Re: Configuring a Server Policy for Derby on Windows
On 01. feb. 2014 17:31, Bryan Pendleton wrote: On 1/31/2014 8:43 AM, John I. Moore, Jr. wrote: One final point of clarification to my original email: John, thanks for sharing all your findings, and thanks all of you for the pointers to detailed information. I've tried to collect it all at: https://wiki.apache.org/db-derby/SecurityPolicyTips Thanks, Bryan! Dag
Re: Configuring a Server Policy for Derby on Windows
On 1/31/2014 8:43 AM, John I. Moore, Jr. wrote: One final point of clarification to my original email: John, thanks for sharing all your findings, and thanks all of you for the pointers to detailed information. I've tried to collect it all at: https://wiki.apache.org/db-derby/SecurityPolicyTips thanks, bryan
RE: Configuring a Server Policy for Derby on Windows
One final point of clarification to my original email: While the file specifications appear to work with zero, one, or three slashes, based on the Wikipedia link supplied by Dag below and this MSDN link, http://blogs.msdn.com/b/ie/archive/2006/12/06/file-uris-in-windows.aspx, it appears that three slashes is the proper form for files on the localhost, which, I suspect, is the most common case. _ John I. Moore, Jr. SoftMoore Consulting From: dag wanvik [mailto:dag.wan...@oracle.com] Sent: Thursday, January 30, 2014 10:48 AM To: derby-user@db.apache.org; CAMILLA.HAASE Subject: Re: Configuring a Server Policy for Derby on Windows The slashes in a file URL is explained in this Wikipedia entry: http://en.wikipedia.org/wiki/File_URI_scheme#Meaning_of_slash_character file:// file:///\\ host/path Things to notice: * If host is omitted, it is taken to be localhost, the machine from which the URL is being interpreted. Note that when omitting host you do not omit the slash ( file:///\\foo.txt file:///foo.txt is okay, while file:///\\foo.txt file://foo.txt is not, although some interpreters manage to handle the latter). * The double slash // should always appear in a file URL according to the specification, but in practice many Web browsers http://en.wikipedia.org/wiki/Web_browser allow you to omit it) * the URI as understood by the Windows Shell API is e.g. file:///c:\WINDOWS\clock.avi file:///c:/WINDOWS/clock.avi So, three slashes is OK: it means the host is omitted (default). Zero and one slash would indicate that the //host part is omitted, cf the lenience allowed mentioned above. Just a double slash followed by the file path (e.g. //C:/), would be wrong, since C: is not a host name. So, our docs are wrong here. Thanks, Dag On 30.01.2014 16:00, Myrna van Lunteren wrote: Hi John, Thanks for the write-up! I'm sorry you had to struggle through the url file: syntax - I did too, and updated DERBY-6438 with my findings. We should probably fix the documentation. Myrna On Thu, Jan 30, 2014 at 6:27 AM, John I. Moore, Jr. softmo...@att.net wrote: I am sending this email to the Derby user list with the hope that I can save someone time and frustration when trying to run the Derby network server on Windows with the latest version of Java (currently 1.7.0_51). With the latest version of Java, it is no longer possible to use the batch file startNetworkServer.bat to start the network server. If you run derby under Linux or some variation of Unix, or if you are already familiar with how to use a server policy file with Derby, you can probably ignore this message. (Note to Derby developers: You might want to add some of the descriptions below to the appropriate pages in the Derby documentation, especially https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservcustom.html.) To run the Derby network server on Windows, you will need to download a copy of the server policy file 1010_server.policy from https://issues.apache.org/jira/browse/DERBY-6438 and edit it for your use or define appropriate system properties when starting the Derby network server. I will give an example for editing the file. When editing the file, replace ${derby.install.url} with the full path name for the Derby jar files in the four sections that start with grant codebase. The syntax is a little tricky. For example, assume that derby has been installed in C:\Java\db-derby-10.10.1.1-bin. You use a file: specification, but you need to use forward slashes, not back slashes. Also, the file specification can contain zero, one, or three forward slashes, but not two. Thus, any of the following will work grant codeBase file:///C:\Java\db-derby-10.10.1.1-bin\lib\derby.jar file:C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar grant codeBase file:///C:\Java\db-derby-10.10.1.1-bin\lib\derby.jar file:/C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar grant codeBase file:///C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar file:///C:\Java\db-derby-10.10.1.1-bin\lib\derby.jar but not grant codeBase file://C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar file:///C:\Java\db-derby-10.10.1.1-bin\lib\derby.jar This is an important point since the sample files in the Derby Developer's Guide seem to imply that two slashes are acceptable - see http://db.apache.org/derby/docs/10.10/devguide/cdevcsecure871387.html. If you use two slashes in you file specification, you will get an error message similar to the following: Thu Jan 30 09:09:33 EST 2014 : access denied (java.util.PropertyPermission derby.__serverStartedFromCmdLine write) java.security.AccessControlException: access denied (java.util.PropertyPermission derby.__serverStartedFromCmdLine write) at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at
Re: Configuring a Server Policy for Derby on Windows
Hi John, Thanks for the write-up! I'm sorry you had to struggle through the url file: syntax - I did too, and updated DERBY-6438 with my findings. We should probably fix the documentation. Myrna On Thu, Jan 30, 2014 at 6:27 AM, John I. Moore, Jr. softmo...@att.netwrote: I am sending this email to the Derby user list with the hope that I can save someone time and frustration when trying to run the Derby network server on Windows with the latest version of Java (currently 1.7.0_51). With the latest version of Java, it is no longer possible to use the batch file startNetworkServer.bat to start the network server. If you run derby under Linux or some variation of Unix, or if you are already familiar with how to use a server policy file with Derby, you can probably ignore this message. (Note to Derby developers: You might want to add some of the descriptions below to the appropriate pages in the Derby documentation, especially https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservcustom.html .) To run the Derby network server on Windows, you will need to download a copy of the server policy file 1010_server.policy from https://issues.apache.org/jira/browse/DERBY-6438 and edit it for your use or define appropriate system properties when starting the Derby network server. I will give an example for editing the file. When editing the file, replace ${derby.install.url} with the full path name for the Derby jar files in the four sections that start with *grant codebase*. The syntax is a little tricky. For example, assume that derby has been installed in C:\Java\db-derby-10.10.1.1-bin. You use a file: specification, but you need to use forward slashes, not back slashes. Also, the file specification can contain zero, one, or three forward slashes, but not two. Thus, any of the following will work grant codeBase file:C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar grant codeBase file:/C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar grant codeBase file:///C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar but not grant codeBase file://C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar This is an important point since the sample files in the Derby Developer's Guide seem to imply that two slashes are acceptable - see http://db.apache.org/derby/docs/10.10/devguide/cdevcsecure871387.html. If you use two slashes in you file specification, you will get an error message similar to the following: Thu Jan 30 09:09:33 EST 2014 : access denied (java.util.PropertyPermission derby.__serverStartedFromCmdLine write) java.security.AccessControlException: access denied (java.util.PropertyPermission derby.__serverStartedFromCmdLine write) at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source) at java.lang.System.setProperty(Unknown Source) at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source) at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at org.apache.derby.drda.NetworkServerControl.main(Unknown Source) at org.apache.derby.iapi.tools.run.main(Unknown Source) You also need to replace ${derby.security.port} with the appropriate port number (e.g., 1527). Alternatively, you can define ${derby.security.port} in your call to start the Derby network server, as in -Dderby.security.port=1527. Other policy file parameters can be handled similarly, but these are the most important ones, and these changes are the minimum needed to get the Derby network server started. I saved the policy file in my DERBY_HOME directory as simply server.policy, and I edited only the four grant codebase sections as described above. I can then start the Derby network server using a command similar to the following (which I placed in a batch file): start java -Dderby.system.home=%DERBY_HOME% -Dderby.security.port=1527 -Djava.security.manager -Djava.security.policy=%DERBY_HOME%\server.policy -jar %DERBY_HOME%\lib\derbyrun.jar server start Alternatively, if your class path contains the appropriate Derby jar files (which can ensure by running %DERBY_HOME%\bin\setNetworkServerCP.bat), you can start the Derby network server using the following: start java -Dderby.system.home=%DERBY_HOME% -Dderby.security.port=1527 -Djava.security.manager -Djava.security.policy=%DERBY_HOME%\server.policy org.apache.derby.drda.NetworkServerControl start I hope this helps. I wasted a lot of time before I figured out that the two forward slashes in the file specification was causing the problem. _ John I. Moore, Jr. SoftMoore Consulting
Re: Configuring a Server Policy for Derby on Windows
The slashes in a file URL is explained in this Wikipedia entry: http://en.wikipedia.org/wiki/File_URI_scheme#Meaning_of_slash_character *file:///host///path/* Things to notice: * If /host/ is omitted, it is taken to be localhost, the machine from which the URL is being interpreted. Note that when omitting host you do not omit the slash (file:///foo.txt is okay, while file://foo.txt is not, although some interpreters manage to handle the latter). * The double slash // should always appear in a file URL according to the specification, but in practice many Web browsers http://en.wikipedia.org/wiki/Web_browser allow you to omit it) * the URI as understood by the Windows Shell API is e.g. file:///c:/WINDOWS/clock.avi So, three slashes is OK: it means the host is omitted (default). Zero and one slash would indicate that the //host part is omitted, cf the lenience allowed mentioned above. Just a double slash followed by the file path (e.g. //C:/), would be wrong, since C: is not a host name. So, our docs are wrong here. Thanks, Dag On 30.01.2014 16:00, Myrna van Lunteren wrote: Hi John, Thanks for the write-up! I'm sorry you had to struggle through the url file: syntax - I did too, and updated DERBY-6438 with my findings. We should probably fix the documentation. Myrna On Thu, Jan 30, 2014 at 6:27 AM, John I. Moore, Jr. softmo...@att.net mailto:softmo...@att.net wrote: I am sending this email to the Derby user list with the hope that I can save someone time and frustration when trying to run the Derby network server on Windows with the latest version of Java (currently 1.7.0_51). With the latest version of Java, it is no longer possible to use the batch file startNetworkServer.bat to start the network server. If you run derby under Linux or some variation of Unix, or if you are already familiar with how to use a server policy file with Derby, you can probably ignore this message. (Note to Derby developers: You might want to add some of the descriptions below to the appropriate pages in the Derby documentation, especially https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservcustom.html.) To run the Derby network server on Windows, you will need to download a copy of the server policy file 1010_server.policy from https://issues.apache.org/jira/browse/DERBY-6438 and edit it for your use or define appropriate system properties when starting the Derby network server. I will give an example for editing the file. When editing the file, replace ${derby.install.url} with the full path name for the Derby jar files in the four sections that start with *grant codebase*. The syntax is a little tricky. For example, assume that derby has been installed in C:\Java\db-derby-10.10.1.1-bin. You use a file: specification, but you need to use forward slashes, not back slashes. Also, the file specification can contain zero, one, or three forward slashes, but not two. Thus, any of the following will work grant codeBase file:C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar grant codeBase file:/C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar grant codeBase file:///C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar but not grant codeBase file://C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar This is an important point since the sample files in the Derby Developer's Guide seem to imply that two slashes are acceptable -- see http://db.apache.org/derby/docs/10.10/devguide/cdevcsecure871387.html. If you use two slashes in you file specification, you will get an error message similar to the following: Thu Jan 30 09:09:33 EST 2014 : access denied (java.util.PropertyPermission derby.__serverStartedFromCmdLine write) java.security.AccessControlException: access denied (java.util.PropertyPermission derby.__serverStartedFromCmdLine write) at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source) at java.lang.System.setProperty(Unknown Source) at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source) at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at org.apache.derby.drda.NetworkServerControl.main(Unknown Source) at org.apache.derby.iapi.tools.run.main(Unknown Source) You also need to replace ${derby.security.port} with the appropriate port number (e.g., 1527). Alternatively, you can define ${derby.security.port} in your call to start the Derby network server, as in -Dderby.security.port=1527. Other policy file parameters can be handled similarly, but these are the most important ones, and these changes are the minimum