Re: Configuring a Server Policy for Derby on Windows

2014-02-05 Thread Dag H. Wanvik

On 01. feb. 2014 17:31, Bryan Pendleton wrote:

On 1/31/2014 8:43 AM, John I. Moore, Jr. wrote:

One final point of clarification to my original email:


John, thanks for sharing all your findings, and thanks all of you
for the pointers to detailed information. I've tried to collect
it all at:

https://wiki.apache.org/db-derby/SecurityPolicyTips


Thanks, Bryan!

Dag



Re: Configuring a Server Policy for Derby on Windows

2014-02-01 Thread Bryan Pendleton

On 1/31/2014 8:43 AM, John I. Moore, Jr. wrote:

One final point of clarification to my original email:


John, thanks for sharing all your findings, and thanks all of you
for the pointers to detailed information. I've tried to collect
it all at:

https://wiki.apache.org/db-derby/SecurityPolicyTips

thanks,

bryan




RE: Configuring a Server Policy for Derby on Windows

2014-01-31 Thread John I. Moore, Jr.
One final point of clarification to my original email:

While the file specifications appear to work with zero, one, or three slashes,

based on the Wikipedia link supplied by Dag below and this MSDN link,

http://blogs.msdn.com/b/ie/archive/2006/12/06/file-uris-in-windows.aspx,

it appears that three slashes is the proper form for files on the localhost,

which, I suspect, is the most common case.

 

_

 

John I. Moore, Jr.

SoftMoore Consulting

 

From: dag wanvik [mailto:dag.wan...@oracle.com] 
Sent: Thursday, January 30, 2014 10:48 AM
To: derby-user@db.apache.org; CAMILLA.HAASE
Subject: Re: Configuring a Server Policy for Derby on Windows

 

The slashes in a file URL are explained in this Wikipedia entry:

http://en.wikipedia.org/wiki/File_URI_scheme#Meaning_of_slash_character

file://host/path

Things to notice:

* If host is omitted, it is taken to be localhost, the machine from which
the URL is being interpreted. Note that when omitting host you do not omit
the slash (file:///foo.txt is okay, while file://foo.txt is not, although
some interpreters manage to handle the latter).

* The double slash // should always appear in a file URL according to the
specification, but in practice many Web browsers
(http://en.wikipedia.org/wiki/Web_browser) allow you to omit it.

* the URI as understood by the Windows Shell API is e.g.
file:///c:/WINDOWS/clock.avi

So, three slashes is OK: it means the host is omitted (default).
Zero and one slash would indicate that the //host part is omitted, cf the
lenience allowed mentioned above.

Just a double slash followed by the file path (e.g. //C:/), would be wrong,
since C: is not a host name.

So, our docs are wrong here.

Thanks,
Dag



On 30.01.2014 16:00, Myrna van Lunteren wrote:

Hi John,

Thanks for the write-up!

 

I'm sorry you had to struggle through the url file: syntax  - I did too, and
updated DERBY-6438 with my findings.

We should probably fix the documentation.

 

Myrna

 

On Thu, Jan 30, 2014 at 6:27 AM, John I. Moore, Jr. softmo...@att.net wrote:

I am sending this email to the Derby user list with the hope that I can save
someone time and frustration when trying to run the Derby network server on
Windows with the latest version of Java (currently 1.7.0_51).  With the
latest version of Java, it is no longer possible to use the batch file
startNetworkServer.bat to start the network server.  If you run derby under
Linux or some variation of Unix, or if you are already familiar with how to
use a server policy file with Derby, you can probably ignore this message.
(Note to Derby developers:  You might want to add some of the descriptions
below to the appropriate pages in the Derby documentation, especially
https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservcustom.html.)

To run the Derby network server on Windows, you will need to download a copy
of the server policy file 1010_server.policy from
https://issues.apache.org/jira/browse/DERBY-6438 and edit it for your use or
define appropriate system properties when starting the Derby network server.
I will give an example for editing the file.

When editing the file, replace ${derby.install.url} with the full path name
for the Derby jar files in the four sections that start with grant codebase.
The syntax is a little tricky.  For example, assume that derby has been
installed in C:\Java\db-derby-10.10.1.1-bin.  You use a file: specification,
but you need to use forward slashes, not back slashes.  Also, the file
specification can contain zero, one, or three forward slashes, but not two.
Thus, any of the following will work

 grant codeBase file:C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

 grant codeBase file:/C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

 grant codeBase file:///C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

but not

 grant codeBase file://C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

This is an important point since the sample files in the Derby Developer's
Guide seem to imply that two slashes are acceptable - see
http://db.apache.org/derby/docs/10.10/devguide/cdevcsecure871387.html.  If
you use two slashes in your file specification, you will get an error message
similar to the following:

Thu Jan 30 09:09:33 EST 2014 : access denied (java.util.PropertyPermission
derby.__serverStartedFromCmdLine write)

java.security.AccessControlException: access denied (java.util.PropertyPermission
derby.__serverStartedFromCmdLine write)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at 

Re: Configuring a Server Policy for Derby on Windows

2014-01-30 Thread Myrna van Lunteren
Hi John,

Thanks for the write-up!

I'm sorry you had to struggle through the url file: syntax  - I did too,
and updated DERBY-6438 with my findings.

We should probably fix the documentation.

Myrna



On Thu, Jan 30, 2014 at 6:27 AM, John I. Moore, Jr. softmo...@att.net wrote:

 I am sending this email to the Derby user list with the hope that I can
 save someone time and frustration when trying to run the Derby network
 server on Windows with the latest version of Java (currently 1.7.0_51).
 With the latest version of Java, it is no longer possible to use the batch
 file startNetworkServer.bat to start the network server.  If you run
 derby under Linux or some variation of Unix, or if you are already familiar
 with how to use a server policy file with Derby, you can probably ignore
 this message.  (Note to Derby developers:  You might want to add some of
 the descriptions below to the appropriate pages in the Derby documentation,
 especially
 https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservcustom.html.)



 To run the Derby network server on Windows, you will need to download a
 copy of the server policy file 1010_server.policy from
 https://issues.apache.org/jira/browse/DERBY-6438 and edit it for your use
 or define appropriate system properties when starting the Derby network
 server.  I will give an example for editing the file.



 When editing the file, replace ${derby.install.url} with the full path
 name for the Derby jar files in the four sections that start with *grant
 codebase*.  The syntax is a little tricky.  For example, assume that
 derby has been installed in C:\Java\db-derby-10.10.1.1-bin.  You use a 
 file: specification, but you need to use forward slashes, not back
 slashes.  Also, the file specification can contain zero, one, or three
 forward slashes, but not two.  Thus, any of the following will work

  grant codeBase file:C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

  grant codeBase file:/C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

  grant codeBase file:///C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

 but not

  grant codeBase file://C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar



 This is an important point since the sample files in the Derby Developer's
 Guide seem to imply that two slashes are acceptable - see
 http://db.apache.org/derby/docs/10.10/devguide/cdevcsecure871387.html.
 If you use two slashes in your file specification, you will get an error
 message similar to the following:



 Thu Jan 30 09:09:33 EST 2014 : access denied
 (java.util.PropertyPermission derby.__serverStartedFromCmdLine write)

 java.security.AccessControlException: access denied
 (java.util.PropertyPermission derby.__serverStartedFromCmdLine write)

 at java.security.AccessControlContext.checkPermission(Unknown
 Source)

 at java.security.AccessController.checkPermission(Unknown Source)

 at java.lang.SecurityManager.checkPermission(Unknown Source)

 at java.lang.System.setProperty(Unknown Source)

 at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)

 at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)

 at java.security.AccessController.doPrivileged(Native Method)

 at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

 at org.apache.derby.iapi.tools.run.main(Unknown Source)



 You also need to replace ${derby.security.port} with the appropriate
 port number (e.g., 1527).   Alternatively, you can define 
 ${derby.security.port} in your call to start the Derby network server,
 as in -Dderby.security.port=1527.  Other policy file parameters can be
 handled similarly, but these are the most important ones, and these changes
 are the minimum needed to get the Derby network server started.



 I saved the policy file in my DERBY_HOME directory as simply server.policy,
 and I edited only the four grant codebase sections as described above.
 I can then start the Derby network server using a command similar to the
 following (which I placed in a batch file):

 start java -Dderby.system.home=%DERBY_HOME% -Dderby.security.port=1527
 -Djava.security.manager -Djava.security.policy=%DERBY_HOME%\server.policy
 -jar %DERBY_HOME%\lib\derbyrun.jar server start



 Alternatively, if your class path contains the appropriate Derby jar files
 (which you can ensure by running %DERBY_HOME%\bin\setNetworkServerCP.bat),
 you can start the Derby network server using the following:

 start java -Dderby.system.home=%DERBY_HOME% -Dderby.security.port=1527
 -Djava.security.manager -Djava.security.policy=%DERBY_HOME%\server.policy
 org.apache.derby.drda.NetworkServerControl start



 I hope this helps.  I wasted a lot of time before I figured out that the
 two forward slashes in the file specification were causing the problem.



 _



 John I. Moore, Jr.

 SoftMoore Consulting
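
A small linter for the codeBase rules worked out in this thread (an added example, not code from the Derby project or from any of the posters): it flags the two-slash form, where the drive letter lands in the host position, plus backslashes and ${...} references that still need a value. The sample policy text is constructed, and check_codebase and lint_policy are names made up for this example.

```python
import re

# Matches the location in lines such as: grant codeBase "file:/C:/x/derby.jar" {
# Quotes are optional because the thread shows the lines without them.
CODEBASE_RE = re.compile(r'\bcodeBase\s+"?([^"\s]+)"?', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def check_codebase(url):
    """Return the problems found in one codeBase value (empty list if none)."""
    problems = []
    rest = url[len("file:"):] if url.lower().startswith("file:") else url
    if "\\" in rest:
        problems.append("backslashes; use forward slashes")
    if "${" in rest:
        problems.append("property reference; replace it or define it with -D")
    leading = len(rest) - len(rest.lstrip("/"))
    if leading == 2:
        # file://AUTHORITY/path: text up to the next slash is the host part.
        authority = rest[2:].split("/", 1)[0]
        if DRIVE_RE.match(authority):
            problems.append(f"'{authority}' is parsed as a host; "
                            f"use file:///{rest[2:]}")
    return problems


def lint_policy(text):
    """Return (line_number, value, problems) for each flagged codeBase line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = CODEBASE_RE.search(line)
        if match and (problems := check_codebase(match.group(1))):
            findings.append((number, match.group(1), problems))
    return findings


# Constructed sample (not the real 1010_server.policy), using the thread's path.
SAMPLE_POLICY = """\
grant codeBase "file:///C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar" {
grant codeBase "file://C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar" {
grant codeBase "file:/C:\\Java\\db-derby-10.10.1.1-bin\\lib\\derby.jar" {
grant codeBase "${derby.install.url}derby.jar" {
"""

if __name__ == "__main__":
    for number, value, problems in lint_policy(SAMPLE_POLICY):
        print(f"line {number}: {value}: {'; '.join(problems)}")
```

Running it over a policy file before starting the server catches a codeBase that would not match the jar's real location, which is the situation that ends in the AccessControlException quoted above.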





Re: Configuring a Server Policy for Derby on Windows

2014-01-30 Thread dag wanvik

The slashes in a file URL are explained in this Wikipedia entry:

http://en.wikipedia.org/wiki/File_URI_scheme#Meaning_of_slash_character

file://host/path

Things to notice:

* If host is omitted, it is taken to be localhost, the machine from
which the URL is being interpreted. Note that when omitting host you do
not omit the slash (file:///foo.txt is okay, while file://foo.txt is
not, although some interpreters manage to handle the latter).


* The double slash // should always appear in a file URL according to
the specification, but in practice many Web browsers
(http://en.wikipedia.org/wiki/Web_browser) allow you to omit it.


* the URI as understood by the Windows Shell API is e.g. 
file:///c:/WINDOWS/clock.avi


So, three slashes is OK: it means the host is omitted (default).
Zero and one slash would indicate that the //host part is omitted, cf 
the lenience allowed mentioned above.


Just a double slash followed by the file path (e.g. //C:/), would be 
wrong, since C: is not a host name.


So, our docs are wrong here.

Thanks,
Dag



On 30.01.2014 16:00, Myrna van Lunteren wrote:

Hi John,

Thanks for the write-up!

I'm sorry you had to struggle through the url file: syntax  - I did 
too, and updated DERBY-6438 with my findings.


We should probably fix the documentation.

Myrna



On Thu, Jan 30, 2014 at 6:27 AM, John I. Moore, Jr. softmo...@att.net wrote:


I am sending this email to the Derby user list with the hope that
I can save someone time and frustration when trying to run the
Derby network server on Windows with the latest version of Java
(currently 1.7.0_51).  With the latest version of Java, it is no
longer possible to use the batch file startNetworkServer.bat to
start the network server.  If you run derby under Linux or some
variation of Unix, or if you are already familiar with how to use
a server policy file with Derby, you can probably ignore this
message.  (Note to Derby developers:  You might want to add some
of the descriptions below to the appropriate pages in the Derby
documentation, especially
https://db.apache.org/derby/docs/10.4/adminguide/tadminnetservcustom.html.)

To run the Derby network server on Windows, you will need to
download a copy of the server policy file 1010_server.policy from
https://issues.apache.org/jira/browse/DERBY-6438 and edit it for
your use or define appropriate system properties when starting the
Derby network server.  I will give an example for editing the file.

When editing the file, replace ${derby.install.url} with the
full path name for the Derby jar files in the four sections that
start with *grant codebase*. The syntax is a little tricky.  For
example, assume that derby has been installed in
C:\Java\db-derby-10.10.1.1-bin. You use a file: specification,
but you need to use forward slashes, not back slashes.  Also, the
file specification can contain zero, one, or three forward
slashes, but not two.  Thus, any of the following will work

grant codeBase file:C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

grant codeBase file:/C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

grant codeBase file:///C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

but not

grant codeBase file://C:/Java/db-derby-10.10.1.1-bin/lib/derby.jar

This is an important point since the sample files in the Derby
Developer's Guide seem to imply that two slashes are acceptable --
see
http://db.apache.org/derby/docs/10.10/devguide/cdevcsecure871387.html.
If you use two slashes in your file specification, you will get an
error message similar to the following:

Thu Jan 30 09:09:33 EST 2014 : access denied
(java.util.PropertyPermission derby.__serverStartedFromCmdLine
write)

java.security.AccessControlException: access denied
(java.util.PropertyPermission derby.__serverStartedFromCmdLine
write)

at java.security.AccessControlContext.checkPermission(Unknown Source)

at java.security.AccessController.checkPermission(Unknown Source)

at java.lang.SecurityManager.checkPermission(Unknown Source)

at java.lang.System.setProperty(Unknown Source)

at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)

at org.apache.derby.drda.NetworkServerControl$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

at org.apache.derby.iapi.tools.run.main(Unknown Source)

You also need to replace ${derby.security.port} with the
appropriate port number (e.g., 1527). Alternatively, you can
define ${derby.security.port} in your call to start the Derby
network server, as in -Dderby.security.port=1527. Other policy
file parameters can be handled similarly, but these are the most
important ones, and these changes are the minimum