Trouble with java security manager

I have set up a security manager for my webapp running on Tomcat. The application enables the user to write his own scripts using Javascript, that's why I need to set up a security manager.
Using Rhino as script interpreter, it is possible to use the standard java security mechanisms, e.g. using the security manager to handle the scripts' rights.
I've added the following lines to my policy file:
// give server all rights
grant codeBase "file:webapp/WEB-INF/-" {
     permission java.security.AllPermission;
//rights granted to scripts
grant codeBase "file:restrictedClient" {
     permission java.io.FilePermission "webapp/WEB-INF/lib/js.jar", "read";
I've assigned the scripts to the "restrictedClient" code base. However, the script execution fails as the script does not have the permission to access or define classes of any package (even standard java packages like java.lang or java.math).
In java.security, I have found the following comment:
# List of comma-separated packages that start with or equal this string
# will cause a security exception to be thrown when
# passed to checkPackageDefinition unless the
# corresponding RuntimePermission ("defineClassInPackage."+package) has
# been granted.
# by default, no packages are restricted for definition, and none of
# the class loaders supplied with the JDK call checkPackageDefinition.
#package.definition=
I now wonder, why the checkPackageDefinition is checked though there's no entry for any package to be checked.
Extending the policy file like
grant codeBase "file:restrictedClient" {
     permission java.lang.RuntimePermission "accessClassInPackage.webapp/WEB-INF/classes/org/mozilla/javascript";
     permission java.io.FilePermission "webapp/WEB-INF/lib/js.jar", "read";
     permission java.lang.RuntimePermission "defineClassInPackage.java.io";
     permission java.lang.RuntimePermission "defineClassInPackage.java.util";
     permission java.lang.RuntimePermission "defineClassInPackage.java.net";
     permission java.lang.RuntimePermission "defineClassInPackage.java.sql";
     permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
     permission java.lang.RuntimePermission "defineClassInPackage.java.math";
     permission java.lang.RuntimePermission "de.methodpark.pkit.facade.impl";
works, but an unpleasant feeling remains :-).
Rhino creates an own classloader for script execution. Could that be the source of the strange behaviour?
Any help would be appreciated!
Regards,
Matthias

David,
I was glad to see your post regarding WLS 9.2 and the troubles with enabling Java Security Manager.
Were you able to learn any more on things like - why doesn't the admin console work when the security manager is enabled with the default policy file. Also, why is it so difficult to add permissions for your own applications and get them to actually work.
I'd be curious to see if you were able to get it to work or if you have any insights or resources that can help with this as we are really struggling to get a restrictive policy file that works.
Thanks,
D

Similar Messages

WebLogic Admin Console won't work with java security manager enabled.

By just enabling the security manager on the command line with -Djava.security.manager and using the default weblogic.policy in the server/lib directory, the admin console will not work. I just see a blank page when I try to access the admin console with permission errors all over on the server console.
In looking at the admin console's weblogic.xml it should have access to everything since it contains:
grant {
permission java.security.AllPermission;
Are there known issues with this? If I add this permission to the weblogic.policy file everything works fine but then I might as well not turn on the security manager.
Thanks,
Dave

David,
I was glad to see your post regarding WLS 9.2 and the troubles with enabling Java Security Manager.
Were you able to learn any more on things like - why doesn't the admin console work when the security manager is enabled with the default policy file. Also, why is it so difficult to add permissions for your own applications and get them to actually work.
I'd be curious to see if you were able to get it to work or if you have any insights or resources that can help with this as we are really struggling to get a restrictive policy file that works.
Thanks,
D

I am having trouble with my security questions, I want to change them, so it says that it sent me an email to change it but it never shows up, so I can't buy anything now?

I am having trouble with my security questions, I want to change them, so it says that it sent me an email to change it but it never shows up, so I can't buy anything now?

This issue was resolved! I didnt think about restoring my computer to factory settings but I did and now my computer works like brand new. basically, just back up your files and do the following:
http://www.youtube.com/watch?v=yPmT5Xbb8p0

Having trouble with the security questions for iTunes. Tried to reset them, but the mail from Apple never comes . . .

Having trouble with the security questions for iTunes. Tried to reset them, but the mail from Apple never comes . . .

You need to ask Apple to reset your security questions; ways of doing so include clicking here and picking a method for your country, and filling out and submitting this form.
(96290)

Java.security.manager ?

My understanding about Java SecurityManager is when you want to use it,
it have to be installed. It can be installed through
using -Djava.security.manager
option with java command or calling setSecurityManager() in the application.
I'm sure that WLS startup script marketed with WLS5.1
used -Djava.security.manager
option, however, WLS6.1 and WLS7.0's script don't use the option. Do they
install a SecurityManager through setSecurityManager() method?
I'm just curious to know why they are different between WLS5.1 and
WLS6.1/7.0.
Thanks in advance,
Koji Sekiguchi

6.1 and 7.0 do not install a SecurityManager programattically. It was
decided that most people do not make use of the added security provided
by the security manager and that it has a significant performance hit on
the VM (I think we found 6-7% degradation but it was a long time ago so
I may be way off) so that it did not make sense to run with it by
default. Instead we tell people to turn it on who need it. It seems
better because all of the security conscious people know to look for it
and all of the security unaware folk don't know enough to turn it off so
they are stuck with the degradation.
The SecurityManager is really most helpful if you are installing
untrusted applications on your app server (something most users don't
do). It does next-to-nothing to prevent remote attacks.
Neil Smithline
Koji Sekiguchi wrote:
My understanding about Java SecurityManager is when you want to use it,
it have to be installed. It can be installed through
using -Djava.security.manager
option with java command or calling setSecurityManager() in the application.
I'm sure that WLS startup script marketed with WLS5.1
used -Djava.security.manager
option, however, WLS6.1 and WLS7.0's script don't use the option. Do they
install a SecurityManager through setSecurityManager() method?
I'm just curious to know why they are different between WLS5.1 and
WLS6.1/7.0.
Thanks in advance,
Koji Sekiguchi

How can i deal with java.security.AccessControlException?

Hi all, I need to implement JavaMail using Servlet and deploy throught J2EE deployment tool. But when i test out the servlet i will always encounter this exception thrown. How can i solve this?
java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
This is the servlet i am testing. Please advise. Thanks in advance!
* @(#)JavaMailServlet.java 1.3 99/12/06
* Copyright 1998, 1999 Sun Microsystems, Inc. All Rights Reserved.
* This software is the proprietary information of Sun Microsystems, Inc.
* Use is subject to license terms.
import java.io.*;
import java.util.*;
import java.text.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.mail.*;
import javax.mail.internet.*;
import javax.activation.*;
* This is a servlet that demonstrates the use of JavaMail APIs
* in a 3-tier application. It allows the user to login to an
* IMAP store, list all the messages in the INBOX folder, view
* selected messages, compose and send a message, and logout.
* 
* Please note: This is NOT an example of how to write servlets!
* This is simply to show that JavaMail can be used in a servlet.
* 
* For more information on this servlet, see the
* JavaMailServlet.README.txt file.
* 
* For more information on servlets, see
* * http://java.sun.com/products/java-server/servlets/index.html
* @author Max Spivak
public class JavaMailServlet extends HttpServlet implements SingleThreadModel {
String protocol = "POP3";
String mbox = "INBOX";
* This method handles the "POST" submission from two forms: the
* login form and the message compose form. The login form has the
* following parameters: <code>hostname</code>, <code>username</code>,
* and <code>password</code>. The <code>send</code> parameter denotes
* that the method is processing the compose form submission.
public void doPost(HttpServletRequest req, HttpServletResponse res)
 throws ServletException, IOException {
// get the session
 HttpSession ssn = req.getSession(true);
 String send = req.getParameter("send");
String host = req.getParameter("hostname");
String user = req.getParameter("username");
String passwd = req.getParameter("password");
URLName url = new URLName(protocol, host, -1, mbox, user, passwd);
ServletOutputStream out = res.getOutputStream();
 res.setContentType("text/html");
 out.println("<html><body bgcolor=\"#CCCCFF\">");
 if (send != null) {
 // process message sending
 send(req, res, out, ssn);
 } else {
 // initial login
 // create
 MailUserData mud = new MailUserData(url);
 ssn.putValue("javamailservlet", mud);
 try {
 Properties props = System.getProperties();
 System.out.println("url");
 props.put("mail.smtp.host", host);
 Session session = Session.getDefaultInstance(props, null);
 session.setDebug(false);
 Store store = session.getStore(url);
 store.connect();
 Folder folder = store.getDefaultFolder();
 if (folder == null)
 throw new MessagingException("No default folder");
 folder = folder.getFolder(mbox);
 if (folder == null)
 throw new MessagingException("Invalid folder");
 folder.open(Folder.READ_WRITE);
 int totalMessages = folder.getMessageCount();
 Message[] msgs = folder.getMessages();
 FetchProfile fp = new FetchProfile();
 fp.add(FetchProfile.Item.ENVELOPE);
 folder.fetch(msgs, fp);
 // track who logged in
 System.out.println("Login from: " + store.getURLName());
 // save stuff into MUD
 mud.setSession(session);
 mud.setStore(store);
 mud.setFolder(folder);
 // splash
 out.print("<center>");
 out.print("");
 out.println("Welcome to JavaMail!</center>");
 // folder table
 out.println("<table width=\"50%\" border=0 align=center>");
 // folder name column header
 out.print("<tr><td width=\"75%\" bgcolor=\"#ffffcc\">");
 out.print("");
 out.println("FolderName</td> ");
 // msg count column header
 out.print("<td width=\"25%\" bgcolor=\"#ffffcc\">");
 out.print("");
 out.println("Messages</td> ");
 out.println("</tr>");
 // folder name
 out.print("<tr><td width=\"75%\" bgcolor=\"#ffffff\">");
 out.print("<a href=\"" + HttpUtils.getRequestURL(req) + "\">" +
 "Inbox" + "</a></td> ");
 // msg count
 out.println("<td width=\"25%\" bgcolor=\"#ffffff\">" +
 totalMessages + "</td>");
 out.println("</tr>");
 out.println("</table");
 } catch (Exception ex) {
 out.println(ex.toString());
 } finally {
 out.println("</body></html>");
 out.close();
* This method handles the GET requests for the client.
public void doGet (HttpServletRequest req, HttpServletResponse res)
 throws ServletException, IOException {
HttpSession ses = req.getSession(false); // before we write to out
ServletOutputStream out = res.getOutputStream();
 MailUserData mud = getMUD(ses);
 if (mud == null) {
 res.setContentType("text/html");
 out.println("<html><body>Please Login (no session)</body></html>");
 out.close();
 return;
 if (!mud.getStore().isConnected()) {
 res.setContentType("text/html");
 out.println("<html><body>Not Connected To Store</body></html>");
 out.close();
 return;
 // mux that takes a GET request, based on parameters figures
 // out what it should do, and routes it to the
 // appropriate method
 // get url parameters
 String msgStr = req.getParameter("message");
String logout = req.getParameter("logout");
 String compose = req.getParameter("compose");
 String part = req.getParameter("part");
 int msgNum = -1;
 int partNum = -1;
 // process url params
 if (msgStr != null) {
 // operate on message "msgStr"
 msgNum = Integer.parseInt(msgStr);
 if (part == null) {
 // display message "msgStr"
res.setContentType("text/html");
 displayMessage(mud, req, out, msgNum);
 } else if (part != null) {
 // display part "part" in message "msgStr"
 partNum = Integer.parseInt(part);
displayPart(mud, msgNum, partNum, out, res);
 } else if (compose != null) {
 // display compose form
 compose(mud, res, out);
} else if (logout != null) {
 // process logout
try {
mud.getFolder().close(false);
mud.getStore().close();
 ses.invalidate();
out.println("<html><body>Logged out OK</body></html>");
} catch (MessagingException mex) {
out.println(mex.toString());
 } else {
 // display headers
 displayHeaders(mud, req, out);
/* main method to display messages */
private void displayMessage(MailUserData mud, HttpServletRequest req,
 ServletOutputStream out, int msgNum)
 throws IOException {
 out.println("<html>");
out.println("<HEAD><TITLE>JavaMail Servlet</TITLE></HEAD>");
 out.println("<BODY bgcolor=\"#ccccff\">");
 out.print("<center>");
 out.println("Message " + (msgNum+1) + " in folder " +
 mud.getStore().getURLName() +
 "/INBOX</center>");
 try {
 Message msg = mud.getFolder().getMessage(msgNum);
 // first, display this message's headers
 displayMessageHeaders(mud, msg, out);
 // and now, handle the content
 Object o = msg.getContent();
 //if (o instanceof String) {
 if (msg.isMimeType("text/plain")) {
 out.println("<pre>");
 out.println((String)o);
 out.println("</pre>");
 //} else if (o instanceof Multipart){
 } else if (msg.isMimeType("multipart/*")) {
 Multipart mp = (Multipart)o;
 int cnt = mp.getCount();
 for (int i = 0; i < cnt; i++) {
 displayPart(mud, msgNum, mp.getBodyPart(i), i, req, out);
 } else {
 out.println(msg.getContentType());
 } catch (MessagingException mex) {
 out.println(mex.toString());
 out.println("</BODY></html>");
 out.close();
* This method displays a message part. <code>text/plain</code>
* content parts are displayed inline. For all other parts,
* a URL is generated and displayed; clicking on the URL
* brings up the part in a separate page.
private void displayPart(MailUserData mud, int msgNum, Part part,
 int partNum, HttpServletRequest req,
 ServletOutputStream out)
 throws IOException {
 if (partNum != 0)
 out.println("<hr>");
try {
 String sct = part.getContentType();
 if (sct == null) {
 out.println("invalid part");
 return;
 ContentType ct = new ContentType(sct);
 if (partNum != 0)
 out.println("Attachment Type: " +
 ct.getBaseType() + " ");
 if (ct.match("text/plain")) {
 // display text/plain inline
 out.println("<pre>");
 out.println((String)part.getContent());
 out.println("</pre>");
 } else {
 // generate a url for this part
 String s;
 if ((s = part.getFileName()) != null)
 out.println("Filename: " + s + " ");
 s = null;
 if ((s = part.getDescription()) != null)
 out.println("Description: " + s + " ");
 out.println("<a href=\"" +
 HttpUtils.getRequestURL(req) +
 "?message=" +
 msgNum + "&part=" +
 partNum + "\">Display Attachment</a>");
 } catch (MessagingException mex) {
 out.println(mex.toString());
* This method gets the stream from for a given msg part and
* pushes it out to the browser with the correct content type.
* Used to display attachments and relies on the browser's
* content handling capabilities.
private void displayPart(MailUserData mud, int msgNum,
 int partNum, ServletOutputStream out,
 HttpServletResponse res)
 throws IOException {
 Part part = null;
try {
 Message msg = mud.getFolder().getMessage(msgNum);
 Multipart mp = (Multipart)msg.getContent();
 part = mp.getBodyPart(partNum);
 String sct = part.getContentType();
 if (sct == null) {
 out.println("invalid part");
 return;
 ContentType ct = new ContentType(sct);
 res.setContentType(ct.getBaseType());
 InputStream is = part.getInputStream();
 int i;
 while ((i = is.read()) != -1)
 out.write(i);
 out.flush();
 out.close();
 } catch (MessagingException mex) {
 out.println(mex.toString());
* This is a utility message that pretty-prints the message
* headers for message that is being displayed.
private void displayMessageHeaders(MailUserData mud, Message msg,
 ServletOutputStream out)
 throws IOException {
 try {
 out.println("Date: " + msg.getSentDate() + " ");
Address[] fr = msg.getFrom();
if (fr != null) {
boolean tf = true;
out.print("From: ");
for (int i = 0; i < fr.length; i++) {
out.print(((tf) ? " " : ", ") + getDisplayAddress(fr));
tf = false;
out.println(" ");
Address[] to = msg.getRecipients(Message.RecipientType.TO);
if (to != null) {
boolean tf = true;
out.print("To: ");
for (int i = 0; i < to.length; i++) {
out.print(((tf) ? " " : ", ") + getDisplayAddress(to[i]));
tf = false;
out.println(" ");
Address[] cc = msg.getRecipients(Message.RecipientType.CC);
if (cc != null) {
boolean cf = true;
out.print("CC: ");
for (int i = 0; i < cc.length; i++) {
out.print(((cf) ? " " : ", ") + getDisplayAddress(cc[i]));
 cf = false;
out.println(" ");
 out.print("Subject: " +
 ((msg.getSubject() !=null) ? msg.getSubject() : "") +
 " ");
} catch (MessagingException mex) {
 out.println(msg.toString());
* This method displays the URL's for the available commands and the
* INBOX headerlist
private void displayHeaders(MailUserData mud,
 HttpServletRequest req,
ServletOutputStream out)
 throws IOException {
SimpleDateFormat df = new SimpleDateFormat("EE M/d/yy");
out.println("<html>");
out.println("<HEAD><TITLE>JavaMail Servlet</TITLE></HEAD>");
 out.println("<BODY bgcolor=\"#ccccff\"><hr>");
 out.print("<center>");
 out.println("Folder " + mud.getStore().getURLName() +
 "/INBOX</center>");
 // URL's for the commands that are available
 out.println("");
out.println("<a href=\"" +
 HttpUtils.getRequestURL(req) +
 "?logout=true\">Logout</a>");
out.println("<a href=\"" +
 HttpUtils.getRequestURL(req) +
 "?compose=true\" target=\"compose\">Compose</a>");
 out.println("");
 out.println("<hr>");
 // List headers in a table
out.print("<table cellpadding=1 cellspacing=1 "); // table
 out.println("width=\"100%\" border=1>"); // settings
 // sender column header
 out.println("<tr><td width=\"25%\" bgcolor=\"ffffcc\">");
 out.println("");
 out.println("Sender</td>");
 // date column header
 out.println("<td width=\"15%\" bgcolor=\"ffffcc\">");
 out.println("");
 out.println("Date</td>");
 // subject column header
 out.println("<td bgcolor=\"ffffcc\">");
 out.println("");
 out.println("Subject</td></tr>");
 try {
 Folder f = mud.getFolder();
 int msgCount = f.getMessageCount();
 Message m = null;
 // for each message, show its headers
 for (int i = 1; i <= msgCount; i++) {
m = f.getMessage(i);
 // if message has the DELETED flag set, don't display it
 if (m.isSet(Flags.Flag.DELETED))
 continue;
 // from
out.println("<tr valigh=middle>");
out.print("<td width=\"25%\" bgcolor=\"ffffff\">");
 out.println("" +
 ((m.getFrom() != null) ?
 m.getFrom()[0].toString() :
 "" ) +
 "</td>");
 // date
out.print("<td nowrap width=\"15%\" bgcolor=\"ffffff\">");
 out.println("" +
df.format((m.getSentDate()!=null) ?
 m.getSentDate() : m.getReceivedDate()) +
 "</td>");
 // subject & link
out.print("<td bgcolor=\"ffffff\">");
 out.println("" +
 "<a href=\"" +
 HttpUtils.getRequestURL(req) +
"?message=" +
i + "\">" +
((m.getSubject() != null) ?
 m.getSubject() :
 "No Subject") +
"</a>" +
"</td>");
out.println("</tr>");
 } catch (MessagingException mex) {
 out.println("<tr><td>" + mex.toString() + "</td></tr>");
 mex.printStackTrace();
 out.println("</table>");
 out.println("</BODY></html>");
 out.flush();
 out.close();
* This method handles the request when the user hits the
* Compose link. It send the compose form to the browser.
private void compose(MailUserData mud, HttpServletResponse res,
 ServletOutputStream out)
 throws IOException {
 res.setContentType("text/html");
 out.println(composeForm);
 out.close();
* This method processes the send request from the compose form
private void send(HttpServletRequest req, HttpServletResponse res,
 ServletOutputStream out, HttpSession ssn)
 throws IOException {
String to = req.getParameter("to");
 String cc = req.getParameter("cc");
 String subj = req.getParameter("subject");
 String text = req.getParameter("text");
 try {
 MailUserData mud = getMUD(ssn);
 if (mud == null)
 throw new Exception("trying to send, but not logged in");
 Message msg = new MimeMessage(mud.getSession());
 InternetAddress[] toAddrs = null, ccAddrs = null;
 if (to != null) {
 toAddrs = InternetAddress.parse(to, false);
 msg.setRecipients(Message.RecipientType.TO, toAddrs);
 } else
 throw new MessagingException("No \"To\" address specified");
 if (cc != null) {
 ccAddrs = InternetAddress.parse(cc, false);
 msg.setRecipients(Message.RecipientType.CC, ccAddrs);
 if (subj != null)
 msg.setSubject(subj);
 URLName u = mud.getURLName();
 msg.setFrom(new InternetAddress(u.getUsername() + "@" +
 u.getHost()));
 if (text != null)
 msg.setText(text);
 Transport.send(msg);
 out.println("<h1>Message sent successfully</h1></body></html>");
 out.close();
 } catch (Exception mex) {
 out.println("<h1>Error sending message.</h1>");
 out.println(mex.toString());
 out.println(" </body></html>");
// utility method; returns a string suitable for msg header display
private String getDisplayAddress(Address a) {
String pers = null;
String addr = null;
if (a instanceof InternetAddress &&
((pers = ((InternetAddress)a).getPersonal()) != null)) {
 addr = pers + " "+"<"+((InternetAddress)a).getAddress()+">";
} else
addr = a.toString();
return addr;
// utility method; retrieve the MailUserData
// from the HttpSession and return it
private MailUserData getMUD(HttpSession ses) throws IOException {
 MailUserData mud = null;
 if (ses == null) {
 return null;
 } else {
 if ((mud = (MailUserData)ses.getValue("javamailservlet")) == null){
 return null;
 return mud;
public String getServletInfo() {
return "A mail reader servlet";
* This is the HTML code for the compose form. Another option would
* have been to use a separate html page.
private static String composeForm = "<HTML><HEAD><TITLE>JavaMail Compose</TITLE></HEAD><BODY BGCOLOR=\"#CCCCFF\"><FORM ACTION=\"/servlet/JavaMailServlet\" METHOD=\"POST\"><input type=\"hidden\" name=\"send\" value=\"send\">JavaMail Compose Message<TABLE BORDER=\"0\" WIDTH=\"100%\"><TR><TD WIDTH=\"16%\" HEIGHT=\"22\"> To:</TD><TD WIDTH=\"84%\" HEIGHT=\"22\"><INPUT TYPE=\"TEXT\" NAME=\"to\" SIZE=\"30\"> (separate addresses with commas)</TD></TR><TR><TD WIDTH=\"16%\">CC:</TD><TD WIDTH=\"84%\"><INPUT TYPE=\"TEXT\" NAME=\"cc\" SIZE=\"30\"> (separate addresses with commas)</TD></TR><TR><TD WIDTH=\"16%\">Subject:</TD><TD WIDTH=\"84%\"><INPUT TYPE=\"TEXT\" NAME=\"subject\" SIZE=\"55\"></TD></TR><TR><TD WIDTH=\"16%\"> </TD><TD WIDTH=\"84%\"><TEXTAREA NAME=\"text\" ROWS=\"15\" COLS=\"53\"></TEXTAREA></TD></TR><TR><TD WIDTH=\"16%\" HEIGHT=\"32\"> </TD><TD WIDTH=\"84%\" HEIGHT=\"32\"><INPUT TYPE=\"SUBMIT\" NAME=\"Send\" VALUE=\"Send\"><INPUT TYPE=\"RESET\" NAME=\"Reset\" VALUE=\"Reset\"></TD></TR></TABLE></FORM></BODY></HTML>";
* This class is used to store session data for each user's session. It
* is stored in the HttpSession.
class MailUserData {
URLName url;
Session session;
Store store;
Folder folder;
public MailUserData(URLName urlname) {
 url = urlname;
public URLName getURLName() {
 return url;
public Session getSession() {
 return session;
public void setSession(Session s) {
 session = s;
public Store getStore() {
 return store;
public void setStore(Store s) {
 store = s;
public Folder getFolder() {
 return folder;
public void setFolder(Folder f) {
 folder = f;

You posted a thousand lines of badly-formatted code and didn't have the sense to say which one had the exception.
My guess is that it was this one:Session session = Session.getDefaultInstance(props, null);because that happened to me. I fixed it by calling getInstance instead of getDefaultInstance.
However if that isn't the problem, how about spending a few seconds to post a less useless question?

How to get Java source in applet stack trace to debug Java security manager

How can I get line numbers for Java source in stack traces for my applet? I'm having a problem with my code-signing certificate. On one of my applets, I consistently get a NullPointerException inside the security dialog code in the JDK. As a result, either the "trust this applet" dialog never appears, or even though it appears, it defaults to untrusted because of the exception, so I can't access any local files (and that's a bit of a problem for an applet whose sole purpose is to upload files to our server). I unzipped src.zip in my JDK directory and set the debug flag for my Ant <javac> task as well as set debuglevel to "lines." Anything else? Here's the trace that I'm getting so far. See that after the NullPointerException it assumes that the user has denied permission. If I could read this Java source maybe I could figure out why it hates my code-signing certificate (jarsigner, BTW, never complains when I verify my jar).
security: Blacklist file not found or revocation check is disabled
security: Accessing keys and certificate in Mozilla user profile: null
security: Loading Root CA certificates from D:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loaded Root CA certificates from D:\Program Files (x86)\Java\jre6\lib\security\cacerts
security: Loading Deployment certificates from C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
security: Loaded Deployment certificates from C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Validate the certificate chain using CertPath API
security: Obtain certificate collection in Root CA certificate store
security: Obtain certificate collection in Root CA certificate store
security: Start to check whether root CA is replaced
security: The root CA has been replaced
security: No timestamping info available
security: Found jurisdiction list file
security: Start checking trusted extension for this certificate
security: Start comparing to jurisdiction list with this certificate
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment permanent certificate store
security: Checking if certificate is in Deployment session certificate store
java.lang.NullPointerException
 at com.sun.deploy.ui.UIFactory.showSecurityDialog(Unknown Source)
 at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
 at com.sun.deploy.security.X509Util.showSecurityDialog(Unknown Source)
 at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
 at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
 at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
 at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
 at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
 at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
 at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$700(Unknown Source)
 at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
 at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
 at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
 at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
 at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
 at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
 at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
 at java.lang.ClassLoader.loadClass(Unknown Source)
 at java.lang.ClassLoader.loadClass(Unknown Source)
 at java.lang.ClassLoader.loadClass(Unknown Source)
 at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
 at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
 at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
security: User has denied the priviledges to the code
security: Adding certificate in Deployment denied certificate store
security: Added certificate in Deployment denied certificate store
security: Loading certificates from Deployment session certificate store
security: Loaded certificates from Deployment session certificate store
security: Validate the certificate chain using CertPath API
security: Obtain certificate collection in Root CA certificate store
security: Obtain certificate collection in Root CA certificate store
security: Start to check whether root CA is replaced
security: The root CA has been replaced
security: No timestamping info available
security: Found jurisdiction list file
security: Start checking trusted extension for this certificate
security: Start comparing to jurisdiction list with this certificate
security: The CRL support is disabled
security: The OCSP support is disabled
security: This OCSP End Entity validation is disabled
security: Checking if certificate is in Deployment denied certificate store
security: Checking if certificate is in Deployment denied certificate store

Rats, now that I look at the stack trace and compare to what's in the JDK srce.zip, it appears that most of this code is not part of the JDK source. I don't see any com/sun/deploy, etc.

Having Trouble with Java Cryptography Extension (JCE)

Hi, this is my first attempt at using the JCE. I'm using JCE 1.2.1
and basically all I'm trying to do at this point is encrypt a
FileInputStream object using the DES standard, with the JCE
classes. Here is my code Fragment.
protected FileOutputStream encriptFile(FileInputStream baseFile,
File encFileName) throws IOException
try
// Create the output file for the encrypted document
FileOutputStream encriptedFile = new FileOutputStream
(encFileName);
// Must register the provider that implements the algorithm
Provider sunJce = new com.sun.crypto.provider.SunJCE();
Security.addProvider(sunJce);
char[] pbeKeyData = password.toCharArray();
PBEKeySpec pbeKeySpec = new PBEKeySpec(pbeKeyData);
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance
("DES");
SecretKey pbeKey = keyFactory.generateSecret(pbeKeySpec);
Cipher pbe = Cipher.getInstance("DES"); // Same as above.
pbe.init(Cipher.ENCRYPT_MODE, pbeKey);
CipherOutputStream cout = new CipherOutputStream
(encriptedFile, pbe);
// Use a byte array to write the file output in blocks of 64
bytes.
byte[] buffer = new byte[64];
while (true)
int bytesRead = -1;
bytesRead = baseFile.read(buffer);
if (bytesRead == -1) break;
cout.write(buffer, 0, bytesRead);
cout.flush();
cout.close();
baseFile.close(); // Close the input file.
catch (java.security.NoSuchAlgorithmException nsA)
System.err.println(nsA);
nsA.printStackTrace();
catch (java.lang.ExceptionInInitializerError eIIE)
System.err.println(eIIE);
eIIE.printStackTrace();
catch (Exception e)
System.err.println(e);
e.printStackTrace();
My problem arises with the line "SecretKeyFactory keyFactory =
SecretKeyFactory.getInstance("DES");" This line throws an
ExceptionInInitializerError and the catch block tells me this
java.lang.ExceptionInInitializerError
java.lang.ExceptionInInitializerError: java.lang.SecurityException:
Cannot set up certs for trusted CAs
(The rst of the stackCall here)...
From what I've read in the documentation, I need to have a provider
set up that handles the SecretKeyFactory and encryption algorithms,
but the documentation also says that the SunJCE provider that I set
up near the start of my method should have been able to handle this.
Is there anyone out there with expeience doing this kind of thing
that can help.
Thanks,
Dan

Please check out the following:
1. Be sure that the jar file will be viewable from classpath and that the provider you want to use will be in java.security file.
2. In the java.security file you should have something like this:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.crypto.provider.SunJCE
3. If you wish, you can test your program with another JCE implementation, like cryptix.
You can download the api and documentation of cryptix at http://www.cryptix.org/products/index.html
I wish this can be useful to you!!!
Thank you for some duke dollars.

Java Security Manager in Multi-threaded application

I am writing a multi-threaded application listening (TCP and UDP) to several ports. To help implement certain security features (eg. refusing connections from certain ip address), I'm using the java.lang.SecurityManager (by subclassing it). I am having a few problems and queries and am hoping someone here can help me.
1. As all the threads are calling the checkAccept(host, port) method. Is there a way to know which thread is currently accessing the security manager? For example if host A were to make 2 connections to the application, one to thread 1 (say listening to port 5001) and the other to to thread 2 (say listening to port 5002). I intend to refuse the connection to thread 2 but there is not way of differentiating the 2 connections since they are from the same host and there isnt any way of knowing their port number.
2. Are calls to the Security Manager thread safe?
I have been having this problem for a long time, would appreciate if someone can help point me to the right direction. cheers.

1. As all the threads are calling the
checkAccept(host, port) method. Is there a way to
know which thread is currently accessing the security
manager?Just use Thread.currentThread(). As specified in the Javadoc for e.g. SecurityManager.checkAccept().
2. Are calls to the Security Manager thread safe? No.

Cannot start OC4J instance after specifying default java.security.manager

Hi All,
I am using OracleiAS 10.1.3.4 and trying to make use of the new User and Role APIs introduced in 10.1.3.1.
While trying to get an object of IdentityStore using the following code, I got this error -
java.security.PrivilegedActionException: oracle.security.idm.ConfigurationException: java.security.AccessControlException: access denied (oracle.security.jazn.JAZNPermission getOC4JIntegrationData)
oidFactory = (IdentityStoreFactory) AccessController.doPrivileged(
new PrivilegedExceptionAction()
public Object run() throws IMException
IdentityStoreFactoryBuilder builder =
new IdentityStoreFactoryBuilder();
return builder.getIdentityStoreFactory();
I then tried specifying the default security manager in start JAVA options for my oc4j instance - Djava.security.manager. I also verified that my java policy file is present under $ORACLE_HOME/j2ee/oc4j_soa/config/java2.policy. But the issue is - once I put this default secirity manager in startup options in opmn.xml, the oc4j instance does not get started, it gives following error -
08/12/30 02:58:22 Start process
Dec 30, 2008 2:58:24 AM com.evermind.server.XMLDataSourcesConfig parseRootNode
INFO: Legacy datasource detected...attempting to convert to new syntax.
08/12/30 02:58:29 WARNING: Application.setConfig Application: default is in failed state as initialization failed.
java.lang.ExceptionInInitializerError
08/12/30 02:58:29 Error initializing server: Application: default is in failed state as initialization failed
08/12/30 02:58:32 Fatal error: server exiting
Any idea ? Any pointers please ?
Thanks,
Ankit

Ankit,
Check your syntax for the datasource. If you migrated from file-based to OID, then you should look at this link:
http://download.oracle.com/docs/cd/E12524_01/relnotes.1013/e12523/oc4j.htmThere is a known issue when migrating from file-based to OIM\OID. Navigate to:
12.2 JAZNMigration Tool Does Not Migrate ADFPrincipal Type Correctly
-Michael

Trouble with photoshop(cs4) manages colours

Hello there. I have callibrated my printer, and have callibrated my monitor monthly over the three months since I purchased my Color Munki. I have set up a printer profile that I want to use. I have CS4 and using a "two up view" for soft- proofing, the copy to be printed (on screen) was at first rather dull with a green cast and with blacks greyed off compared to the master copy and very difficult to match the master even closely. The prints were passable after a lot of fiddling but not as good as I had hoped even compared to prints I produced before I used my own printer- paper profile .. However recently the prints have got even worse. They are really, really dark when printed even though they dont look so on screen.They also still have the colour cast etc. I have been selecting "no color management' in the printer dialogue along with the printer- paper profile. I have had to resort to using "Printer manages colour" and a generic printer paper profile again as I used to do. I am getting far better prints with good colour matches this way so it would seem that there is nothing wrong with the printer. I have concluded that it must be a problem with the colour management in my CS4 Photoshop. I have an Epson Stylus photo 1410 printer, a Dell flat screen U2410 monitor and a nikon D90 camera. I feel so disappointed after forking out for the Color Munki etc hoping to get really top class prints. .I would really appreciate some advice.

You have to make sure you have configured everything to work together - i.e., to make the printer driver expect that Photoshop is going to do the color transform.
However, there were some posts last year implying people with Epson printers were seeing "double profiling" - meaning somehow two color transforms were being invoked, and they couldn't turn the behavior off. I think at least some people just broke down and bought new printers, as Epson apparently would not fix the drivers to work properly with Photoshop CS5.
I don't know whether yours might fall under the same issue, but you could double check with Epson.com and see if there have been any newer drivers released for your model.
-Noel

Problem with Advanced Security Manager

Hi
I am using the advanced security manager to migrate security from Essbase 7 server to Essbase 11 server. The users who are externally authenticated on essbase 7 server are under native security mode on the Essbase 11 server after security import.Does the Advanced security manager put all the users (whether they are externally authenticated or under native security mode) in native security mode after import?
Please help

Hello 831221
In version 11 "native" means that the users are stored in OpenLDAP (once Essbase was externalized).
You would only be able to create "external" users if the Shared Services have been connected to an external User Source (e.g. MSAD) prior to
importing the users.
best regards
.T

Trouble with my secure network

Hello, just got my new Ipod touch today, it is the latest generation(32GB) and I'm having a **** of a time connecting to our houses secure wireless network.
No matter how many times I input the password, I always get a denial, saying that it could not connect to the network ,now, I am using a D-link wireless router, and I have tried turning off the security all-together(which worked), but as soon as I turned it back on it kicked me from the network, and I couldnt log-in again.
The damndest thing is that not one day ago, my brother got a ipod touch himself(it came as a free gift with a macbook pro purchased by my father), it is a 16GB from the previous generation of Ipod touches, but it works just fine with our secure Wi-fi, but mine wont for whatever reason.

The only security I haven't tried yet is WEP, and thats just because it changes the password to something I don't know.
I actually just got off the phone with a "product expert" who said that this is a widespread firmware issue and that they were working on making a downloadable fix. Honestly I'm not sure if he is to be believed or not, but judging from all the posts I found using google, I certainly believe the bit about it being wide-spread issue.
By the way LE, do you have the first generation of Ipod touch? Just curious seeing as how my brother's similarly had no problems connecting.

Trouble with Content Security Policy (CSP)

In the latest Firefox 33 there seem to be an issue with Content Security Policy (CSP) and how it handles url that are url encoded.
For instance when some CSP directive is set to like https://mywebsite.com/application/do;jsessiond=1234 - it will get URL encoded so the ; gets replaced by %3B.
In Firefox 32 and earlier this worked, but not in this new solution.

It may be that it needs a header application/x-www-form-urlencoded is this included in your url request as well as charset UTF-8?
If you select a different encoding via web dev [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI]
This sounds like what it did before? [http://www.justarrangingbits.org/firefox-magic-decoding-address-bar/index.html]

PDK-Java Security manager: controlling portlet appearance in portlet list

Hi,
The Understanding PDK-Java Portlet Security article says: "Portlet security is handled at two main points in Oracle9iAS Portal. It is used when a user view the list of portlets available from a provider. It is also used when rendering the portlet on a portal page."
I don't see how a portlet can control its appearance in the list of available portlets. Is the article inaccurate, or am I overlooking something?
Thanks,
Peter

The article is correct.
Before showing a portlet in the portlet repository, the provider is contacted by the portal to determine if the current user should be able to see the portlet. This is the isRunnable call.
In release 3.0.9, a feature was added allowing a provider to instruct the portal to cache the results of this call. There are 2 portlet properties associated with this feature:
<portlet>
<callIsRunnable>true/false</callIsRunnable>
<callGetPortlet>true/false</callGetPortlet>
</portlet>
The second property affects whether a call to get a portlet's metadata is made before displaying it in the portlet repository.

Trouble with java security manager

Similar Messages

Maybe you are looking for