getenv.* : Access denied (java.lang.RuntimePermission getenv.*) [SPR-6287]

[spring-projects-issues]

Sree Vaddi opened SPR-6287 and commented

I get the following error.
Upon investigation, I found that org.springframework.context-3.0.0.RC1.jar,
calls System.getProperties() and System.getenv() to initialize SYSTEM_PROPERTIES_BEAN_NAME & SYSTEM_ENVIRONMENT_BEAN_NAME. Both these calls raises exceptions on my server, due to our policies.

My company restricts me from entering a line in 'policy' file that has a wildcard, in this case getenv.*.

Is there a work around ?
Basically, custom building the mentioned jar without these two beans initialized ?

Any insite is highly appreciated!

Thanks in advance.
SreeV

[10/30/09 3:06:45:594 CDT] 00000016 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to InfoCenter for further information.

Permission:

getenv.* : Access denied (java.lang.RuntimePermission getenv.*)

Code:

org.springframework.context.support.AbstractApplic ationContext in {file:/opt/httpd/root/apps/wszng/ibm/ccix-dev-ear/wszngWeb.war/WEB-INF/lib/org.springframework.context-3.0.0.RC1.jar}

Stack Trace:

java.security.AccessControlException: Access denied (java.lang.RuntimePermission getenv.*)
at java.security.AccessController.checkPermission(Acc essController.java:108)
at java.lang.SecurityManager.checkPermission(Security Manager.java:558)
at com.ibm.ws.security.core.SecurityManager.checkPerm ission(SecurityManager.java:212)
at java.lang.System.getenv(System.java:632)
at org.springframework.context.support.AbstractApplic ationContext.prepareBeanFactory(AbstractApplicatio nContext.java:474)

---

Affects: 3.0 RC1

Reference URL: http://forum.springsource.org/showthread.php?t=79877

Issue Links:

• Spring Expression Language creates systemProperties bean calling System.getProperties() which in enterprise shared containers is locked down [SPR-6308] #10974 Spring Expression Language creates systemProperties bean calling System.getProperties() which in enterprise shared containers is locked down

[spring-projects-issues]

Arjen Poutsma commented

Already fixed, as part of #10974

[spring-projects-issues]

Sree Vaddi commented

Hi,

I verified my app with spring build 458.
I still see error in my server.log but my app loads up OK.

As suggested by Matt in http://jira.springframework.org/browse/SPR-6308

The only way, I could get rid of the exception is,
by dropping systemProperties and systemEnvironment beans.

Now, my app loads smoothly without any exceptions.

By the way, when is 3.0 RC2 release due ?

Thank you very much.

With Regards
Sree

[spring-projects-issues]

Arjen Poutsma commented

What's the error you see in your log?

[spring-projects-issues]

Sree Vaddi commented

Hi Arjen,

It is the same error, as in the 'Description'.
So, I followed Matt's suggestion to drop a blank 'systemProperties' and 'systemEnviroment' beans.
That took away the error, as the 'if' fails and loading of neither of these beans ever executes.

I wish I copy/paste from my server log. But my servers keeps logs of the last three deployments, only.
I made more than three deployments afterwards, trying to fix another Permissions error with ognl jar.
Do you mind suggesting a pointer to fix this new one ?
{
[11/12/09 20:05:46:310 CST] 00000024 SecurityManag W SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to InfoCenter for further information.

Permission:

invoke.com.mycompany.DecisionAction.nextScreenName : Access denied (ognl.OgnlInvokePermission invoke.mycompany.Action.nextScreenName)

Code:

ognl.OgnlRuntime  in  {file:/opt/httpd/root/apps/myapp/myAppWeb.war/WEB-INF/lib/ognl-2.7.3.jar}

Stack Trace:

java.security.AccessControlException: Access denied (ognl.OgnlInvokePermission invoke.com.mycompany.Action.nextScreenName)
at java.security.AccessController.checkPermission(AccessController.java:108)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:558)
at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:212)
at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:807)
at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1253)
at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:1329)
at ognl.ASTMethod.getValueBody(ASTMethod.java:90)
at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
at ognl.SimpleNode.getValue(SimpleNode.java:258)
at ognl.ASTChain.getValueBody(ASTChain.java:141)
at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
at ognl.SimpleNode.getValue(SimpleNode.java:258)
at ognl.Ognl.getValue(Ognl.java:494)
at org.springframework.binding.expression.ognl.OgnlExpression.getValue(OgnlExpression.java:85)
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at org.springframework.webflow.engine.ActionList.execute(ActionList.java:155)
at org.springframework.webflow.engine.State.enter(State.java:193)
at org.springframework.webflow.engine.Flow.start(Flow.java:535)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222)
at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
at org.springframework.webflow.mvc.servlet.FlowController.handleRequest(FlowController.java:174)
at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:771)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:716)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:647)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:563)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1143)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:591)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:481)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3453)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:815)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1466)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:119)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1473)

Code Base Location:

Thanking you.

With Regards
Sree

[spring-projects-issues]

Sree Vaddi commented

Please read the following line in my above comment as:
Permission:

invoke.com.mycompany.DecisionAction.nextScreenName : Access denied (ognl.OgnlInvokePermission invoke.mycompany.Action.nextScreenName)

Permission:

invoke.com.mycompany.Action.nextScreenName : Access denied (ognl.OgnlInvokePermission invoke.mycompany.Action.nextScreenName)

[spring-projects-issues]

Praveen commented

Hi,

Can you please share the solution for this exception.

java.security.AccessControlException: Access denied (ognl.OgnlInvokePermission invoke.com.mycompany.Action.nextScreenName)

Thanks,
Praveen

[spring-projects-issues]

Sree Vaddi commented

I checkedout OGNL source code.
Commented the code that does this check alone.
Re-build the jar.

This was back, Oct 2009.

I used spring framework & related, but never faced this issue, again.
I assume, it was fixed, as it says on this jira.

Thanking you.

With Regards
Sree