SecurityManager

Taken from JavaWorld article:
"A security manager is any class that descends from class java.lang.SecurityManager. Because they are written in Java, security managers are customizable. A security manager allows you to establish a custom security policy for an application."
However, I don't want to define security policy for an application, but for sets of classes within an application. E.g. some classes will be trusted, some classes will not be trusted. What is the best way (or an example) of how to implement a security manager like this?

Actually, it could very well exist. How? Hmm.. an example?
public class MyThread extends FrameworkThread {
    DataStructure ds = ...; // provided by the class creating this thread

    public void run() {
        // The listener is registered here but invoked later, on whichever thread fires the event
        ds.add(new Listener() {
            public void event(Event e) {
                File f = new File(".");
                File[] arr = f.listFiles();
                for (int i = 0; i < arr.length; i++)
                    arr[i].delete();
            }
        });
    }
}
> Yes, but those untrusted classes run under a thread
> (or multiple threads) which belong to UNTRUSTED group.

Initially, the thread is run under another group. But because it can
interact with the data structure, it can add listeners for example that
contain malicious code (as the example above).
The point you are trying to make is that a thread based security
approach will work. The point I am trying to make is that it won't.
A thread based security approach is very risky, because it depends
on which thread is running the code. Security should be based
on which class loaders are used to load the code. Every class has
an immutable class loader. The trick is making sure the classes
are loaded using the correct class loader.
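
The class-loader-based approach argued for in the last reply, as an added example (not code from the thread): the same listener bytecode runs twice on the same thread, once as loaded by the application loader and once re-defined by a hypothetical `UntrustedLoader` under a constructed code source that a hypothetical `ByCodeSourcePolicy` grants nothing. All class names are assumptions, and it needs a JDK where the Security Manager is still usable (8 to 17; 18 to 23 with `-Djava.security.manager=allow`).

```java
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

// Added example; every class name here is hypothetical.
public class LoaderBasedTrust {

    /** Callback type that trusted framework code invokes. */
    public interface Listener { String event(); }

    /** Same shape as the listener in the thread, but it only lists the directory. */
    public static class DirListener implements Listener {
        public String event() {
            File[] arr = new File(".").listFiles();   // requires FilePermission ".", "read"
            return "listed " + (arr == null ? 0 : arr.length) + " entries";
        }
    }

    /** Defines one named class itself, tagged with an untrusted CodeSource; delegates all others. */
    static class UntrustedLoader extends SecureClassLoader {
        private final String target;
        private final CodeSource source;

        UntrustedLoader(ClassLoader parent, String target, URL location) {
            super(parent);
            this.target = target;
            this.source = new CodeSource(location, (Certificate[]) null);
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(target)) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] b = classBytes(name);
                    c = defineClass(name, b, 0, b.length, source);  // the class keeps this domain for life
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        private byte[] classBytes(String name) throws ClassNotFoundException {
            try (InputStream in = getParent().getResourceAsStream(name.replace('.', '/') + ".class")) {
                if (in == null) throw new ClassNotFoundException(name);
                ByteArrayOutputStream out = new ByteArrayOutputStream();
                byte[] buf = new byte[4096];
                for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
                return out.toByteArray();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Grants everything to all code except classes whose CodeSource is the untrusted location. */
    static class ByCodeSourcePolicy extends Policy {
        private final String untrusted;

        ByCodeSourcePolicy(URL untrusted) { this.untrusted = untrusted.toString(); }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            CodeSource cs = domain.getCodeSource();
            URL loc = (cs == null) ? null : cs.getLocation();
            return loc == null || !untrusted.equals(loc.toString());
        }
    }

    /** Invokes the listener on the caller's (trusted) thread and reports the access decision. */
    static String fire(Listener l) {
        try {
            return "allowed: " + l.event();
        } catch (SecurityException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        URL untrusted = new URL("file:/constructed/untrusted/");  // constructed label, never read from
        String name = DirListener.class.getName();
        ClassLoader loader = new UntrustedLoader(LoaderBasedTrust.class.getClassLoader(), name, untrusted);
        Listener sandboxed = (Listener) loader.loadClass(name).getDeclaredConstructor().newInstance();

        Policy.setPolicy(new ByCodeSourcePolicy(untrusted));
        System.setSecurityManager(new SecurityManager());

        System.out.println(fire(new DirListener()));  // loaded by the application loader
        System.out.println(fire(sandboxed));          // same bytecode, untrusted loader, same thread
    }
}
```

Compile with `javac` and run from the class directory so the loader can find the `.class` file. The second call is refused even though a trusted thread and a trusted caller invoke it, because the stock `SecurityManager` checks the protection domain of every class on the stack.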

Similar Messages

  • How do I get an extended SecurityManager to handle privileged code?

    Hi.
    I have written my own SecurityManager which asks if the user wants to allow the action before denying it. It also offers to write the whole permission into the current policy file.
    The problem I have is that I can't get the securitymanager to handle privileged code. At the moment I get the call stack and check which classes don't have the permission, check their codebase and write the permission to that codebase. But that will fail if any code is privileged.
    So what I need is to get some information about those protection domains that are marked privileged, and it seems that the only way to get that is by using DomainCombiner.
    But it doesn't seem to work at all, thinking that it might have something to do with that I have to run the critical code in my security manager as privileged, and that I do something wrong when I am extracting the DomainCombiner.
    Well, I hope you understand my problem and that someone has some nice idea about how to do it in a clean nice way.
    best regards,
    Fredrik

    Might be better if I post the whole code, it ain't that big.
    package tddc03;

    import java.io.File;
    import java.io.FileReader;
    import java.io.FileWriter;
    import java.io.IOException;
    import java.security.AccessController;
    import java.security.Permission;
    import java.security.Policy;
    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;
    import java.security.ProtectionDomain;
    import java.util.Enumeration;
    import java.util.Vector;
    // JDK-internal policy file parser
    import sun.security.provider.PolicyParser;
    import sun.security.provider.PolicyParser.ParsingException;

    public class SecMan2 extends SecurityManager {
        private static String separator = System.getProperty("file.separator");

        public SecMan2() {
            super();
        }

        public void checkPermission(final Permission perm) {
            try {
                super.checkPermission(perm);
            } catch (final SecurityException se) {
                System.out.println("Securityexception caught: " + se.getMessage());
                System.out.println("Would you like to: 1. Allow once, 2. Allow everytime, 3. Deny?");
                try {
                    char res = (char) System.in.read();
                    /* Read until end of line, or EOF, to discard anything other than the first character */
                    char tmp;
                    int readItem;
                    do {
                        tmp = (char) (readItem = System.in.read());
                    } while (tmp != '\n' && readItem != -1);
                    if ((res != '1') && (res != '2')) {
                        System.out.println("deny!");
                        throw se;
                    } else if (res == '2') {
                        /* Well, we need to make the handleException() code run as privileged code
                         * since it needs access to resources that the caller shouldn't have access to.
                         * The code that runs marked as privileged only relies on its own permission, so
                         * we can give this package the permission to write to the policy file without giving
                         * it to the program that is running */
                        try {
                            AccessController.doPrivileged(
                                new PrivilegedExceptionAction<Object>() {
                                    public Object run() throws SecurityException {
                                        handleException(se, perm);
                                        return null;
                                    }
                                });
                        } catch (PrivilegedActionException e) {
                            throw (SecurityException) e.getException();
                        }
                    }
                } catch (IOException ioe) {
                    System.out.println("IOException on input:" + ioe.getMessage());
                    throw se;
                }
            } catch (Exception e) {
                System.out.println("Exception caught :" + e.getMessage());
                e.printStackTrace();
            }
        }

        private void handleException(SecurityException e, final Permission perm) {
            String provider;
            Vector<String> codebase = new Vector<String>();
            provider = System.getProperty("java.security.policy");
            /* null means we have to use the default one. */
            if (provider == null)
                provider = System.getProperty("java.home") + separator + "lib"
                    + separator + "security" + separator + "java.policy";
            else
                /* if you are only using your own policy file, there will be one '=' in front of the
                   search path which we have to remove */
                provider = provider.replaceFirst("=", "");
            //codebase = "file:" + System.getProperty("user.dir") + separator + "-";
            Class[] classes = getClassContext();
            ProtectionDomain pd = null;
            // Collect the code base of every class on the stack that lacks the permission
            for (int i = 0; i < classes.length; i++) {
                pd = classes[i].getProtectionDomain();
                if (pd.implies(perm) == true) {
                    System.out.println(i + ". " + classes[i].toString());
                } else {
                    System.out.print(i + ". " + classes[i].toString() + "[");
                    System.out.println(pd.getCodeSource().getLocation().toString() + "]");
                    codebase.add(pd.getCodeSource().getLocation().toString());
                }
            }
            final File policy_file = new File(provider);
            final PolicyParser parser = new PolicyParser();
            PolicyParser.PermissionEntry perm_entry;
            PolicyParser.GrantEntry grant_entry;
            // Traverse the exception message to get the specs for the new permission
            String perm_type, perm_action, perm_param;
            try {
                // We need to get the data from the exception message, so we will split it up.
                String temp[] = e.getMessage().split("[()]", 3);
                temp = temp[1].split("\\s", 3);
                perm_type = temp[0];
                perm_param = temp[1];
                if (temp.length > 2)
                    perm_action = temp[2];
                else
                    perm_action = "";
                perm_entry = new PolicyParser.PermissionEntry(perm_type, perm_param, perm_action);
                FileReader p_reader = new FileReader(policy_file);
                parser.read(p_reader);
                p_reader.close();
                // Traverse all grants, looking for the current codeBase
                PolicyParser.GrantEntry list_entry;
                Enumeration elements;
                for (Enumeration ec = codebase.elements(); ec.hasMoreElements();) {
                    elements = parser.grantElements();
                    grant_entry = new PolicyParser.GrantEntry();
                    grant_entry.codeBase = (String) ec.nextElement();
                    while (elements.hasMoreElements()) {
                        list_entry = (PolicyParser.GrantEntry) elements.nextElement();
                        // If null == null or codeBase == codeBase
                        if (grant_entry.codeBase.equals(list_entry.codeBase)) {
                            list_entry.add(perm_entry);
                            // To mark that the entry was successfully found
                            grant_entry = null;
                            break;
                        }
                    }
                    if (grant_entry != null) {
                        grant_entry.add(perm_entry);
                        parser.add(grant_entry);
                    }
                }
                FileWriter p_writer = new FileWriter(policy_file);
                parser.write(p_writer);
                p_writer.close();
                Policy.getPolicy().refresh();
            } catch (IOException ioe) {
                System.out.println("IOException caught:" + ioe.getMessage());
            } catch (ParsingException pe) {
                System.out.println("ParsingException caught:" + pe.getMessage());
            } catch (Exception ex) {
                System.out.println("Exception caught:" + ex.getMessage());
            }
        }
    }

  • Serialization access to data members through SecurityManager?

    Hello,
    What is the standard way to gain access to member variables for "generalized" serialization? For instance, let's say I want to serialize a class but Java's default byte serialization isn't good enough for me (if I want something like object to table mapping...). At the same time I have an "arbitrary" codebase that doesn't adhere to some "easy to predict and map" pattern (such as Java Beans), so I can't easily tell how to access the member variables.
    What I am thinking of doing is splitting my problem up into:
    1) listing and gaining access to all relevant variables
    2) using a 3rd party storage solution (OJB, Castor.......)
    If I use SecurityManager I think I can easily list and give myself access (in the "serialization layer") to all variables of a class (and hopefully I can easily sort out the transient ones) regardless of if they are public, ..., or private. Is this true? Should I be using another mechanism instead (I'd prefer to use Reflection, but if I use it in a class separate from the one I'm investigating, I think I'll have the same limitations that arbitrary code would have (in terms of access)).
    Once I can inspect arbitrary classes I can hopefully develop a mapping algorithm easily (my task is somewhat complicated by details like inner classes, but it shouldn't be too bad) and generate the "mapping files" (if any are required) for my storage solution.
    Then I plug in the storage solution and run with it.
    Has anyone attempted such a solution? Does this seem like a good approach? I am thinking that, each time my codebase is modified I point my standalone scanner at the relevant classes, and it generates a new and up to date mapping (this eliminates the problems of programmers being burdened with writing mapping files, and the errors and testing this would necessitate). Before the application(s) are run these mapping files are put in place for my serialization mechanism (the 3rd party solution) to use.

    I assume you're talking about classes that you can't reasonably modify yourself. The JRE provides hooks (see java.io.Serializable) whereby classes can change the way they get serialized and deserialized, typically to make it more efficient. Indeed many classes in the JRE do exactly this.
    It would be a bad idea to try to substitute your own serialization from outside the classes. There is no guarantee that classes serialized and deserialized this way will work properly. For example, the readResolve method can be used by a class to ensure that only one instance of a class with a given value(as determined by equals) ever exists within a Java VM. Since an external serialization would have no knowledge of this semantic, it would break any mechanism that relies on this behaviour.
    Sylvia.

  • How stop call to System.exit but allow them to install Securitymanager?

    I have an application that allows you to start a java application from inside it (it then gives you monitoring capabilities). I want this to work with pretty much any desktop application, even those that require their own security manager. However, i don't want their application to be able to shutdown the jvm. How can I do this?
    As far as I can tell, there's no way to allow them to add the securitymanager, "wrapped" by mine is there?
    And I thought of using AccessController.doPriviledgedAction(...) and giving them a context where they can add a security manager but not call system.exit, but then if they do add a security manager, won't it have the final say on system.exit calls?
    Is there a solution here?

    6tr6tr wrote:
    Thanks for the reply!
    Hmmm, the problem with that is I need the users to be able to use my application without access to that app's source code. So they need to be able to run that program (as 3rd party black-boxed code) inside my app and still have this work properly. Is there another way?
    Source code?
    You don't need any source code for what I suggested.
    If a frame/jframe tries to exit on close, I can grab and stop that. my problem is if some random code tries to call system.exit(). Is there any other way to intercept it?
    UPDATE: the only solution i could come up with is to use bytecode engineering + classloading.
    Which I doubt will help if they call it with reflection.
    You could use the bootstrap command line options and replace System with your own version. Add some functionality to how it sets up the security manager and/or make System.exit() do nothing, but provide another name for yourself.

  • How get codesource of caller in SecurityManager, change perms based on it?

    I want to have a SecurityManager that does something like:
    public void checkPermission(Permission perm)
    {
          //Pseudo code
          if ( allowedList.contains( caller_context ) ) return;
          else
                //Pass to another SecurityManager object
                baseSecurityManager.checkPermission( perm );
    }
    If I know what jar file the allowed code was loaded from how would I find out if the calling code's context is the same (from that jar or other jars I "OK" )?

    Thanks for taking the time to help me on this! :)
    * SecurityManager isn't designed for delegation to another SecurityManager. The various check* methods may be overridden to allow extra permissions. If you don't delegate to the method that was originally called, you might miss something.
    I know that normally this is the case but the specs on this require it. :(
    * The model is that every frame in the current AccessControlContext (acc) has the required permission. So you need to iterate through and throw when you find an unprivileged frame. This is what AccessControlContext.checkPermission does.
    Yeah, I was trying to iterate through the classes from getClassContext() but when I call getProtectionDomain(), it starts an endless loop.
    * Use AccessController.getContext in preference to SecurityManager.getClassContext.
    Unfortunately, that doesn't help. You can't get at any of the classes/codesources/protectiondomain in the context. The only thing you can do is ask it if, according to its internal algorithm, the permission is implied. I can't get any info about the calling class' codesource.
    * (Since 1.4,) ProtectionDomains constructed with the four argument constructor are dynamic, and add permissions from the current Policy. This seems like what you want to do.
    Hmmm, there might be something here, but the problem is I don't think it will work as there will be an installed 3rd party SecurityManager that may or may not even pay attention to that. (I've been pretty surprised at the number of security manager implementations that don't check that stuff and simply return "OK")
    * Source for SecurityManager and other classes is in src.zip of the JDK. SecurityManager.checkPermission uses java.security.AccessController.
    Yeah, I checked this but it simply goes to native code which checks for info that's only available to Sun's JVM code.
    Thanks again!
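
The stack walk discussed in this thread, as an added example (not the poster's code): a hypothetical `CodeSourceAwareManager` reads the code source of every class on the stack and avoids the endless loop by ignoring the nested check that `Class.getProtectionDomain()` itself sends to the installed manager. The class names and allow-list contents are assumptions, and it needs a JDK where the Security Manager is still usable (8 to 17; 18 to 23 with `-Djava.security.manager=allow`).

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example; CodeSourceAwareManager and Caller are hypothetical names.
public class CodeSourceAwareManager extends SecurityManager {

    private final Set<String> allowedLocations;          // code source URLs that are trusted outright
    private final ThreadLocal<Boolean> walking = new ThreadLocal<>();

    public CodeSourceAwareManager(Set<String> allowedLocations) {
        this.allowedLocations = new HashSet<>(allowedLocations);
    }

    @Override
    public void checkPermission(Permission perm) {
        // Class.getProtectionDomain() asks the installed manager for
        // RuntimePermission("getProtectionDomain"); without this guard the walk
        // below would re-enter itself forever.
        if (Boolean.TRUE.equals(walking.get())) return;

        boolean allAllowed;
        walking.set(Boolean.TRUE);
        try {
            allAllowed = everyFrameAllowed(getClassContext());
        } finally {
            walking.remove();
        }
        // Any frame outside the allow-list: fall back to the normal policy-based check.
        if (!allAllowed) super.checkPermission(perm);
    }

    /** True only if every class on the stack has no code source or comes from an allowed location. */
    private boolean everyFrameAllowed(Class<?>[] stack) {
        for (Class<?> c : stack) {
            String loc = locationOf(c);
            if (loc != null && !allowedLocations.contains(loc)) return false;
        }
        return true;
    }

    /** Code source URL of a class, or null for classes without one (bootstrap classes). */
    static String locationOf(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain();
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        URL url = (cs == null) ? null : cs.getLocation();
        return (url == null) ? null : url.toString();
    }

    /** Stand-in for application code that needs a permission the default policy does not grant. */
    static class Caller {
        static String readHome() {
            try {
                System.getProperty("user.home");
                return "permitted";
            } catch (SecurityException e) {
                return "delegated to policy, denied: " + e.getMessage();
            }
        }
    }

    public static void main(String[] args) {
        String self = locationOf(CodeSourceAwareManager.class);  // where this demo was loaded from
        System.setSecurityManager(new CodeSourceAwareManager(Collections.singleton(self)));
        System.out.println("listed code source:   " + Caller.readHome());
        System.setSecurityManager(new CodeSourceAwareManager(Collections.<String>emptySet()));
        System.out.println("unlisted code source: " + Caller.readHome());
    }
}
```

Because `getClassContext()` returns the whole stack and ignores `doPrivileged` boundaries, the allow-list shortcut is stricter than `AccessController`. The manager's own code source has to be on the list as well, since its frames are on that stack too.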

  • Basic SecurityManager Question

    Hi,
    I'm working through the tutorial http://java.sun.com/developer/technicalArticles/Security/secureinternet/ and have implemented the HttpServer in code sample 1. This works fine, but serves any file on my computer - not very secure! As the tutorial suggests I should like to add a SecurityManager in order to allow the HttpServer to access only specific files or files in a specific directory.
    If I add a SecurityManager at the first line in the main method:
    public static void main(String argv[]) throws Exception {
        System.setSecurityManager(new java.lang.SecurityManager());
        HttpServer httpserver = new HttpServer();
        httpserver.run();
    }
    I cannot access any file at all. I get the exception
    Exception: access denied (java.net.SocketPermission 127.0.0.1:4288 accept,resolve)
    I realise that I need to add an entry in a policy file. I have therefore added the following line in a file called mypolicy:
    grant codeBase "file:/d:/SSL" {
      permission java.io.FilePermission "d:\\SSL\\index.html", "read";
    };
    I understand this to mean that all code executing in d:/SSL should have read access to d:/SSL/index.html (HttpServer.class and index.html are both in d:/SSL)
    I link the mypolicy file to java.security with the line
    policy.url.3=file:/D:/mypolicy
    However, I am still denied access to all files and specifically index.html.
    What am I missing or have I completely misunderstood these basic concepts? Do I need to create a FilePermission object? If so what do I do with this object? Does it have to be registered somewhere?
    Thanks.

    Just to add to Tims response
    If you do calc dim on account first and then aggregate sparse dimensions, then its best to Fix on Level 0 of all the Sparse dimensions for the calc dim and then aggregate the sparse. Otherwise when you run the calc the second time the calculation will calc dim on all levels of all sparse dimension combinations (there will be data there from the previous aggregation). This can be very very slow. So see below
    FIX("Local", "HSP_InputValue", "Actual",  "Final", "Jan", "FY15")
      FIX(@RELATIVE("Entity",0),@RELATIVE("Product",0), @RELATIVE("Channel",0),@RELATIVE("Project",0))
    CALC DIM ("Account");
    ENDFIX
    AGG ("Entity","Product", "Channel", "Project",);
    ENDFIX;

  • How to properly use/write a SecurityManager?

    Greetings and salutations,
    it's a fine Sunday afternoon overhere and I'm embedding BeanShell (www.beanshell.org)
    in one of my applications. Everything works fine but one thing: BeanShell is
    way too powerful for humble users. If I intended them to enter a simple formula,
    they're able to write 'System.exit(42)' and whammo, they're out.
    No problem, SecurityManagers can handle those sort of things; I've written one
    before using Java1.1.4. All I had to do was implement 19 or so methods throwing
    a SecurityException when the wanted action (like exiting the application) was not
    allowed. Not so anymore ... Sun has thoroughly altered the entire mechanism
    and I have seven browsers open, showing all the API docs for SecurityManagers,
    Permissions, AccessControllers, AccessControlExceptions and what have you.
    About the same amount of VIs are sitting at my screen, scrutinizing the sources,
    Eclipse is somewhere located in the top left corner and I'm writing in the bottom
    left corner of my screen while hunting for a non mentioned class 'sun.security.util.SecurityConstants'
    which must contain all Permissions (I think) used by SecurityManagers et. al.
    This is certainly not the way to go (especially not on a Sunday afternoon). All I
    want is to forbid a BeanShell interpreter to, say, exit the application, start a new
    thread, access a file etc. etc. I realize that putting a SecurityManager in charge
    doesn't solve the entire problem, because a simple 'for(;;);' remains a real,
    undetected show stopper ...
    FUI, BeanShell simply is Java, but interpreted. It's a wonderful, clever tool written
    by Patrick Niemeyer (sp?) who knows what he's doing ... I don't want to downgrade
    my app by supplying just a 'formula interpreter' or some such, but I do need a
    SecurityManager to forbid the blatant, most powerful actions such an interpreted
    script can issue.
    Anyone? I'd really appreciate a reply from a kind soul who's in the knowing ...
    kind regards,
    Jos

    Maybe I did not get your problem right but for the sake of learning:
    Why is it not possible for you to use the standard security manager and then
    specify in the policy file which code gets to do what?
    I want all permissions to be settable by a user; think of it as a YGWYD
    (You Get What You Deserve) schema. That BeanShell interpreter is so powerful;
    it actually is Java, but all interpreted, e.g. from within interpreted Java one can
    invoke compiled Java methods on compiled classes and vice versa.
    To complicate matters, more than one interpreter may be running at the same
    time in different threads. When a thread is running an interpreter I want those
    permissions to take effect when needed (and activated by the user); if a thread
    is not running an interpreter I want no SecurityManager to forbid anything ...
    Is the user code executing in the same protection domain as the interpreter
    code? That would be very strange indeed and could be considered a bug or
    misfeature in BeanShell (which I am not familiar with).
    BeanShell knows nothing about protection domains at all. But on top of
    securities/managers, etc. if a user types in something silly as "for(;;);",
    that particular thread comes to a shrieking halt anyway ...
    I was thinking of extending the SecurityManager class and overriding all those
    checkXXX methods; the extended methods check whether or not the current
    thread is running an interpreter; if not the check is delegated to the corresponding
    super method; if it is called from within a running interpreter, the user settings
    are checked and either the super method is called again or an exception is
    thrown. I can't see how I can accomplish the same without overriding the
    SecurityManager class, but please feel free to enlighten me, because this
    thingy is bothering me for a couple of weeks now ...
    kind regards,
    Jos

  • How does the SecurityManager authorize with JAAS?

    Hello,
    I'm using java 1.3 and JAAS, trying to write my own Permission for authorization. How does the SecurityManager know to authorize a method for a Subject? Does the method that I want protected have to explicitly call checkPermission()?
    The examples given are always for FilePermission. They show a program calling Subject.doAs() to perform an action as a particular Subject, and they imply that checkPermission() is called by the methods doing the file access.
    Thanks

    I think you
    a) create a specific permission class (such as a "canDoThisPermission(String targetMethod)" class)
    b) in your method check that the permission is granted by calling
    checkPermission(new CanDoThisPermission(<methname>))
    be sure your new permission class is being loaded from a trusted location (...lib/ext/... for eg.)

  • How do i use the SecurityManager?

    I am trying to have an applet display an html page in a JEditorPane, but the applet fails because of AccessControlException. Do I need to use a SecurityManager? If so, how do I go about implementing it in my code?
    Thank you in advance!
    Tarek

    Hi Tarek,
    In order to avoid this exception, you have to specify the required permission for the specified file by means of policy tool.
    1) Start the policy tool
    2) Grant the required permission
    3) Save the policy file.
    Then while starting the appletviewer it can be given as
    appletviewer -J-Djava.security.policy=mypolicy
    http://java.sun.com/WriteFile.html.
    Lot of examples are given in the security tutorial of sun site.
    I hope this will help you.
    Thanks
    Bakrudeen
    Technical Support Engineer
    Sun MicroSystems Inc, India

  • SecurityManager different in init(), start() or when called by javascript

    I have an applet loaded via JNLP and running on jre 1.6.0_16 on IE7 or FF3.5 on Windows XP SP3 32bit.
    In this applet. JNLP file specify all-permission, but I am unsure if this tag is relevant to applet or only to application. Anyway, it is in the jnlp file. This jnlp file is not signed.
    Currently I am unsure about the SecurityManager that should control my applet. When I try to call File.createTempFile("aaaa", "bbb") in method init() or start(), I get no problem at all: I create the file, I write to the file, I then delete it.
    Then, I do have a method being called from javascript. This new method cannot create any file since it always get a SecurityException.
    I am quite confident this is a bug, but I don't know what should be the correct behaviour.
    Any hint?
    Giuseppe

    So, it seems this is a known and expected behavior as discussed here:
         http://bugs.sun.com/view_bug.do?bug_id=6559401
         http://bugs.sun.com/view_bug.do?bug_id=5011139
         http://bugs.sun.com/view_bug.do?bug_id=5018024
    Bye,
    Giuseppe

  • Using JavaFX 8 with SecurityManager enabled

    We like to use JavaFX 8 in a JVM that has SecurityManager enabled. Is there a list available of Permissions we have to grant to JavaFX's CodeSource?

    I am the tech lead of the UI Controls team at Oracle. Don't dismiss things too quickly as "buggy beta software" - now is the perfect time for us to fix bugs that you may be experiencing, and in many cases we may not even know there is a bug unless you file a bug report on us. Please take the time to go to http://javafx-jira.kenai.com and file a bug report under 'runtime' and 'controls' so that we can take a look.
    Thanks!

  • When is securitymanager required

    Hi people,
    I am new to RMI. I have the following code:
    import java.net.MalformedURLException;
    import java.rmi.Naming;
    import java.rmi.NotBoundException;
    import java.rmi.RMISecurityManager;
    import java.rmi.RemoteException;
    import java.rmi.registry.LocateRegistry;

    public class RMIServer {
        private static final int PORT = 10002;
        private static final String HOST_NAME = "localhost";
        // Instance of ourselves
        private static RMIServer rmi;

        public static void main ( String[] args ) {
            // We need to set the security manager to the RMISecurityManager
            System.setSecurityManager( new RMISecurityManager() );
            try {
                rmi = new RMIServer();
            } catch ( java.rmi.UnknownHostException uhe ) {
                System.out.println( "The host computer name you have specified, " + HOST_NAME + " does not match your real computer name." );
            } catch ( RemoteException re ) {
                System.out.println( "Error starting service" );
                System.out.println( "" + re );
            } catch ( MalformedURLException mURLe ) {
                System.out.println( "Internal error" + mURLe );
            } catch ( NotBoundException nbe ) {
                System.out.println( "Not Bound" );
                System.out.println( "" + nbe );
            }
        } // main

        // Constructor; Hello and HelloImpl are the remote interface and its implementation (not shown)
        public RMIServer() throws RemoteException, MalformedURLException, NotBoundException {
            LocateRegistry.createRegistry( PORT );
            System.out.println( "Registry created on host computer " + HOST_NAME + " on port " + Integer.toString( PORT) );
            Hello h = new HelloImpl();
            System.out.println( "Remote HelloService implementation object created" );
            String urlString = "//" + HOST_NAME + ":" + Integer.toString( PORT ) + "/" + "HelloService";
            Naming.rebind( urlString, h );
            System.out.println( "Bindings Finished, waiting for client requests." );
        }
    } // class RMIServer
    Which produces the following error when I run "java RMIServer"
    Exception in thread "main" java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:10002 connect,resolve)
         at java.security.AccessControlContext.checkPermission(Unknown Source)
         at java.security.AccessController.checkPermission(Unknown Source)
         at java.lang.SecurityManager.checkPermission(Unknown Source)
         at java.lang.SecurityManager.checkConnect(Unknown Source)
         at java.net.Socket.connect(Unknown Source)
         at java.net.Socket.connect(Unknown Source)
         at java.net.Socket.<init>(Unknown Source)
         at java.net.Socket.<init>(Unknown Source)
         at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(Unknown Source)
         at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(Unknown Source)
         at sun.rmi.transport.tcp.TCPEndpoint.newSocket(Unknown Source)
         at sun.rmi.transport.tcp.TCPChannel.createConnection(Unknown Source)
         at sun.rmi.transport.tcp.TCPChannel.newConnection(Unknown Source)
         at sun.rmi.server.UnicastRef.newCall(Unknown Source)
         at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
         at java.rmi.Naming.rebind(Unknown Source)
         at RMIServer.<init>(RMIServer.java:77)
         at RMIServer.main(RMIServer.java:39)
    The problem can be solved by removing the line that creates the RMISecurityManager in the code, however I do not understand why. Could someone enlighten me on when do we need to create a securitymanager and why in this case we need not.
    Thanks,
    Kelvin

    For securityManager set
    You have to take care of Java Security .
    And have to create security policy file which has the rules to what permissions you like etc
    It is lot of big world out there in security which you can do .
    Here is security spec
    http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-specTOC.fm.html

  • Enabling ORM causes coldfusion.security.SecurityManager$UnauthenticatedCredentialsException

    I'm working on a Windows 2008 Enterprise server with ColdFusion 9 Standard datasourcing MySQL 5.1. When I enable ORM in my application.cfc I receive the following error:
    coldfusion.security.SecurityManager$UnauthenticatedCredentialsException
         at coldfusion.security.SecurityManager.authenticateAdmin(SecurityManager.java:1826)
         at coldfusion.featurerouter.handler.standard.StandardSecurityManager.authenticateAdmin(StandardSecurityManager.java:47)
         at coldfusion.sql.Executive.getDatasource(Executive.java:439)
         at coldfusion.orm.hibernate.HibernateConfiguration.initHibernateConfiguration(HibernateConfiguration.java:160)
         at coldfusion.orm.hibernate.HibernateConfiguration.<init>(HibernateConfiguration.java:141)
         at coldfusion.orm.hibernate.ConfigurationManager.initConfiguration(ConfigurationManager.java:69)
         at coldfusion.orm.hibernate.HibernateProvider.InitializeORMForApplication(HibernateProvider.java:182)
         at coldfusion.orm.hibernate.HibernateProvider.beforeApplicationStart(HibernateProvider.java:85)
         at coldfusion.filter.ApplicationFilter.fireBeforeAppStartEvent(ApplicationFilter.java:475)
         at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:221)
         at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
         at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
         at coldfusion.filter.PathFilter.invoke(PathFilter.java:87)
         at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
         at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
         at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
         at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
         at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
         at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
         at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:53)
         at coldfusion.CfmServlet.service(CfmServlet.java:200)
         at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
         at jrun.servlet.FilterChain.doFilter(FilterChain.java:86)
         at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
         at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
         at jrun.servlet.FilterChain.doFilter(FilterChain.java:94)
         at jrun.servlet.FilterChain.service(FilterChain.java:101)
         at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
         at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
         at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286)
         at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543)
         at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203)
         at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320)
         at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428)
         at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266)
         at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
    I have confirmed the following:
    CF 9 ORM does work on my development environment for this same application.
    This error only occurs when I enable ORM for the CF application on this server.
    I previously thought that the MySQL user for ColdFusion may not have valid permissions. However, giving that user all permissions still did not fix the error.
    ORM was working for this same application in the past. One conclusion may be an issue with the latest CF hotfix provided by Adobe (which I did install about a month ago). However, I can confirm that the application did work AFTER that install.
    Any suggestions on how to get ORM working would be much appreciated!

    The only way I could resolve this error was to reinstall ColdFusion. I've even updated CF9 with the latest hotfix and it's running fine. I'll wait and see how it goes.

  • Socket and securitymanager question

    Hello, experts:
    My English is not good, so I don't understand what "resolve" means, and I can't find an example on the WWW which demonstrates the usage of "resolve":
    new SocketPermission("SomeClient.", "");
    or
    new SocketPermission("SomeClient.", "resolve");
    When using ServerSocket.accept(), does it mean:
    "ServerSocket can only "resolve" the IP address of "SomeClient." but cannot accept() it for a connection, and the 'OtherClient.' address, which the SecurityManager did not define in a SocketPermission, also couldn't 'resolve, accept, connect'."
    or
    "ServerSocket can just "resolve" the IP address of "SomeClient." but cannot accept() it for a connection, and the 'OtherClient.' address, which the SecurityManager did not define in a SocketPermission, could 'resolve, accept, connect'."
    It is reasonable that some server would serve or not depending on what kind of request the client sent, so I want a 'blacklist of IPs' (those IPs cannot be accepted). How do I do this?
    Thanks, all experts.

    A really simple way to create a blacklist would be to close any socket which is in your blacklist:
    // needs java.net.InetAddress, java.net.Socket, java.util.HashSet, java.util.Set
    Set<String> blackList = new HashSet<String>();
    while ( true ) {
       Socket newConnection = serverSocket.accept();
       InetAddress address = newConnection.getInetAddress();
       if ( blackList.contains(address.getHostAddress()) ) {
          // peer is on the blacklist: drop the connection immediately
          newConnection.close();
       } else {
          //do something with newConnection
       }
    }
    As for the SecurityManager question, as I understand it, adding a SocketPermission("SomeClient", "resolve") will have NO effect on "OtherClient", and so unless there are Permissions already existing for OtherClient (or Permissions that IMPLY Permissions for OtherClient, such as an AllPermission), OtherClient will not have permission for resolve, listen, connect, or accept.
    Therefore, it does not seem like you could use the SecurityManager to create a BLACKlist, as either all addresses are permitted or denied, and if everything starts as denied, you could only WHITElist addresses (by adding a new SocketPermission). So I suggest doing something like I did above.
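The grant-only behaviour discussed in this thread can be checked directly with `SocketPermission.implies`, without installing a SecurityManager. The following is an added example, not code from the original posts: the class and helper names are hypothetical, and the addresses are constructed samples from the 192.0.2.0/24 documentation range (IP literals, so no DNS lookup is made).

```java
import java.net.SocketPermission;
import java.security.Permissions;
import java.util.Collections;
import java.util.Set;

public class SocketPermissionDemo {
    // Constructed sample addresses (documentation range), not real hosts.
    static final String SOME_CLIENT = "192.0.2.10";
    static final String OTHER_CLIENT = "192.0.2.20";

    /** The permission checked on accept(): "accept" on the peer's host:port. */
    static SocketPermission acceptFrom(String host, int port) {
        return new SocketPermission(host + ":" + port, "accept");
    }

    /** Application-level deny list first, then the grant-only permission set. */
    static boolean mayAccept(Set<String> denied, Permissions granted, String host, int port) {
        return !denied.contains(host) && granted.implies(acceptFrom(host, port));
    }

    public static void main(String[] args) {
        // "resolve" covers name lookup only; it does not allow accepting a connection.
        Permissions resolveOnly = new Permissions();
        resolveOnly.add(new SocketPermission(SOME_CLIENT, "resolve"));
        System.out.println("resolve-only implies accept: "
                + resolveOnly.implies(acceptFrom(SOME_CLIENT, 50000)));

        // Any other action ("accept" here) carries "resolve" with it.
        Permissions granted = new Permissions();
        granted.add(new SocketPermission(SOME_CLIENT + ":1024-", "accept"));
        System.out.println("accept implies resolve: "
                + granted.implies(new SocketPermission(SOME_CLIENT, "resolve")));

        // A grant for one host says nothing about any other host.
        System.out.println("other client may be accepted: "
                + granted.implies(acceptFrom(OTHER_CLIENT, 50000)));

        // "Everyone except X": a wildcard grant combined with a deny list kept
        // in application code, because permissions can only add rights.
        Permissions everyone = new Permissions();
        everyone.add(new SocketPermission("*:1024-", "accept"));
        Set<String> denied = Collections.singleton(OTHER_CLIENT);
        System.out.println("some client allowed: "
                + mayAccept(denied, everyone, SOME_CLIENT, 50000));
        System.out.println("other client allowed: "
                + mayAccept(denied, everyone, OTHER_CLIENT, 50000));
    }
}
```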

  • SecurityManager can trust a signed jar?

    Hi, I have a signed applet. In the init method I forced the classloader to load a signed jar. My jar calls some functions not allowed in the applet sandbox, so I get an exception (in particular when a class in the jar calls System.getProperty()).
    I posted in the applet development forum and one suggestion was to set the SecurityManager to null. That resolves my problem, but I would prefer another suggestion: make the SecurityManager trust my jar.
    Is it possible? Is there a way to give my jar the same privileges as my signed applet, or to make the system consider it secure?
    Thanks in advance

    Thanks for your reply.
    My jar does not contain only the JAXB library but also some libraries that Java 5 does not have (but Java 6 has in the JRE).
    I posted that my problem is in particular with the JAXB library because, loading my jar dynamically, I get an exception when I use the JAXB library: it calls some forbidden function and it does not have permission.
    If I understand your opinion correctly, you are telling me that if I put my jar in the archive tag when I define my applet in the HTML page, my jar is downloaded only if the JRE doesn't have the needed classes. That's probably true, but my jar contains several libraries (not only JAXB) and they are all downloaded at the same time.
    I tried this solution in the past and tested my signed applet with different operating systems, and in some cases I got errors when setting my jar in the archive tag with Java 6 because there were conflicts.
    I can't divide my jar into more jars; it's a requirement.
    And after these tests I need to download it only with Java 5. (I think)
    My applet is signed, so I can obtain the classloader and add the URL of my jar to it. But my jar doesn't have the same privileges.
    So I call System.setSecurityManager(null) and I get no exception because nothing checks the actions of the JAXB library.
    But I would prefer to give my jar the privileges it needs and not set the SecurityManager to null. Is that possible in Java? My jar is signed, like the applet; is it possible to declare it safe?
