Hello,
I've created a new view in the keystore, created an alias in it, and now I'm trying to access it from a web application I'm developing.
I've given all possible permissions to both the view and the alias under "Key Storage"->Runtime->Security in Visual Administrator
and have tried to execute the following code:
// Look up the keystore service through JNDI
InitialContext ctx = new InitialContext();
Object o = ctx.lookup("keystore");
KeystoreManager manager = (KeystoreManager) o;
// Open the BF_VIEW keystore view
KeyStore keyStore = manager.getKeystore("BF_VIEW");
At the manager.getKeystore("BF_VIEW") line I get the following exception:
java.rmi.RemoteException: com.sap.engine.services.keystore.exceptions.BaseRemoteException: Remote call errored
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:48)
at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.checkPermission(KeystoreManagerWrapper_Stub.java:707)
at com.sap.engine.services.keystore.interfaces.KeystoreManagerWrapper_Stub.getKeystore(KeystoreManagerWrapper_Stub.java:201)
at com.company.connectros.sap.GetCredentials.doGet(GetCredentials.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Caused by: com.sap.engine.services.keystore.exceptions.BaseKeystoreException: Application is not authorized to execute keystore operation [{EnginePermission: [keystore][view:GET_VIEW:BF_VIEW]}]
at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:755)
at com.sap.engine.services.keystore.impl.security.SecurityRestrictionsChecker.checkPermission(SecurityRestrictionsChecker.java:234)
at com.sap.engine.services.keystore.impl.ParameterChecker.checkPermission(ParameterChecker.java:35)
at com.sap.engine.services.keystore.impl.KeystoreManagerImpl.checkPermission(KeystoreManagerImpl.java:46)
... 19 more
Caused by: java.security.AccessControlException: access denied {EnginePermission: [keystore][view:GET_VIEW:BF_VIEW]}
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
at java.security.AccessController.checkPermission(AccessController.java:401)
at com.sap.engine.services.keystore.impl.security.CodeBasedSecurityConnector.checkPermissions_getView(CodeBasedSecurityConnector.java:748)
... 22 more
The security log shows the following:
#1.5#000C29FA901D006B00002326000014F8000433FB38B855CA#1183053988207#/System/Security#company.com/TestApp#com.sap.engine.services.security#AdAdministrator#1774####4aad3ff025a211dcbb80000c29fa901d#SAPEngine_Application_Thread[impl:3]_27##0#0#Info#1#com.sap.engine.services.security#Plain### [permissions_collection_operator]: [permission_collection]: AccessController.checkPermission() failed at domain [company.com/TestApp/servlet_jsp/Test/root/WEB-INF/classes]#
#1.5#000C29FA901D006B00002327000014F8000433FB38B85A3A#1183053988207#/System/Security#company.com/TestApp#com.sap.engine.services.security#AdAdministrator#1774####4aad3ff025a211dcbb80000c29fa901d#SAPEngine_Application_Thread[impl:3]_27##0#0#Info#1#com.sap.engine.services.security#Plain### [permissions_collection_operator]: [permission_collection]: domain's permissions: [
standalone: [, , , , , , , , , , , , , ]
collections:
{(java.lang.RuntimePermission loadLibrary)(java.lang.RuntimePermission queuePrintJob)(java.lang.RuntimePermission stopThread)}
{(java.io.FilePermission * read,write)}
{(java.util.PropertyPermission java.version read)(java.util.PropertyPermission java.vm.name read)(java.util.PropertyPermission java.vm.vendor read)(java.util.PropertyPermission os.name read)(java.util.PropertyPermission java.vendor.url read)(java.util.PropertyPermission java.vm.specification.vendor read)(java.util.PropertyPermission java.specification.vendor read)(java.util.PropertyPermission os.version read)(java.util.PropertyPermission java.specification.name read)(java.util.PropertyPermission java.class.version read)(java.util.PropertyPermission file.separator read)(java.util.PropertyPermission os.arch read)(java.util.PropertyPermission java.vm.version read)(java.util.PropertyPermission java.vm.specification.name read)(java.util.PropertyPermission java.specification.version read)(java.util.PropertyPermission java.vendor read)(java.util.PropertyPermission java.vm.specification.version read)(java.util.PropertyPermission * read)(java.util.PropertyPermission path.separator read)(java.util.PropertyPermission line.separator read)}
{(java.net.SocketPermission localhost:1024- listen,resolve)(java.net.SocketPermission * connect,resolve)}
]#
As you may see the permission required by keystore is <i></i> and this permission exists
for the code's protected domain, but still, there is an AccessDenied exception for
that permission.
I can also see this permission in the "Security Provider"'s "Protection Domains" tab.
Am I missing something in the configuration?
Thanks,
Gil
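
Added example, not part of the original post and not SAP code: a small Python triage helper that extracts the denied permission from the exception text and the failing protection domain from the security log, then checks whether a permission of that class is visible among the domain's logged entries. The sample strings are constructed, abridged copies of the lines in the post, and the regular expressions assume the message layout shown there.

```python
import re

# Constructed sample: abridged copies of the exception and security-log text in the post.
TRACE = ("Caused by: java.security.AccessControlException: access denied "
         "{EnginePermission: [keystore][view:GET_VIEW:BF_VIEW]}")
LOG = """AccessController.checkPermission() failed at domain [company.com/TestApp/servlet_jsp/Test/root/WEB-INF/classes]#
domain's permissions: [
standalone: [, , , ]
collections:
{(java.lang.RuntimePermission loadLibrary)(java.lang.RuntimePermission stopThread)}
{(java.io.FilePermission * read,write)}
{(java.net.SocketPermission localhost:1024- listen,resolve)(java.net.SocketPermission * connect,resolve)}
]#"""

# Assumed layouts, taken from the lines shown in the post.
DENIED = re.compile(r"access denied \{(\w+): ((?:\[[^\]]*\])+)\}")
DOMAIN = re.compile(r"checkPermission\(\) failed at domain \[([^\]]+)\]")
STANDALONE = re.compile(r"^standalone: \[(.*)\]$", re.M)
ENTRY = re.compile(r"\(([\w.$]+) ([^()]*)\)")  # (class name-and-actions)


def denied_permission(trace):
    """Return the permission type and bracketed parts named in 'access denied {...}'."""
    m = DENIED.search(trace)
    if m is None:
        return None
    return {"type": m.group(1), "parts": re.findall(r"\[([^\]]*)\]", m.group(2))}


def triage(trace, log):
    """Compare the denied permission with what the log lists for the failing domain."""
    need = denied_permission(trace)
    if need is None:
        raise ValueError("no 'access denied {...}' text in trace")
    dom = DOMAIN.search(log)
    sa = STANDALONE.search(log)
    slots = [s.strip() for s in sa.group(1).split(",")] if sa and sa.group(1) else []
    blank = sum(1 for s in slots if not s)
    same_type = [" ".join(e) for e in ENTRY.findall(log)
                 if e[0].rsplit(".", 1)[-1] == need["type"]]
    if same_type:
        verdict = "listed"        # a permission of the required class is visible
    elif blank:
        verdict = "inconclusive"  # entries are blank in this copy; cannot rule it in or out
    else:
        verdict = "not listed"
    return {"domain": dom.group(1) if dom else None, "required": need,
            "standalone_blank": blank, "same_type": same_type, "verdict": verdict}
```

On the abridged sample the verdict is "inconclusive": the "standalone" entries are blank in the pasted log, so this copy of the log alone cannot confirm or rule out the required permission for that domain.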