Security Manager refused file access

Similar Messages

• Using the Security Manager to restrict access to a single package

  After reading up on the Security Manager, the package.access property and the use of the [accessClassInPackage RuntimePermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] , it seemed to me that it would possible to set up the following: I have a security-sensitive code base packaged in a jar, and I want to make sure that only one client code base that I specify is permitted to access it. The idea here is to prevent malicious code from executing anything in the sensitive code base; the sensitive code is only accessible to one client that I name in a security policy file. Perhaps rather foolishly, I advised a client to consider this before testing out a sample myself, because much to my surprise, it appears to me that it isn't possible to get the Security Manager to do this at all. Am I missing something? I'm a bit startled by this conclusion -- it seems like such an obvious use for the Security Manager, I'm hard-pressed to be believe that it can't be done, and more inclined to suspect that I'm going about it wrong.
  Here's what I thought I could do: set up the package.access property so that it denies access to any package; then in the policy file, grant the RuntimePermission/accessClassInPackage to the client code base that is permitted to access the sensitive code.
  Of course, you wouldn't want the package.access property to exclude all packages in the global java.security file, because then no code could be accessed at all. It would be necessary to use the trick of resetting the package.access property within the code, as [illustrated in the secure coding guidelines|http://java.sun.com/security/seccodeguide.html#1-1a] .
  But the problem lies in the idea of "use the package.access property to deny access to +any+ package". There doesn't seem to be any way to use wildcards or the like with the property -- it has to specifically name packages (or package prefixes) to which access is forbidden. It wouldn't do to try to name the packages to which I'm trying to prevent access, since we're trying to prevent access from malicious code -- the attacker could just choose package names that aren't on the list. I'd really need to say that access is denied to all packages, except for those in the permitted code base, but the security mechanisms for package access don't seem to allow that.
  Moreover, the trick of changing the value of package.access can't be done within the client code -- otherwise, the attacker client would just set the property to his own purposes. But it can't really be done within the sensitive package either, because the whole idea is to prevent access to that package, and by the time it's busy setting the property, it's already too late, because the package has to have been accessed by a client to get there at all.
  It seems to me that this a symptom of something I've never really understood about the design of the Security Manager -- you can grant permissions to specific code bases, but you can't revoke permissions from specific code bases, let alone all code bases. What I want to do here is grant access permission to one specific code base and revoke it from all others. There doesn't seem to be any way to express that with the mechanisms of the Security Manager.
  The more I look at it, the more it seems that there's just no way to use the Security Manager this way -- set up package access so that a specific code base can only be accessed by one specific client code base. There are surely other ways to get the effect that I'm looking for, but as far as I can tell, none of them involve restricting package access (for example: define a custom permission, grant it only to the permitted client. and check against that permission within the sensitive code base; meaning that the sensitive code has to be accessible to anyone in the first place). This conclusion really surprises me (not to mention my bit of embarrassment with the client); wouldn't this be precisely the sort of thing the Security Manager ought to be good for?

  You're looking at this back to front. The security policy file is there for the client to decide how much access he is going to give this application, not for to application to restrict who can use it. If you want to control what used to be called 'state orientation' you can do that directly by looking down the stack trace inside your code.

• My 'secure 'connection 'refused' when access iTunes after 8.0.2.20 upgrade

  My 'secure' network connection was 'refused' when access iTunes. I can view & navigate the iTunes store AND I can update my Podcasts successfully...BUT I can't sign in/download /purchase, et al.
  Triage so far...not neccessarily in this order...
  1) Not using Norton or Macafee - using Verizon Security suite
  Checked firewall - itunes is listed a 'safe'
  2) Ran ITunes Dx program - followed the suggestion to check SSL & TLS - checked correctly (log pasted below)
  3) Uninstalled iTunes and then reinstalled - no change
  4) Cleaned out IE files cookies - no change
  5) Renamed the etc/HOST file name - no change
  6) the Apple Help person said that he has no idea and have done what he would have already suggested...
  Below is pasted the results from the iTunes triage...
  Microsoft Windows XP Professional Service Pack 2 (Build 2600)
  Dell Computer Corporation Dimension 4550
  iTunes 8.0.2.20
  QuickTime 7.5.5
  FairPlay 1.1.11
  CD Driver 2.0.7.5
  CD Driver DLL 2.1.1.1
  Apple Mobile Device 2.1.2.7
  Bonjour 1.0.5.11 (118.5)
  iTunes Serial Number FA60CA709F4AAB80
  Current user is an administrator.
  The current local date and time is 2008-12-04 15:04:28.
  iTunes is not running in safe mode.
  Video Display Information
  NVIDIA GeForce4 MX 420
  ** External Plug-ins Information **
  No external plug-ins installed.
  ** Network Connectivity Tests **
  Network Adapter Information
  Adapter Name: {B8B89F3F-B5E7-4802-AEF4-CE01824912C0}
  Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
  IP Address: 192.168.1.45
  Subnet Mask: 255.255.255.0
  Default Gateway: 192.168.1.1
  DHCP Enabled: Yes
  DHCP Server: 192.168.1.1
  Lease Obtained: Thu Dec 04 14:22:10 2008
  Lease Expires: Fri Dec 05 14:22:10 2008
  DNS Servers: 192.168.1.1
  192.168.1.1
  Active Connection: LAN Connection
  Connected: Yes
  Online: Yes
  Using Modem: No
  Using LAN: Yes
  Using Proxy: No
  SSL 3.0 Support: Enabled
  TLS 1.0 Support: Enabled
  Firewall Information
  Windows Firewall is off.
  Connection attempt to Apple web site was successful.
  Connection attempt to iTunes Store was successful.
  Secure connection attempt to iTunes Store was unsuccessful.
  The network connection was refused.
  Secure connection attempt to iPhone activation server unsuccessful.
  The network connection was refused.
  Last successful store access was 2008-12-04 14:53:22.

  Although a didn't currently have Norton and had thought I had uninstalled it (no longer in my program menu & no residual icons et al...there is the 'Semantic' TOOL that must be used to REALLY remove Norton security remnants that are buried deep in the c-drive program files. This I didn't know about...
  So I downloaded the tool from the Norton web page and ran it per their instructions. After rebooting, my 8.0.2.20 iTunes secure connect was fine.
  I spent 9+ days trying to get iTunes to work. Norton is the devil company and I will never use that security program again - especially with all the other Norton-specific issues iTunes is having release after release...

• How to start Enterprise Security Manager in 11g

  Hi All,
  How to start Enterprise Security Manger in 11g ? Should Grid Control be installed seperately ? There is no menu or utility that represent Enterprise Security Manager in 11g ? In 10g there is a menu item called "Enterprise Security Manager" , how to access it in 11g ?
  Regards,
  Senthil.

  my doubt is ,, just simply giving the above command the listener create and start or do i need to modify any other parameters which i have to copy from old listener file.The former. Unless you need/want to use non-standard parameters, you don't need anything else. Just start it.

• Role based reflection security manager?

  Hi,
  I am trying to find out whether there is a possibility to implement a role based Security Manager to control access to reflection operations (such as checkMemberAccess() for example).
  I need to implement an application where using reflection is totally forbidden, except for some very specific parts of the code. Is this possible? If yes, how should I proceed? Is there a concept of identity around the security manager? Should I use ReflectPermission? If yes how?
  I have been doing some reading, but it is still not clear to me. I am looking for a general implementation procedure.
  Thanks.

  Jrm wrote:
  Ok, fair enough regarding storing data on end user PC.
  But I see a contradiction here (or I mis-read you). I understand that SecurityManagers are used for applets to restrict some of their actions. What if people are able to bypass SecurityManagers? What is the point of having them? If a .jar application is started with a SecurityManager, can an end user strip it and replace it with its own security manager (from its own code for example)?First of all, the SecurityManager is provided by the local computer, not the applet. But, the most important point is that the SecurityManager used when running third-party applet code is not trying to protect the third-party code, it is trying to protect the local computer from unknown third-party code. the user is perfectly able to disable the SecurityManager and/or give the third-party code whatever permissions it desires if they decide to trust the code. you are trying to protect your code (+which is the third-party code with respect to the user+) from the user. that is the opposite situation, and does not work.
  I would be happy if I could deliver a .jar application with my customized and 'unremovable' SecurityManager. Is that possible or can one always fiddle the .jar to remove it?
  Because if people can always remove it, it is a permanent open door for man-in-the-middle attacks when code is delivered to end-users, correct? Is there any way to protect .jar from tampering?As i said in my previous post, there is no way to stop this. as a software developer, i'm sure you are aware that you can find "cracked" versions of any commercial software that you are interested in (if you know where to look). what makes you think that your java program is any more "secure" than those other programs?

• Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

  Hello everyone
  I am implementing a failover solution of NAC in OOB VG version 4.8, I have 2 CAS and 2 CAM.
  The Error I am getting is when I connect to both IP address and the FQDN of the CAS.
  ===========
  Network Error:
  Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
  This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
  Please report this to your network administrator.
  ==========
  For the CAM's I use this names camsrv1 and camsrv2. then generate a CSR in the camsrv1 with the name camsrv3.mycompany.com corresponding  to virtual ip and it exported to camsrv2, Install the CA certificate of the company and everything works perfect.
  This is the failover configuration
  CAM:
  Primary:     10.1.206.248 camsrv1.mycompany.com
  Secondary: 10.1.206.249 camsrv2.mycompany.com
  Virtual:       10.1.206.250 camsrv3.mycompany.com
  Then I do exactly the same steps for the CAS's and this is the failover configuration:
  Primary:     10.1.216.248 cassrv1.mycompany.com
  Secondary: 10.1.216.249 cassrv2.mycompany.com
  Virtual:       10.1.216.250 cassrv3.mycompany.com
  Then I add the certificate of CAM in the CAS on the tab "Trusted Certificate Authorities"  and vice versa.
  The communication between all the CAM´s and CAS´s is correct (Primary, Secondary and Virtual). I can ping the IP and the FQDN and I can also manage the CAS through the CAM.
  I verify that the time was right in the CAM and the CAS and all good up there.
  Appreciate your help
  Eduardo Navas

  Eduardo,
  Bump up the CAS/CAS communications logging on both the CAS and CAMs, and then look in the log files for clues.
  On CAM they live in /perfigo/control/tomcat/logs and on CAS in /perfigo/access/tomcat/logs
  HTH,
  Faisal
  If you find this post helpful, please rate so others can find the answer easily

• My DVR security sofware that I access remotely uses a "dvr .ocx" file....when I try it in Firefox , either the latest non beta (3.6.1.5) or the new beta version (4.0 rc) it will NOT work as it says the plugin is missing... it works in IE 8,but not IE9...

  My machine is Top of the range (my Company builds them so it had better be :) )
  Amd 1100t , 8gb ram , Windows 7 64 bit etc, etc...
  The is not a hardware problem , but a software problem with FF...Any help would be appreciated as I hate using IE 8 for anything at all :( but I have to keep it on my machines just to run my remote security cameras at my Computer shop ???
  Original question...as question length is limited ...not very bright that limit by the way :(
  "My DVR security sofware that I access remotely uses a "dvr .ocx" file....when I try it in Firefox , either the latest non beta (3.6.1.5) or the new beta version (4.0 rc) it will NOT work as it says the plugin is missing... it works in IE 8 (unfortunately) but not IE9...
  As I own a Computer company I am fairly computer literate but cannot find a plugin that allows this to work in Firefox.... but I would have expected it to work in the new Firefox :(
  All the best, Brett :)

  The longer this thread continues, the more ancillary comments you throw in that aren't directly pertinent to your problem with your DVR software not working with Firefox 4.0. Sorry, I don't intend to continue with this discussion.
  I do agree that ''something'' needs to be done better with regards to plugins for Firefox, but I do disagree with you as to whose responsibility that ''something'' is.

• Saving Password for a pdf file in HP Client Security Manager

  Hello,
  I want to save the password for a pdf file in the Password Manager of the HP Client Security Manager Software but the symbol for the entry of the password is not appearing on the top right of the screen. If I use the registered fingerprint a dialog opens where the Client Security Manager asks which account it should use to login. But i can't add a password for the file. The login for websites is perfectly fine. 
  Do you have any idea how to fix that?
  Is there a way to manually enter password for files?
  Thanks in advance.

  Thanks for the information.
  Suggest you to try uninstall and re-install the latest version which is - 8.3.3.1762. The direct link is:
  http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetails/?sp4ts.oid=5405363&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalState%3Didx%253D%257CswItem%253Dob_129972_1%257CswEnvOID%253D4060%257CitemLocale%253D%257CswLang%253D%257Cmode%253D%257Caction%253DdriverDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
  If this does not fix, then suggest you to log a call with technical support.
  Please do post any progress on this.

• Security Manager/Access problem

  (WWC-00000)
  An unexpected error has occurred in portlet instances: wwpob_api_portlet_inst.create_inst (WWC-44846)
  The following error occurred during the call to Web provider: java.lang.NullPointerException
  at oracle.portal.provider.v2.security.URLSecurityManager.hasAccess(Unknown Source)
  at oracle.portal.provider.v2.DefaultPortletDefinition.hasAccess(Unknown Source)
  at oracle.portal.provider.v2.ProviderInstance.getPortletDefinition(Unknown Source)
  at oracle.portal.provider.v2.ProviderInstance.getPortletInstance(Unknown Source)
  at oracle.portal.provider.v2.ProviderInstance.getPortletInstance(Unknown Source)
  at oracle.webdb.provider.v2.adapter.soapV1.ProviderAdapter.registerPortlet(Unknown Source)
  at java.lang.reflect.Method.invoke(Native Method)
  at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.doMethodCall(Unknown Source)
  at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.processInternal(Unknown Source)
  at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.process(Unknown Source)
  at oracle.webdb.provider.v2.adapter.SOAPServlet.doSOAPCall(Unknown Source)
  at oracle.webdb.provider.v2.adapter.SOAPServlet.service(Unknown Source)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
  at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
  at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
  at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
  at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
  at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
  at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
  at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
  (WWC-43147)
  Removing the provider.xml security manager setting will do away with this problem.
  Versions being used: Portal 9.0.2 and PDK september.

  I have checked with PDK September samples related to Security Manager/Access and they are working fine. Please lets know for which PDK sample gives this error.

• Security Manager and Policy Files

  Hi all,
  I am writing a simple java rmi application, but understand it wont run without a Security Manager installed and a policy file.
  I think I have installed the security manger using the following in the main() method of my client application:
  System.setSecurityManager(new RMISecurityManager());However I am unsure how to use a policy file with this. I have looked on the internet, but it does not seem to be very well documented
  Please could you advise me how to create a policy file that will work for my application and where to place it in my application so that my application can use it.
  Any help would be greatfuly appreciated
  Thanx
  Aaron

  An RMI application doesn't need a security manager unless you are using the codebase feature.

• Security manager - applet - write/read files

  Hi.
  I've been trying to built a SecurityManager to allow my java applet to construct a file (*.txt or *.doc) on the server (webhosting provider) it came from. Unfortunately when I use the setSecurityManager method to set my Security Manager as the default Security Manager for that specific applet, the applet throws a SecurityException. It wouldn't allow me to change the Security Manager.
  I want to change the default Security Manager so that my applet can have permission to read and write to the specified file (*.txt or *.doc). I don't want to save any kind of files on the host computer even if I can do that, I only require to save my file (*.txt or *.doc) to the computer from were the applet's classes came from.
  Thank you!

  If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's ok to replace the existing security manager. This may result in throwing a SecurityException. Thus I think that you need to grant the setSecurityManager permission to your current SecurityManager to be able to replace it.

• Access to IPortalComponentRequest in custom security manager

  Hi All,
  I am implementing a custom security manager. For my requirements, I need IPortalComponentRequest object in the security manager class. Can anyone give me a clue to get the request object in security manager implementation.
  Regards,
  Yoga

  Hi Romano,
  I tried this. Its returning mysapsso2 cookie and authentication_schema cookie. But not retuning any custom cookies added to the response from any other application.
  What I have tried to achieve is:
  1. When a user login and authentication suceeds, I will add a custom cookie to the response.
  2. Get the custom cookie added in the security manager class and do manipulations to check whether the user is authenticated.
  Using the method you have suggested, I was not able to get any custom cookies added in other applications.
  I tried the code using resource context(resource context obtained form IUser) as suggested in other threads,
  HttpServletRequest request = (HttpServletRequest) resourceContext.getObjectValue("http://sapportals.com/xmlns/cm/httpservletrequest");
  But this API returns null.
  Any way to achieve?
  Regards
  Yoga

• Seeking a document management and file sharing solution for an online client portal

  Hi
  Late last year our developers created a Member’s Portal for a client’s website (built with WordPress) enabling Members to have a secure area for a discussion forum and crucially, secure
  document storage and access, and file-sharing. The WordPress plugin chosen for the Portal was WP-Client.
  We have a problem though and I wonder if you or anyone can help?
  Basically, the solution was supposed to be like Dropbox or Google Drive but within the Portal but with slight differences. The problem is that the current solution we have isn’t like either
  and has various flaws which make it unpopular with most members. It uses free software called kcfinder – see
  http://kcfinder.sunhater.com/ as the basis for the file management systems.
  So we are seeking to change the file management system. This system must do the following:
  It’s got to be intuitive e.g. the action open or download must be ‘typical’ (it is not so in kcfinder you have to right click to download for instance
  You must be able open an Office document (especially Word, Excel and Powerpoint) online in situ within the portal. Currently in kcfinder you have to download it. 
   You must be able to edit it online. Currently you have to download it, open it, edit it, re-upload it and overwrite it.
  The client uses Sharepoint (I think that’s part of MS Office 365) and wants to be able to I think drag docs from there straight into the Portal file management system (I think at the moment they have to download a file from Sharepoint to their hard drive
  and then upload to kcfinder.
  We are currently investigating using a WP plugin for Google Drive
  https://wp-glogin.com/drive/ and Google Apps for work to create some sort of file management system that meets the requirements.
  However having loaded the plugin, the developer has found that two issues remain that so far defeat us:
  Firstly, and this seems to be applicable to using Google Drive outside the portal as well as in it - you can’t edit Word docs online in Google Drive without creating a Google Doc. This means we get duplicate docs which we don’t want – and they’re in
  the wrong format. We want Word and no duplication. The members/users don’t have time to delete and change the format back to Word. I guess the same applies to other Office docs.
  Second, apparently you can’t create a new folder in Google Drive in the portal.
  So my question for this forum is really what can you suggest, either as a fix to the Google Drive solution or is there a totally different plugin or set up we can use? Ideally it should
  be Office-based or friendly since most of our users use Microsoft Office.
  The other proviso is that it must be affordable. We/client cannot afford the $10 per user per month that some systems charge. The attractiveness of the Google option is not only the wide
  use of Google Docs (notwithstanding the fact that you can't open Word in GD instead it creates a duplicate in GD) but the fact that the plugin is cheap.
  Thanks in anticipation. 

  Hi,
  Why don't you take a look at Office Web App server which provides browser-based file viewing and editing services for Office files:
  https://technet.microsoft.com/en-us/library/jj219435.aspx
  It can be integrated with your customized website, and provide the ability to online view/editing Office documents..
  Hope it helps.
  Aravindhan Battepati

• Allow help desk to manage open files on file server

  I am looking to delegate the ability to manage open files to our help desk users.  They are getting an increasing number of calls from users asking about files and who has them open, or to force close them..etc.
  The help desk users are not admins on our file server, therefore do not have access to RDP to the file server.  I was hoping they could do it from computer management RSAT tools on their local machine.  I just don't know how to allow them to do
  it.
  Thanks
  sb

  Hello,
  Since they are not able to RDP the FS then they should need to access files using shared folders.
  For that, you will need to share the root folder where your files are. Please give Full Control permission on it. Here, to manage their permissions, you can grant them what you want using NTFS permissions.
  Note that NTFS and Share permissions are combined and the user will be have the minimum of privileges when he access the folder as a share. For that, I recommended using FC permission on the shared folder to avoid additional management tasks.
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   
  Microsoft
  Student Partner 2010 / 2011
  Microsoft
  Certified Professional
  Microsoft
  Certified Systems Administrator: Security
  Microsoft
  Certified Systems Engineer: Security
  Microsoft
  Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
  Microsoft
  Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
  Microsoft
  Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft
  Certified Technology Specialist: Windows 7, Configuring
  Microsoft
  Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
  Microsoft
  Certified IT Professional: Enterprise Administrator
  Microsoft Certified IT Professional: Server Administrator
  Microsoft Certified Trainer

• Rmi with security manager not working in netbeans

  Hello i'm trying to use rmi but get the error java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve) when i run it in netbeans. here is my code
  public static void main(String[] args) {
          if (System.getSecurityManager() == null) {
              System.setSecurityManager(new SecurityManager());
          try {
              String name = "Compute";
              Compute engine = new ComputeEngine();
              Compute stub =
                  (Compute) UnicastRemoteObject.exportObject(engine, 0);
              Registry registry = LocateRegistry.getRegistry();
              registry.rebind(name, stub);
              System.out.println("ComputeEngine bound");
          } catch (Exception e) {
              System.err.println("ComputeEngine exception:");
              e.printStackTrace();
      }It works if i don't have a security manager and it works with a security manager if i don't use netbeans to run it and use the command line. i need to use a secuirty manager because the client code is running in eclipse and it moans that there is no security manager if i run it without one
  this is the error i get when running with no security manager
  java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
       java.lang.ClassNotFoundException: takenoteremote.Compute (no security manager: RMI class loader disabled)
  Please help

  I have sort of got it to work, i took out the security manager and used the code base parameter on the command line, and put my interface into a jar file. I can only get it to work though on the command line, if i run it in netbeans it doesn't find the class in the jar file it needs.
  Any ideas?