Nabor

Reputation: 1701

Java Permission for Jackson on Domino XPage

Using Codehaus Jackson on a Domino Server within an XPage produces the following stack trace:

[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM: java.lang.SecurityException: not allowed to access members in class class java.util.ArrayList
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at java.lang.Throwable.<init>(Throwable.java:67)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at lotus.notes.AgentSecurityManager.checkMemberAccess(Unknown Source)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at java.lang.Class.checkMemberAccess(Class.java:112)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at java.lang.Class.getDeclaredMethods(Class.java:675)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at org.codehaus.jackson.map.introspect.AnnotatedClass._addMemberMethods(AnnotatedClass.java:620)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at org.codehaus.jackson.map.introspect.AnnotatedClass.resolveMemberMethods(AnnotatedClass.java:413)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at org.codehaus.jackson.map.introspect.BasicClassIntrospector.classWithCreators(BasicClassIntrospector.java:185)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at org.codehaus.jackson.map.introspect.BasicClassIntrospector.collectProperties(BasicClassIntrospector.java:157)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at org.codehaus.jackson.map.introspect.BasicClassIntrospector.forSerialization(BasicClassIntrospector.java:96)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at org.codehaus.jackson.map.introspect.BasicClassIntrospector.forSerialization(BasicClassIntrospector.java:16)
[07715:00011-2293234576] 04/02/2013 10:28:12 AM  HTTP JVM:  at org.codehaus.jackson.map.SerializationConfig.introspect(SerializationConfig.java:973)

In the java.policy I tried these settings:

// Jackson (JSON)
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// permission java.lang.RuntimePermission "accessDeclaredMembers";
// permission java.lang.RuntimePermission "accessClassInPackage.java.util.ArrayList";
permission java.security.AllPermission;

The first permission has nothing to do with the current problem. I tried to solve it with the second and third setting, but it doesn't work.

Only the last setting helps, but that's way too much... Any better solutions?

Upvotes: 0

Views: 1164

Answers (1)

NilsH

Reputation: 13831

I'm not familiar with Domino XPages, but I assume it follows the standard Java security scheme, so here's a few thoughts/ideas:

Do not put your application-specific security configuration in the "global" space. Instead, find the correct codebase and add it to its own codebase section in the java.policy file:

grant codeBase "myCodeBase" {
    // Security configuration here, e.g.
    // permission java.security.AllPermission;
    // If you end up using AllPermissions, at least it only applies to your app
};

Figure out what your "codeBase" is and insert it in place of "myCodeBase".

For specific permissions needed for different types of access, you can check the document Permissions in Java™ SE 7 Development Kit (JDK). In your stacktrace it seems like it's the call getDeclaredMethods that is the cause of the problem. In the document mentioned, the required permissions are described:

java.lang.Class

public Class[] getDeclaredClasses()

public Field[] getDeclaredFields()

public Method[] getDeclaredMethods()

public Constructor[] getDeclaredConstructors()

public Field getDeclaredField(String name)

public Method getDeclaredMethod(...)

public Constructor getDeclaredConstructor(...)

needs permissions

Default checkMemberAccess does not require any permissions if "this" class's classloader is the same as that of the caller. Otherwise, it requires java.lang.RuntimePermission "accessDeclaredMembers". If this class is in a package, java.lang.RuntimePermission "accessClassInPackage.{pkgName}" is also required.

So your commented entries in the policy files seem correct. If you uncomment those lines, it should solve this particular security exception, but you might encounter new ones.

Edit: You say you can't specify a codebase for your application, but you should at least be able to specify a codebase pointing to your specific jar file, like this:

grant codeBase "file://file_url_to_jar" { }

It might not solve your problem, but could get you a step further.

Edit:

If all else fails, and it still does not work, you can turn on java security debugging. It'll produce a lot of output, but it can be helpful to track down security errors. Enable it by adding -Djava.security.debug=all to the JVM startup options.

Edit:

For this particular permission (accessDeclaredMembers), the problem could possibly be fixed by adding the jackson jar to the lib/ext folder of the JVM, as this would make the classes be loaded with the same classloader as the JRE classes, and the accessDeclaredMembers check is skipped.

Upvotes: 1
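
A check for the scoping advice in the answer above, as an added example that is not part of the original question or answer: a Python script that parses java.policy text and flags `AllPermission` grants and any permission granted without a codeBase. The sample policy, the placeholder jar path and the function names are constructed for illustration; the package permission follows the `accessClassInPackage.{pkgName}` form quoted above, and `signedBy`/`principal` clauses are not evaluated.

```python
import re

# Constructed sample: unscoped settings in a global grant, then a grant scoped to one jar.
SAMPLE_POLICY = '''
grant {
    // Jackson (JSON)
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.security.AllPermission;
};
grant codeBase "file:/placeholder/path/jackson-mapper-asl.jar" {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.java.util";
};
'''

_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
_GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;')
_PERM = re.compile(r'\bpermission\s+([\w.$]+)\s*("[^"]*")?')
_CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)

def strip_comments(text):
    """Drop // and /* */ comments but keep quoted strings (file:// URLs contain //)."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else '', text)

def parse_grants(text):
    """Return a list of (codeBase or None, [(permission class, target), ...])."""
    grants = []
    for header, body in _GRANT.findall(strip_comments(text)):
        cb = _CODEBASE.search(header)
        perms = [(cls, tgt.strip('"')) for cls, tgt in _PERM.findall(body)]
        grants.append((cb.group(1) if cb else None, perms))
    return grants

def audit(text):
    """Flag AllPermission in any grant, and every permission granted without a codeBase."""
    findings = []
    for codebase, perms in parse_grants(text):
        for cls, target in perms:
            if cls == 'java.security.AllPermission':
                findings.append(('ALL_PERMISSION', codebase, cls, target))
            elif codebase is None:
                findings.append(('UNSCOPED', codebase, cls, target))
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```
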
