Problem with SecurityManager

Post by Patrik » Mon Dec 14, 2020 1:21 pm

Hi,

I need to call another webservice from my custom framework which is currently not working. After changing the log level I found this error:

Code:

60477 DEBUG [ http-nio-8080-exec-1 ] ro.sync.security.manager.SandboxSecurityManager - Security permission exception: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
java.security.AccessControlException: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
	at java.security.AccessControlContext.checkPermission(Unknown Source) ~[?:1.8.0_202]
	at java.security.AccessController.checkPermission(Unknown Source) ~[?:1.8.0_202]
	at java.lang.SecurityManager.checkPermission(Unknown Source) ~[?:1.8.0_202]
	at ro.sync.security.manager.SandboxSecurityManager.checkPermissionInternal(SandboxSecurityManager.java:304) ~[oxygen-sandbox.jar:?]
	at ro.sync.security.manager.SandboxSecurityManager.checkPermission(SandboxSecurityManager.java:255) ~[oxygen-sandbox.jar:?]
	at sun.misc.URLClassPath.check(Unknown Source) ~[?:1.8.0_202]
	at sun.misc.URLClassPath$JarLoader.checkResource(Unknown Source) ~[?:1.8.0_202]
	at sun.misc.URLClassPath$JarLoader.getResource(Unknown Source) ~[?:1.8.0_202]
	at sun.misc.URLClassPath.getResource(Unknown Source) ~[?:1.8.0_202]
	at sun.misc.URLClassPath.getResource(Unknown Source) ~[?:1.8.0_202]
	at java.lang.ClassLoader.getBootstrapResource(Unknown Source) ~[?:1.8.0_202]
	at java.lang.ClassLoader.getResource(Unknown Source) ~[?:1.8.0_202]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1271) ~[catalina.jar:9.0.31]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188) ~[catalina.jar:9.0.31]
	at java.lang.ClassLoader.defineClass1(Native Method) ~[?:1.8.0_202]
	at java.lang.ClassLoader.defineClass(Unknown Source) ~[?:1.8.0_202]
	at java.security.SecureClassLoader.defineClass(Unknown Source) ~[?:1.8.0_202]
	at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2419) ~[catalina.jar:9.0.31]
	at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:865) ~[catalina.jar:9.0.31]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1334) ~[catalina.jar:9.0.31]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188) ~[catalina.jar:9.0.31]
	at java.lang.Class.getDeclaredMethods0(Native Method) ~[?:1.8.0_202]
	at java.lang.Class.privateGetDeclaredMethods(Unknown Source) ~[?:1.8.0_202]
	at java.lang.Class.privateGetMethodRecursive(Unknown Source) ~[?:1.8.0_202]
	at java.lang.Class.getMethod0(Unknown Source) ~[?:1.8.0_202]
	at java.lang.Class.getMethod(Unknown Source) ~[?:1.8.0_202]
	at javax.xml.bind.ContextFinder.newInstance(Unknown Source) ~[?:1.8.0_202]
	at javax.xml.bind.ContextFinder.newInstance(Unknown Source) ~[?:1.8.0_202]
	at javax.xml.bind.ContextFinder.find(Unknown Source) ~[?:1.8.0_202]
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source) ~[?:1.8.0_202]
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source) ~[?:1.8.0_202]
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader$3.run(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader$3.run(Unknown Source) ~[?:1.8.0_202]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.createJAXBContext(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.loadMetroConfig(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.init(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.<init>(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.TubelineAssemblyController.getTubeCreators(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.assembler.MetroTubelineAssembler.createClient(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.Stub.createPipeline(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.sei.SEIStub.<init>(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getStubHandler(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source) ~[?:1.8.0_202]
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source) ~[?:1.8.0_202]
	at javax.xml.ws.Service.getPort(Unknown Source) ~[?:1.8.0_202]
	at de.tgic.gdv.itc.nutzerverwaltung._2_0.wsdl.NutzerVerwaltung_Service.getNutzerVerwaltungSOAP(NutzerVerwaltung_Service.java:68) ~[Ists-UserAgent-2.0-small.jar:?]
	at de.gdv.ists.UserAgentSample.istsNutzerverwaltung.IstsNutzerverwaltungProvider.instantiateIstsServicePorts(IstsNutzerverwaltungProvider.java:131) ~[Ists-UserAgent-2.0-small.jar:?]
	[...]

So far I failed to avoid this error.

According to https://www.oxygenxml.com/doc/versions/ ... nager.html I should be able to remove "-Djava.security.manager" (for Windows) but it is not there.

I also tried to modify the policy-files:
  • oXygen XML Web Author\jre\lib\security\java.policy
  • oXygen XML Web Author\jre\lib\security\javaws.policy
  • oXygen XML Web Author\tomcat\conf\catalina.policy
It had no effect even when I changed the content to

Code:

grant {
  permission java.security.AllPermission;
};

What do I have to do to grant permission to the Java standard class to load its configuration?

Thanks and regards,
Patrik


Post by cristi_talau » Mon Dec 14, 2020 3:28 pm

Hello,

We tested the Windows installer and the security manager system property is present by default in the service configuration dialog. The SecurityManager is configured in a file called tomcat/conf/catalina.policy.

As you can see in this file, the code from the framework has all the security permissions. However, the Java SecurityManager checks all the code that is on the stack to have the required permissions. If you invoke other libraries, they should also have these permissions.

One approach that might help is to use AccessController.doPrivileged() to execute the code with the permissions of the framework's code (i.e. all permissions).

To find exactly what piece of code lacks the required permission, you can turn on the -Djava.security.debug=access,failure flag and look in the standard error of Web Author. When using the Windows Installer this log is found in tomcat/logs/oxygen xml web author-stderr.<date>.log.

Best,
Cristian


Post by Patrik » Tue Dec 15, 2020 2:40 pm

Hi again,

I don't know why the option wasn't initially present for me - but it actually doesn't matter.

For testing I activated the security manager so my java options look like this:

Code:

-Dcatalina.home=C:\Program Files\oXygen XML Web Author\tomcat
-Dcatalina.base=C:\Program Files\oXygen XML Web Author\tomcat
-Djava.endorsed.dirs=C:\Program Files\oXygen XML Web Author\tomcat\endorsed
-Djava.io.tmpdir=C:\Program Files\oXygen XML Web Author\tomcat\temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=C:\Program Files\oXygen XML Web Author\tomcat\conf\logging.properties
-Dcom.oxygenxml.webapp.product=true
-Djava.security.policy==C:\Program Files\oXygen XML Web Author\tomcat\conf\catalina.policy
-Doxygen.data.dir=C:\Program Files\oXygen XML Web Author\tomcat\work\Catalina\localhost\oxygen-xml-web-author
-Doxygen.ssl.trusted.keystore=C:\Program Files\oXygen XML Web Author\tomcat\conf\web-author.keystore
-Djava.security.debug=access,failure
-Djava.security.manager
-Xms256m
-Xmx3072m

And I added this to the end of catalina.policy (removing all other entries also didn't change anything):

Code:

grant {
    permission java.security.AllPermission;
};

Still I got denied permissions:

Code:

access: access denied ("java.io.FilePermission" "C:\Program Files\oXygen XML Web Author\tomcat\webapps\oxygen-xml-web-author\WEB-INF\classes\com\sun\xml\internal\ws\runtime\config\jaxb.properties" "read")
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Unknown Source)
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkRead(Unknown Source)
	at ro.sync.security.manager.SandboxSecurityManager.checkRead(SandboxSecurityManager.java:130)
	at java.io.File.exists(Unknown Source)
	at java.io.WinNTFileSystem.canonicalize(Unknown Source)
	at java.io.File.getCanonicalPath(Unknown Source)
	at org.apache.catalina.webresources.AbstractFileResourceSet.file(AbstractFileResourceSet.java:90)
	at org.apache.catalina.webresources.DirResourceSet.getResource(DirResourceSet.java:101)
	at org.apache.catalina.webresources.StandardRoot.getResourceInternal(StandardRoot.java:282)
	at org.apache.catalina.webresources.CachedResource.validateResource(CachedResource.java:105)
	at org.apache.catalina.webresources.Cache.getResource(Cache.java:87)
	at org.apache.catalina.webresources.StandardRoot.getResource(StandardRoot.java:217)
	at org.apache.catalina.webresources.StandardRoot.getClassLoaderResource(StandardRoot.java:226)
	at org.apache.catalina.loader.WebappClassLoaderBase.findResource(WebappClassLoaderBase.java:938)
	at org.apache.catalina.loader.WebappClassLoaderBase.getResource(WebappClassLoaderBase.java:1057)
	at javax.xml.bind.ContextFinder.loadJAXBProperties(Unknown Source)
	at javax.xml.bind.ContextFinder.find(Unknown Source)
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source)
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source)
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader$3.run(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.createJAXBContext(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.loadMetroConfig(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.init(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.<init>(Unknown Source)
	at com.sun.xml.internal.ws.assembler.TubelineAssemblyController.getTubeCreators(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroTubelineAssembler.createClient(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.createPipeline(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.sei.SEIStub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getStubHandler(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source)
	at javax.xml.ws.Service.getPort(Unknown Source)
	at org.javacream.StoreService$1.run(StoreService.java:80)
	at org.javacream.StoreService$1.run(StoreService.java:78)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.javacream.StoreService.getStoreWebServicePort(StoreService.java:77)
	at com.gdvdl.TgicServiceCatalog.operations.SoapTest.doOperation(SoapTest.java:40)
	[...]
access: domain that failed ProtectionDomain  null
 null
 <no principals>
 java.security.Permissions@49821a41 (
 ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.xml.internal.ws.runtime.config")
 ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
)

I also already added the AccessController.doPrivileged() - without any effect.

When I deactivated security I get my previous behavior:

Code:

access: access denied ("java.security.AllPermission" "<all permissions>" "<all actions>")
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Unknown Source)
	at java.security.AccessControlContext.checkPermission(Unknown Source)
	at java.security.AccessController.checkPermission(Unknown Source)
	at java.lang.SecurityManager.checkPermission(Unknown Source)
	at ro.sync.security.manager.SandboxSecurityManager.checkPermissionInternal(SandboxSecurityManager.java:304)
	at ro.sync.security.manager.SandboxSecurityManager.checkPermission(SandboxSecurityManager.java:255)
	at sun.misc.URLClassPath.check(Unknown Source)
	at sun.misc.URLClassPath$JarLoader.checkResource(Unknown Source)
	at sun.misc.URLClassPath$JarLoader.getResource(Unknown Source)
	at sun.misc.URLClassPath.getResource(Unknown Source)
	at sun.misc.URLClassPath.getResource(Unknown Source)
	at java.lang.ClassLoader.getBootstrapResource(Unknown Source)
	at java.lang.ClassLoader.getResource(Unknown Source)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1271)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188)
	at java.lang.ClassLoader.defineClass1(Native Method)
	at java.lang.ClassLoader.defineClass(Unknown Source)
	at java.security.SecureClassLoader.defineClass(Unknown Source)
	at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2419)
	at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:865)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1334)
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1188)
	at java.lang.Class.getDeclaredMethods0(Native Method)
	at java.lang.Class.privateGetDeclaredMethods(Unknown Source)
	at java.lang.Class.privateGetMethodRecursive(Unknown Source)
	at java.lang.Class.getMethod0(Unknown Source)
	at java.lang.Class.getMethod(Unknown Source)
	at javax.xml.bind.ContextFinder.newInstance(Unknown Source)
	at javax.xml.bind.ContextFinder.newInstance(Unknown Source)
	at javax.xml.bind.ContextFinder.find(Unknown Source)
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source)
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source)
	at javax.xml.bind.JAXBContext.newInstance(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader$3.run(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader$3.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.createJAXBContext(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.loadMetroConfig(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.init(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroConfigLoader.<init>(Unknown Source)
	at com.sun.xml.internal.ws.assembler.TubelineAssemblyController.getTubeCreators(Unknown Source)
	at com.sun.xml.internal.ws.assembler.MetroTubelineAssembler.createClient(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.createPipeline(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.Stub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.sei.SEIStub.<init>(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getStubHandler(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.createEndpointIFBaseProxy(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source)
	at com.sun.xml.internal.ws.client.WSServiceDelegate.getPort(Unknown Source)
	at javax.xml.ws.Service.getPort(Unknown Source)
	at org.javacream.StoreService$1.run(StoreService.java:80)
	at org.javacream.StoreService$1.run(StoreService.java:78)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.javacream.StoreService.getStoreWebServicePort(StoreService.java:77)
	at com.gdvdl.TgicServiceCatalog.operations.SoapTest$1.run(SoapTest.java:45)
	at com.gdvdl.TgicServiceCatalog.operations.SoapTest$1.run(SoapTest.java:41)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.gdvdl.TgicServiceCatalog.operations.SoapTest.doOperation(SoapTest.java:40)
	[...]
access: domain that failed ProtectionDomain  null
 null
 <no principals>
 java.security.Permissions@eafd1b (
 ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.xml.internal.ws.runtime.config")
 ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
)

Is there any other place where I can grant additional permissions or remove some security?

Thanks and regards,
Patrik


Post by cristi_talau » Tue Dec 15, 2020 6:37 pm

Hello,

If you could share a framework that we can use to reproduce the problem, we should be able to troubleshoot it more efficiently. To disable even more security features you can set the "com.oxygenxml.disable.security" to "true".

Best,
Cristian


Post by Patrik » Wed Dec 16, 2020 2:47 pm

Great, thanks for the offer. I created a minimal test framework and sent it to support@oxygenxml.com.

Regards,
Patrik


Post by cristi_talau » Thu Dec 17, 2020 1:16 pm

Hello,

Thanks for the framework. I was able to reproduce the problem. One part of the error logs is interesting (you also found it in a previous post):

Code:

access: domain that failed ProtectionDomain  null
 null
 <no principals>
 java.security.Permissions@2c0231eb (
 ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.xml.internal.ws.runtime.config")
 ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
)

It does not provide a source location for the context that does not have the proper permissions. I found a StackOverflow post with a similar problem [1]. They discovered that the access control context is created programmatically by MetroConfigLoader with hard-coded permissions [2]. This is why the permissions you granted in the catalina.policy file were not taken into account.

Their solution seemed to be to use a custom version of jaxws-rt and not rely on the library found in JRE. I am not very familiar with how JAXB works internally, but I expect some classloader challenges with this approach. What I know is that the hierarchy of classloaders is the following:

Code:

JVM classloader -> Tomcat classloader -> Web Author classloader -> Framework classloader

Best,
Cristian

[1] https://stackoverflow.com/questions/442 ... loaderbase
[2] https://github.com/JetBrains/jdk8u_jaxw ... .java#L269
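
The behaviour discussed in this thread (stack-wide permission checks, doPrivileged(), and a programmatically created context with hard-coded permissions), reproduced as an added example that is not part of the original posts and is not oXygen or JDK code. It installs a policy that grants everything, then runs the same file check under a plain doPrivileged (allowed), under a context holding only the two permissions from the "domain that failed" log (denied), and again with an extra outer doPrivileged (still denied). The class and method names (HardCodedContextDemo, AllowAllPolicy, restrictedContext, probe) and the relative path are hypothetical, and it assumes a Java 8 runtime like the one in the traces, where System.setSecurityManager is still supported.

```java
import java.io.File;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class HardCodedContextDemo {

    /** Same effect as "grant { permission java.security.AllPermission; };" in a policy file. */
    static final class AllowAllPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return true;
        }
    }

    /** A context like the "domain that failed" in the logs: null code source, two static permissions. */
    static AccessControlContext restrictedContext() {
        Permissions perms = new Permissions();
        perms.add(new RuntimePermission("accessClassInPackage.com.sun.xml.internal.ws.runtime.config"));
        perms.add(new ReflectPermission("suppressAccessChecks"));
        // The two-argument constructor makes the permissions static: the Policy is never consulted.
        ProtectionDomain domain = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] {domain});
    }

    /** Runs a file-existence check, optionally under the supplied context, and reports the outcome. */
    static String probe(AccessControlContext acc) {
        PrivilegedAction<Boolean> check = () -> new File("jaxb.properties").exists(); // constructed path
        try {
            if (acc == null) {
                AccessController.doPrivileged(check);
            } else {
                AccessController.doPrivileged(check, acc);
            }
            return "allowed";
        } catch (AccessControlException e) {
            return "denied " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new AllowAllPolicy());
        System.setSecurityManager(new SecurityManager());

        System.out.println("policy only:        " + probe(null));
        System.out.println("hard-coded context: " + probe(restrictedContext()));
        // Wrapping the call in an outer doPrivileged does not help: the inner
        // doPrivileged(action, acc) still intersects with the restricted context.
        PrivilegedAction<String> wrapped = () -> probe(restrictedContext());
        System.out.println("outer doPrivileged: " + AccessController.doPrivileged(wrapped));
    }
}
```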
