1 2 Previous Next 16 Replies Latest reply on Nov 28, 2007 10:32 AM by jay.howell

    AccessControlException

    colomb

      We are currently evaluating JBoss Messaging and are having some issues with our web start applications. We've given the app complete access to the machine using the <all-securities> option but they still generate an AccessControlException every time they try and access the jboss.messaging.callback.bind.port property. Running these apps locally without using web start works fine. Anyone encounter this? Here is the exception:

      Caused by: java.lang.ExceptionInInitializerError
       at org.jboss.jms.client.remoting.JMSRemotingConnection.start(JMSRemotingConnection.java:96)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.invoke(ClientConnectionFactoryDelegate.java:159)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.java)
       at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCreationAspect.java:81)
       at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect0.invoke(StateCreationAspect0.java)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.java)
       at org.jboss.jms.client.container.ExceptionInterceptor.invoke(ExceptionInterceptor.java:69)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.java)
       at org.jboss.jms.client.container.ClientLogInterceptor.invoke(ClientLogInterceptor.java:107)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_N6840474864420126404.java)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(ClientConnectionFactoryDelegate.java)
       at org.jboss.jms.client.JBossConnectionFactory.createConnectionInternal(JBossConnectionFactory.java:202)
       at org.jboss.jms.client.JBossConnectionFactory.createQueueConnection(JBossConnectionFactory.java:108)
       at org.jboss.jms.client.JBossConnectionFactory.createQueueConnection(JBossConnectionFactory.java:103)
       at com.css.util.jms.jboss.JBossQueueFactoryImpl.connectQueues(JBossQueueFactoryImpl.java:31)
       at com.css.util.jms.JMSFactory.connectQueues(JMSFactory.java:45)
       ... 11 more
      Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission jboss.messaging.callback.bind.port read)
       at java.security.AccessControlContext.checkPermission(Unknown Source)
       at java.security.AccessController.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPermission(Unknown Source)
       at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
       at java.lang.System.getProperty(Unknown Source)
       at org.jboss.jms.client.remoting.CallbackServerFactory.getPort(CallbackServerFactory.java:72)
       at org.jboss.jms.client.remoting.CallbackServerFactory.<clinit>(CallbackServerFactory.java:68)
      


        • 1. Re: AccessControlException
          colomb

          After further investigation, adding

          grant {
           permission java.security.AllPermission;
          };


          to the client machine's javaws.policy file allowed the property lookup. Unfortunately, this isn't a viable solution for us. What also confuses me is that the jnlp file for the web start application should grant full access to all jars. Can anyone think of why this isn't working for the jboss-messaging-client.jar? thank you.

          • 2. Re: AccessControlException
            timfox

            I'm not sure which version you are looking at but the socket transport, which is the default in 1.0.x, requires tcp connections to be made back to the client, making it unsuitable for clients running in some kind of sandbox, e.g. jnlp or applets, where the security policy will typically not allow this.

            1.2 will introduce a bisocket transport which doesn't require connections to be made back to the client. The bisocket is not available in 1.0.x

            • 3. Re: AccessControlException
              colomb

               

              "timfox" wrote:
              I'm not sure which version you are looking at but the socket transport, which is the default in 1.0.x, requires tcp connections to be made back to the client, making it unsuitable for clients running in some kind of sandbox, e.g. jnlp or applets, where the security policy will typically not allow this.

              1.2 will introduce a bisocket transport which doesn't require connections to be made back to the client. The bisocket is not available in 1.0.x


              Tim,

              Thanks for the reply. I'm not sure thats the problem as the jnlp grants jars full access. Furthermore the exception isn't generated on the socket creation, but on accessing the system property. I could be missing something though.

              • 4. Re: AccessControlException
                timfox

                Actually this looks like a bug to me.

                JBM shouldn't be assuming it can look up System properties on the client side.

                I have posted a bug report:

                http://jira.jboss.com/jira/browse/JBMESSAGING-806

                This should be an easy fix, and should be in SP4.

                • 5. Re: AccessControlException
                  colomb

                  Thank you. Look forward to testing it out.

                  • 6. Re: AccessControlException
                    colomb

                    Upgraded to v 1.2.0CR1 and now I'm presented with a different AccessControlException

                    Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
                     at java.security.AccessControlContext.checkPermission(Unknown Source)
                     at java.security.AccessController.checkPermission(Unknown Source)
                     at java.lang.SecurityManager.checkPermission(Unknown Source)
                     at java.lang.SecurityManager.checkCreateClassLoader(Unknown Source)
                     at java.lang.ClassLoader.<init>(Unknown Source)
                     at org.jboss.remoting.loading.ClassByteClassLoader.<init>(ClassByteClassLoader.java:62)
                     at org.jboss.remoting.AbstractInvoker.<init>(AbstractInvoker.java:76)
                     at org.jboss.remoting.MicroRemoteClientInvoker.<init>(MicroRemoteClientInvoker.java:52)
                     at org.jboss.remoting.RemoteClientInvoker.<init>(RemoteClientInvoker.java:45)
                     at org.jboss.remoting.transport.socket.MicroSocketClientInvoker.<init>(MicroSocketClientInvoker.java:215)
                     at org.jboss.remoting.transport.socket.SocketClientInvoker.<init>(SocketClientInvoker.java:71)
                     at org.jboss.remoting.transport.bisocket.BisocketClientInvoker.<init>(BisocketClientInvoker.java:134)
                     at org.jboss.remoting.transport.bisocket.TransportClientFactory.createClientInvoker(TransportClientFactory.java:44)
                    


                    Setting AllPermissions fixes the issue of course. I was under the impression the bisocket would fix this issue? Any ideas?

                    • 7. Re: AccessControlException
                      colomb

                      Now upgraded to v1.2.0GA and we are still receiving an AccessControlException. I checked and the messaging-service.xml is configured to use the bisocket. Any help would be greatly appreciated.

                      java.security.AccessControlException: access denied (java.net.SocketPermission 10.100.1.40:514 connect,resolve)
                       at java.security.AccessControlContext.checkPermission(Unknown Source)
                       at java.security.AccessController.checkPermission(Unknown Source)
                       at java.lang.SecurityManager.checkPermission(Unknown Source)
                       at java.lang.SecurityManager.checkConnect(Unknown Source)
                       at java.net.DatagramSocket.send(Unknown Source)
                       at org.apache.log4j.helpers.SyslogWriter.write(SyslogWriter.java:69)
                       at org.apache.log4j.helpers.QuietWriter.write(QuietWriter.java:39)
                       at org.apache.log4j.helpers.SyslogQuietWriter.write(SyslogQuietWriter.java:45)
                       at org.apache.log4j.net.SyslogAppender.append(SyslogAppender.java:245)
                       at org.apache.log4j.AppenderSkeleton.doAppend(AppenderSkeleton.java:221)
                       at org.apache.log4j.helpers.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:57)
                       at org.apache.log4j.Category.callAppenders(Category.java:187)
                       at org.apache.log4j.Category.forcedLog(Category.java:372)
                       at org.apache.log4j.Category.log(Category.java:864)
                       at org.jboss.logging.log4j.Log4jLoggerPlugin.error(Log4jLoggerPlugin.java:222)
                       at org.jboss.logging.Logger.error(Logger.java:279)
                       at org.jboss.jms.client.delegate.DelegateSupport.handleThrowable(DelegateSupport.java:224)
                       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delegate$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(ClientConnectionFactoryDelegate.java:179)
                       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.java)
                       at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCreationAspect.java:83)
                       at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect0.invoke(StateCreationAspect0.java)
                       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.java)
                       at org.jboss.jms.client.container.ExceptionInterceptor.invoke(ExceptionInterceptor.java:71)
                       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.java)
                       at org.jboss.jms.client.container.ClientLogInterceptor.invoke(ClientLogInterceptor.java:107)
                       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_4579211046834694258.java)
                       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(ClientConnectionFactoryDelegate.java)
                       at org.jboss.jms.client.JBossConnectionFactory.createConnectionInternal(JBossConnectionFactory.java:212)
                       at org.jboss.jms.client.JBossConnectionFactory.createQueueConnection(JBossConnectionFactory.java:102)
                       at org.jboss.jms.client.JBossConnectionFactory.createQueueConnection(JBossConnectionFactory.java:96)
                       at com.css.util.jms.jboss.JBossQueueFactoryImpl.connectQueues(JBossQueueFactoryImpl.java:31)
                       at com.css.util.jms.CssJmsFactory.connectQueues(CssJmsFactory.java:52)
                       at com.css.graphs.messages.client.ApplicationMessageClient.<init>(ApplicationMessageClient.java:34)
                       at com.css.graphs.bonds.ApplicationMessageHandler.<init>(ApplicationMessageHandler.java:23)
                       at com.css.graphs.bonds.Bond.<init>(Bond.java:152)
                       at com.css.graphs.bonds.Bond.main(Bond.java:576)
                       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                       at java.lang.reflect.Method.invoke(Unknown Source)
                       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
                       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
                       at com.sun.javaws.Launcher.continueLaunch(Unknown Source)
                       at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
                       at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
                       at com.sun.javaws.Launcher.run(Unknown Source)
                       at java.lang.Thread.run(Unknown Source)
                      


                      • 8. Re: AccessControlException
                        genman

                        Looks like something related to your Log4J configuration accessing a socket via the Syslog appender. Perhaps you can remove this appender from your log4j configuration?

                        • 9. Re: AccessControlException
                          colomb

                          Removing the logger leaves me pretty much in the same spot:

                          Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
                           at java.security.AccessControlContext.checkPermission(Unknown Source)
                           at java.security.AccessController.checkPermission(Unknown Source)
                           at java.lang.SecurityManager.checkPermission(Unknown Source)
                           at java.lang.SecurityManager.checkCreateClassLoader(Unknown Source)
                           at java.lang.ClassLoader.<init>(Unknown Source)
                           at org.jboss.remoting.loading.ClassByteClassLoader.<init>(ClassByteClassLoader.java:62)
                           at org.jboss.remoting.AbstractInvoker.<init>(AbstractInvoker.java:76)
                           at org.jboss.remoting.MicroRemoteClientInvoker.<init>(MicroRemoteClientInvoker.java:52)
                           at org.jboss.remoting.RemoteClientInvoker.<init>(RemoteClientInvoker.java:45)
                           at org.jboss.remoting.transport.socket.MicroSocketClientInvoker.<init>(MicroSocketClientInvoker.java:217)
                           at org.jboss.remoting.transport.socket.SocketClientInvoker.<init>(SocketClientInvoker.java:72)
                           at org.jboss.remoting.transport.bisocket.BisocketClientInvoker.<init>(BisocketClientInvoker.java:133)
                           at org.jboss.remoting.transport.bisocket.TransportClientFactory.createClientInvoker(TransportClientFactory.java:44)
                          


                          Is anyone using queues for communication between webstart applications? I can't imagine we are the only ones doing this. Any help would be appreciated.

                          • 10. Re: AccessControlException
                            timfox

                            Looks like JBoss Remoting is trying to create a classloader and your security policy is not allowing it.

                            You should ask on the JBoss Remoting forum.

                            • 11. Re: AccessControlException

                              Hi Guys,

                              did anyone ever find a solution for this issue ?

                              we are having the same -- our client App runs via webstart and connects to a Queue on the server at startup.

                              up until now we have been using JBoss MQ - but we are now in the process of trying to migrate to JBoss Messaging - and this issue is causing us a bit of a problem.

                              We have tried JBoss 4.2.0.GA, 4.2.1.GA, 4.2.2.GA, JBM 1.4.0.GA, JBM 1.4.0.SP1, JBoss Remoting 2.2.2.SP1 and JBoss Remoting 2.2.2.SP2 - all of which give us the same problem.

                              as a reminder -- here's the exception :

                              org.jboss.jms.exception.MessagingJMSException: Failed to invoke
                               at org.jboss.jms.client.delegate.DelegateSupport.handleThrowable(DelegateSupport.java:269)
                               at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delegate$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(ClientConnectionFactoryDelegate.java:187)
                               at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.java)
                               at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCreationAspect.java:83)
                               at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect0.invoke(StateCreationAspect0.java)
                               at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.invokeNext(ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.java)
                               at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(ClientConnectionFactoryDelegate.java)
                               at org.jboss.jms.client.JBossConnectionFactory.createConnectionInternal(JBossConnectionFactory.java:205)
                               at org.jboss.jms.client.JBossConnectionFactory.createQueueConnection(JBossConnectionFactory.java:101)
                               at org.jboss.jms.client.JBossConnectionFactory.createQueueConnection(JBossConnectionFactory.java:95)
                               at com.actual_systems.p2.client.support.activedata.DefClientADM.setupJMS(DefClientADM.java:1354)
                               at com.actual_systems.p2.client.support.activedata.DefClientADM.<init>(DefClientADM.java:324)
                               at com.actual_systems.p2.client.support.activedata.DefClientADM.getInstance(DefClientADM.java:309)
                               at com.actual_systems.p2.client.support.preference.ClientPreferenceSource.<init>(ClientPreferenceSource.java:88)
                               at com.actual_systems.p2.client.support.ClientPreferenceManager.<init>(ClientPreferenceManager.java:234)
                               at com.actual_systems.p2.client.support.ClientPreferenceManager.getInstance(ClientPreferenceManager.java:245)
                               at com.actual_systems.p2.client.startup.StartPPClient.initCPM(StartPPClient.java:560)
                               at com.actual_systems.p2.client.startup.StartPPClient.initApplication(StartPPClient.java:377)
                               at com.actual_systems.p2.client.startup.StartPPClient.main(StartPPClient.java:772)
                               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                               at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                               at java.lang.reflect.Method.invoke(Unknown Source)
                               at com.sun.javaws.Launcher.executeApplication(Unknown Source)
                               at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
                               at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
                               at com.sun.javaws.Launcher.run(Unknown Source)
                               at java.lang.Thread.run(Unknown Source)
                              Caused by: java.lang.reflect.InvocationTargetException
                               at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                               at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                               at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                               at java.lang.reflect.Method.invoke(Unknown Source)
                               at org.jboss.remoting.InvokerRegistry.loadServerInvoker(InvokerRegistry.java:438)
                               at org.jboss.remoting.InvokerRegistry.createServerInvoker(InvokerRegistry.java:525)
                               at org.jboss.remoting.transport.Connector.init(Connector.java:396)
                               at org.jboss.remoting.transport.Connector.create(Connector.java:782)
                               at org.jboss.remoting.transport.Connector.start(Connector.java:301)
                               at org.jboss.remoting.Client.addListener(Client.java:918)
                               at org.jboss.jms.client.remoting.JMSRemotingConnection.addInvokerCallbackHandler(JMSRemotingConnection.java:237)
                               at org.jboss.jms.client.remoting.JMSRemotingConnection.start(JMSRemotingConnection.java:312)
                               at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delegate$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(ClientConnectionFactoryDelegate.java:154)
                               ... 26 more
                              Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)
                               at java.security.AccessControlContext.checkPermission(Unknown Source)
                               at java.security.AccessController.checkPermission(Unknown Source)
                               at java.lang.SecurityManager.checkPermission(Unknown Source)
                               at java.lang.SecurityManager.checkCreateClassLoader(Unknown Source)
                               at java.lang.ClassLoader.<init>(Unknown Source)
                               at org.jboss.remoting.loading.ClassByteClassLoader.<init>(ClassByteClassLoader.java:62)
                               at org.jboss.remoting.AbstractInvoker.<init>(AbstractInvoker.java:76)
                               at org.jboss.remoting.ServerInvoker.<init>(ServerInvoker.java:267)
                               at org.jboss.remoting.transport.socket.SocketServerInvoker.<init>(SocketServerInvoker.java:106)
                               at org.jboss.remoting.transport.bisocket.BisocketServerInvoker.<init>(BisocketServerInvoker.java:105)
                               at org.jboss.remoting.transport.bisocket.TransportServerFactory.createServerInvoker(TransportServerFactory.java:21)
                               ... 39 more
                              


                              can anyone help ?



                              • 12. Re: AccessControlException
                                timfox

                                It's my understanding that webstart runs in a restricted security environment.

                                Unfortunately JBoss remoting creates ClassLoaders - if that's prohibited by your security policy then it's not going to work.

                                • 13. Re: AccessControlException

                                  Hi Tim,

                                  our .jnlp file specifies


                                  <all-permissions>


                                  which I believe allows us to do most anything..

                                  certainly our app can make socket connections to the app server (for session bean calls - and to use JBoss MQ Queues),

                                  so I'm not sure why this shouldn't work using JBM ?

                                  • 14. Re: AccessControlException
                                    timfox

                                     

                                    "tpaterson" wrote:
                                    Hi Tim,

                                    our .jnlp file specifies

                                    <security>
                                    <all-permissions>
                                    </security>

                                    which I believe allows us to do most anything..

                                    certainly our app can make socket connections to the app server (for session bean calls - and to use JBoss MQ Queues),

                                    so I'm not sure why this shouldn't work using JBM ?



                                    It's JBR creating the classloader not jBM... I'll ask Ron to take a look. Btw I thought they already fixed this with Privileged blocks...

                                    1 2 Previous Next