache-database.10148.n7.nabble.com/java-security-AccessControlException-access-denied-java-lang-RuntimePermission-getClassLoader-tp140900.html
Sent from the Apache Derby Users mailing list archive at Nabble.com.
//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
grant codeBase "${derby.install.url}derby.jar"
{
//
// These permissions are needed for everyday, embedded Derby usage.
//
permission java.lang.RuntimePermission "createClassLoader";
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
"write";
// The next two properties are used to determine if the VM is 32 or 64 bit.
permission java.util.PropertyPermission "sun.arch.data.model", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${derby.system.home}${/}-",
"read,write,delete";
//
// This permission lets you backup and restore databases
// to and from arbitrary locations in your file system.
//
// This permission also lets you import/export data to and from
// arbitrary locations in your file system.
//
// You may want to restrict this access to specific directories.
//
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
//
// Needed by sysinfo. The file permission is needed to
// check the existence of jars on the classpath. You can
// limit this permission to just the locations which hold
// your jar files. This block is reproduced for all codebases
// which include the sysinfo classes--the policy file syntax
// does not let you grant permissions to several codebases
// all at once.
//
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "java.runtime.version", "read";
permission java.io.FilePermission "java.fullversion", "read";
//
// Permissions needed for JMX based management and monitoring, which is only
// available for JVMs supporting "platform management", that is J2SE 5.0 or
better.
//
// Allows this code to create an MBeanServer:
//
permission javax.management.MBeanServerPermission "createMBeanServer";
//
// Allows access to Derby's built-in MBeans, within the domain org.apache.derby.
// Derby must be allowed to register and unregister these MBeans.
// To fine tune this permission, see the javadoc of
javax.management.MBeanPermission
// or the JMX Instrumentation and Agent Specification.
//
permission javax.management.MBeanPermission
"org.apache.derby.*#[org.apache.derby:*]","registerMBean,unregisterMBean";
//
// Trusts Derby code to be a source of MBeans and to register these in the
MBean server.
//
permission javax.management.MBeanTrustPermission "register";
// Gives permission for jmx to be used against Derby but
// only if JMX authentication is not being used.
// In that case the application would need to create
// a whole set of fine-grained permissions to allow specific
// users access to MBeans and actions they perform.
permission org.apache.derby.security.SystemPermission "jmx", "control";
permission org.apache.derby.security.SystemPermission "engine", "monitor";
permission org.apache.derby.security.SystemPermission "server", "monitor";
// getProtectionDomain is an optional permission needed for printing classpath
// information to derby.log
permission java.lang.RuntimePermission "getProtectionDomain";
//
// The following permission must be granted for Connection.abort(Executor) to
work.
// Note that this permission must also be granted to outer (application) code
domains.
//
permission java.sql.SQLPermission "callAbort";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "${derby.install.url}derbynet.jar"
{
//
// This permission lets the Network Server manage connections from clients.
//
// Accept connections from any host. Derby is listening to the host
// interface specified via the -h option to "NetworkServerControl
// start" on the command line, via the address parameter to the
// org.apache.derby.drda.NetworkServerControl constructor in the API
// or via the property derby.drda.host; the default is localhost.
// You may want to restrict allowed hosts, e.g. to hosts in a specific
// subdomain, e.g. "*.example.com".
permission java.net.SocketPermission "*", "accept";
// Allow the server to listen to the socket on the port specified with the
// -p option to "NetworkServerControl start" on the command line, or with
// the portNumber parameter to the NetworkServerControl constructor in the
// API, or with the property derby.drda.portNumber. The default is 1527.
permission java.net.SocketPermission "localhost:${derby.security.port}",
"listen";
//
// Needed for server tracing.
//
permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-",
"read,write,delete";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
// Needed for NetworkServerMBean access (see JMX section above)
permission org.apache.derby.security.SystemPermission "server",
"control,monitor";
//
// Needed by sysinfo. The file permission is needed to
// check the existence of jars on the classpath. You can
// limit this permission to just the locations which hold
// your jar files. This block is reproduced for all codebases
// which include the sysinfo classes--the policy file syntax
// does not let you grant permissions to several codebases
// all at once.
//
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "java.runtime.version", "read";
permission java.io.FilePermission "java.fullversion", "read";
};
grant codeBase "${derby.install.url}derbytools.jar"
{
//
// Needed by sysinfo. The file permission is needed to
// check the existence of jars on the classpath. You can
// limit this permission to just the locations which hold
// your jar files. This block is for all codebases
// which include the sysinfo classes--the policy file syntax
// does not let you grant permissions to several codebases
// all at once.
//
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "java.runtime.version", "read";
permission java.io.FilePermission "java.fullversion", "read";
};
grant codeBase "${derby.install.url}derbyclient.jar"
{
//
// Needed by sysinfo. The file permission is needed to
// check the existence of jars on the classpath. You can
// limit this permission to just the locations which hold
// your jar files. This block is reproduced for all codebases
// which include the sysinfo classes--the policy file syntax
// does not let you grant permissions to several codebases
// all at once.
//
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "java.runtime.version", "read";
permission java.io.FilePermission "java.fullversion", "read";
//
// The following permission must be granted for Connection.abort(Executor) to
work.
// Note that this permission must also be granted to outer (application) code
domains.
//
permission java.sql.SQLPermission "callAbort";
};
