Reputation: 11
I've created a Java servlet and run it in a Tomcat server on a web hotel. It should send push messages to iOS devices, so I added JavaPNS. This works fine in my local Tomcat server, but when I deploy it on the Tomcat server provided by a web hotel, this statement:
Security.addProvider(new BouncyCastleProvider());
gives the Exception:
Exception in thread "Thread-193" java.lang.InternalError: cannot create instance of org.bouncycastle.jce.provider.symmetric.AES$Mappings : java.security.AccessControlException: access denied (java.security.SecurityPermission putProviderProperty.BC)
at org.bouncycastle.jce.provider.BouncyCastleProvider.loadAlgorithms(Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider.setup(Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider.access$000(Unknown Source)
at org.bouncycastle.jce.provider.BouncyCastleProvider$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.bouncycastle.jce.provider.BouncyCastleProvider.<init>(Unknown Source)
at javapns.communication.ConnectionToAppleServer.<init>(ConnectionToAppleServer.java:41)
....
Probably the web hotel has some sort of security turned on in the Tomcat server that I don't have turned on locally.
Does anyone know if there is any work-around to this problem? If not, what should I ask the support at the web hotel to change to make this possible?
Upvotes: 1
Views: 1559
Reputation: 269797
Don't attempt to install BouncyCastle as a provider. Create a new BouncyCastle instance in your application, and pass that provider to the getInstance() overload that accepts a Provider parameter on each of the cryptographic services.
Modifications to the Security class affect all applications in the container; they aren't local to your application. Use a more targeted approach that doesn't require global changes.
Relying on an installed provider can be convenient in a standalone application, but it creates a lot of problems in the long run, when you require a specific provider, and a library written on top of the JCA doesn't allow you to specify a provider.
Upvotes: 2
Reputation: 16635
There is no work-around. There are a number of possibilities. Explain to your provider what you want to do and discuss the options with them. They include:
Note that if you have a shared Tomcat instance then the chances of the provider agreeing to any of the above are pretty slim.
Upvotes: 1