-Djava.security.manager=problems for service providers
Daniel Fuchs
daniel.fuchs at oracle.com
Tue Mar 27 14:09:04 UTC 2018
Hi,
On 27/03/2018 14:06, Alan Bateman wrote:
> Moving this to security-dev.
>
> From the stack trace, it looks like you are using JDK 8 or older. There
> are several changes in JDK 9 and newer in the PolicyFile code to how it
> loads its resources that may help with the issues you are seeing.
>
> -Alan
[snip]
> [java] at java.util.logging.Logger.log(Logger.java:788)
> [java] at org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:496)
In what logging is concerned, it's probably not a good idea to
use java.util.logging in a Policy/SecurityManager implementation
supplied on the command line as java.util.logging uses
doPrivileged and checks for permissions.
For the record the line that throws in the first stack trace
seems to be this one at LogManager.java:965
Class<?> clz = ClassLoader.getSystemClassLoader().loadClass(word);
The exception is caught and printed on System.err at line 981
allowing the caller to proceed - so it's not what is
causing the ExceptionInInitializerError, but it shows that
ClassLoader.getSystemClassLoader() is probably returning null
at this point, and it looks like it is the same issue you're
seeing at ResourceBundle.java:502 later on, which prevents the
CombinerSecurityManager to initialize.
Hopes this helps,
-- daniel
>
> On 27/03/2018 13:56, Peter Firmstone wrote:
>> Not sure if this is the right place to mention this.
>>
>> Anyone notice that specifying a custom security manager at jvm start
>> up causes issues with service providers loading? If using the sun
>> PolicyFile implementation, the policy doesn't load due to the provider
>> failure, I have a custom policy implementation that will allow the jvm
>> to run in this state, and other providers are also not loading, such
>> as the logger and JCE.
>>
>> Note that it doesn't occur if the security manager is set
>> programmatically in the main method at start up, only if it's set via
>> command line option.
>>
>> Examples of providers not loading:
>>
>> [java] java.lang.NullPointerException
>> [java] Can't load log handler "java.util.logging.ConsoleHandler"
>> [java] java.lang.NullPointerException
>> [java] java.lang.NullPointerException
>> [java] at
>> java.util.logging.LogManager$5.run(LogManager.java:965)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> java.util.logging.LogManager.loadLoggerHandlers(LogManager.java:958)
>> [java] at
>> java.util.logging.LogManager.initializeGlobalHandlers(LogManager.java:1578)
>>
>> [java] at
>> java.util.logging.LogManager.access$1500(LogManager.java:145)
>> [java] at
>> java.util.logging.LogManager$RootLogger.accessCheckedHandlers(LogManager.java:1667)
>>
>> [java] at java.util.logging.Logger.getHandlers(Logger.java:1777)
>> [java] at java.util.logging.Logger.log(Logger.java:735)
>> [java] at java.util.logging.Logger.doLog(Logger.java:765)
>> [java] at java.util.logging.Logger.log(Logger.java:788)
>> [java] at
>> org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:496)
>>
>> [java] at
>> org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:469)
>>
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> org.apache.river.api.security.ConcurrentPolicyFile.readPoliciesNoCheckGuard(ConcurrentPolicyFile.java:468)
>>
>> [java] at
>> org.apache.river.api.security.ConcurrentPolicyFile.readPolicyPermissionGrants(ConcurrentPolicyFile.java:243)
>>
>> [java] at
>> org.apache.river.api.security.ConcurrentPolicyFile.<init>(ConcurrentPolicyFile.java:253)
>>
>> [java] at
>> org.apache.river.api.security.ConcurrentPolicyFile.<init>(ConcurrentPolicyFile.java:226)
>>
>> [java] at
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:154)
>>
>> [java] at
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:133)
>>
>> [java] at
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)
>>
>> [java] at
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:162)
>>
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>
>> [java] at
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>
>> [java] at
>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> [java] at java.lang.Class.newInstance(Class.java:442)
>> [java] at sun.misc.Launcher.<init>(Launcher.java:93)
>> [java] at sun.misc.Launcher.<clinit>(Launcher.java:54)
>> [java] at
>> java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
>> [java] at
>> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
>>
>>
>> [java] Error occurred during initialization of VM
>> [java] java.lang.ExceptionInInitializerError
>> [java] at
>> java.util.ResourceBundle.getLoader(ResourceBundle.java:482)
>> [java] at
>> java.util.ResourceBundle.getBundle(ResourceBundle.java:783)
>> [java] at
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)
>> [java] at
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)
>> [java] at
>> sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)
>> [java] at
>> sun.security.provider.PolicyFile.init(PolicyFile.java:626)
>> [java] at
>> sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)
>> [java] at
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)
>> [java] at
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)
>> [java] at
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)
>> [java] at
>> sun.security.provider.PolicyFile.init(PolicyFile.java:439)
>> [java] at
>> sun.security.provider.PolicyFile.<init>(PolicyFile.java:297)
>> [java] at java.security.Policy.getPolicyNoCheck(Policy.java:196)
>> [java] at java.security.Policy.getPolicy(Policy.java:154)
>> [java] at net.jini.security.Security$7.run(Security.java:1054)
>> [java] at net.jini.security.Security$7.run(Security.java:1052)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> net.jini.security.Security.getPolicy(Security.java:1052)
>> [java] at
>> net.jini.security.Security.getContext(Security.java:506)
>> [java] at
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:140)
>>
>> [java] at
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:132)
>>
>> [java] at
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)
>>
>> [java] at
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:160)
>>
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>
>> [java] at
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>
>> [java] at
>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> [java] at java.lang.Class.newInstance(Class.java:442)
>> [java] at sun.misc.Launcher.<init>(Launcher.java:93)
>> [java] at sun.misc.Launcher.<clinit>(Launcher.java:54)
>> [java] at
>> java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
>> [java] at
>> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
>> [java] Caused by: java.lang.NullPointerException
>> [java] at
>> java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:502)
>> [java] at
>> java.util.ResourceBundle.getLoader(ResourceBundle.java:482)
>> [java] at
>> java.util.ResourceBundle.getBundle(ResourceBundle.java:783)
>> [java] at
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)
>> [java] at
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)
>> [java] at
>> sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)
>> [java] at
>> sun.security.provider.PolicyFile.init(PolicyFile.java:626)
>> [java] at
>> sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)
>> [java] at
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)
>> [java] at
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)
>> [java] at
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)
>> [java] at
>> sun.security.provider.PolicyFile.init(PolicyFile.java:439)
>> [java] at
>> sun.security.provider.PolicyFile.<init>(PolicyFile.java:297)
>> [java] at java.security.Policy.getPolicyNoCheck(Policy.java:196)
>> [java] at java.security.Policy.getPolicy(Policy.java:154)
>> [java] at net.jini.security.Security$7.run(Security.java:1054)
>> [java] at net.jini.security.Security$7.run(Security.java:1052)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> net.jini.security.Security.getPolicy(Security.java:1052)
>> [java] at
>> net.jini.security.Security.getContext(Security.java:506)
>> [java] Unexpected exception:
>> [java] at
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:140)
>>
>> [java] at
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:132)
>>
>> [java] at
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)
>>
>> [java] at
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:160)
>>
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>> [java] at
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>
>> [java] at
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>
>> [java] at
>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>> [java] at java.lang.Class.newInstance(Class.java:442)
>> [java] at sun.misc.Launcher.<init>(Launcher.java:93)
>> [java] at sun.misc.Launcher.<clinit>(Launcher.java:54)
>> [java] at
>> java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
>> [java] at
>> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
>>
>>
>>
>> [java] java.lang.ExceptionInInitializerError
>> [java] at
>> javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65)
>> [java] at
>> javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2586)
>> [java] at
>> javax.crypto.Cipher.getMaxAllowedKeyLength(Cipher.java:2610)
>> [java] at
>> sun.security.ssl.CipherSuite$BulkCipher.isUnlimited(CipherSuite.java:535)
>> [java] at
>> sun.security.ssl.CipherSuite$BulkCipher.<init>(CipherSuite.java:507)
>> [java] at
>> sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:614)
>> [java] at
>> sun.security.ssl.SSLContextImpl.getApplicableCipherSuiteList(SSLContextImpl.java:294)
>>
>> [java] at
>> sun.security.ssl.SSLContextImpl.access$100(SSLContextImpl.java:42)
>> [java] at
>> sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:425)
>>
>> [java] at java.lang.Class.forName0(Native Method)
>> [java] at java.lang.Class.forName(Class.java:264)
>> [java] at
>> java.security.Provider$Service.getImplClass(Provider.java:1634)
>> [java] at
>> java.security.Provider$Service.newInstance(Provider.java:1592)
>> [java] at
>> sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>> [java] at
>> sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>> [java] at
>> javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
>> [java] at
>> net.jini.jeri.ssl.Utilities.getServerSSLContextInfo(Utilities.java:712)
>> [java] at
>> net.jini.jeri.ssl.Utilities.getSupportedCipherSuites(Utilities.java:284)
>> [java] at
>> net.jini.jeri.ssl.SslEndpointImpl.getConnectionContexts(SslEndpointImpl.java:750)
>>
>> [java] at
>> net.jini.jeri.ssl.SslEndpointImpl.getCallContext(SslEndpointImpl.java:326)
>>
>> [java] at
>> net.jini.jeri.ssl.SslEndpointImpl.newRequest(SslEndpointImpl.java:185)
>> [java] at
>> net.jini.jeri.ssl.SslEndpoint.newRequest(SslEndpoint.java:550)
>> [java] at
>> net.jini.jeri.BasicObjectEndpoint.newCall(BasicObjectEndpoint.java:421)
>> [java] at
>> net.jini.jeri.BasicInvocationHandler.invokeRemoteMethod(BasicInvocationHandler.java:688)
>>
>> [java] at
>> net.jini.jeri.BasicInvocationHandler.invoke(BasicInvocationHandler.java:571)
>>
>> [java] at com.sun.proxy.$Proxy2.registerGroup(Unknown Source)
>> [java] at
>> org.apache.river.start.SharedActivationGroupDescriptor.create(SharedActivationGroupDescriptor.java:370)
>>
>> [java] at
>> org.apache.river.qa.harness.SharedGroupAdmin.start(SharedGroupAdmin.java:204)
>>
>> [java] at
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:639)
>>
>> [java] at
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:660)
>>
>> [java] at
>> org.apache.river.qa.harness.ActivatableServiceStarterAdmin.getServiceSharedLogDir(ActivatableServiceStarterAdmin.java:388)
>>
>> [java] at
>> org.apache.river.qa.harness.ActivatableServiceStarterAdmin.start(ActivatableServiceStarterAdmin.java:224)
>>
>> [java] at
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:639)
>>
>> [java] at
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:660)
>>
>> [java] at
>> org.apache.river.qa.harness.AdminManager.startLookupService(AdminManager.java:679)
>>
>> [java] at
>> org.apache.river.test.spec.lookupservice.QATestRegistrar.construct(QATestRegistrar.java:458)
>>
>> [java] at
>> org.apache.river.test.spec.lookupservice.test_set00.EvntLeaseExpiration.construct(EvntLeaseExpiration.java:88)
>>
>> [java] at
>> org.apache.river.qa.harness.MasterTest.doTest(MasterTest.java:228)
>> [java] at
>> org.apache.river.qa.harness.MasterTest.access$000(MasterTest.java:48)
>> [java] at
>> org.apache.river.qa.harness.MasterTest$1.run(MasterTest.java:174)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at
>> javax.security.auth.Subject.doAsPrivileged(Subject.java:483)
>> [java] at
>> org.apache.river.qa.harness.MasterTest.doTestWithLogin(MasterTest.java:171)
>>
>> [java] at
>> org.apache.river.qa.harness.MasterTest.main(MasterTest.java:150)
>> [java] Caused by: java.lang.SecurityException: Can not initialize
>> cryptographic mechanism
>> [java] at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:93)
>> [java] ... 44 more
>> [java] Caused by: java.lang.SecurityException: Cannot locate
>> policy or framework files!
>> [java] at
>> javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:316)
>> [java] at
>> javax.crypto.JceSecurity.access$000(JceSecurity.java:50)
>> [java] at javax.crypto.JceSecurity$1.run(JceSecurity.java:85)
>> [java] at java.security.AccessController.doPrivileged(Native
>> Method)
>> [java] at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)
>
More information about the security-dev
mailing list