on 12-19-2007 9:23 PM
Hi, there!
I have a security issue when I try to run RMI client code in a web application on Web AS 2004s. There is a
lookup statement in the JSP or servlet code:
Naming.lookup("//server/RemoteClass")
which throws
java.io.AccessControlException: access denied (java.io.FilePermission
D:\usr\sap\AS1\JC00\j2ee\cluster\server0\apps\sap.com\MyEntApp\servlet_jsp\MyWebApp\work\com\mycompany\packagename\RemoteClassImpl_Stub.class read)
I have investigated where the "java.security.policy" parameter is set up; it has the value "./java.policy". This file is
regenerated each time the Web AS is started, so I created another policy file, granted file permission for the
above path and set it as -Djava.security.policy in the server start parameters. It doesn't resolve the problem; I have
found that this parameter doesn't correlate with the real application run-time permissions. Does anybody have ideas?
Thanks
P.S. This code works fine as a standalone application.
Hi,
This behavior is normal; the applications must not read resources from the file system, otherwise it will be a security leak.
And now the question is what you are trying to do. Why do you need to get a remote class, as the application is running in the same VM?
Kind regards,
Tsvetomir
2Srinivasan:
Srinivasan, I added authorization to the application but it doesn't resolve the issue. I have already created a Java Web Start application instead of the web application and currently I don't have security problems.
2Tsvetomir:
Tsvetomir, in my case the web application was an RMI client and the RMI server was on another server (not the same VM). I have a question about why applications must not read resources from the file system. There is a Java policy file \usr\sap\AS1\JC00\j2ee\cluster\server0\java.policy which is used by the app server when it is starting. This file has a section with the comment:
grant codeBase "file:${user.dir}/apps/-" {
/* here should be placed all additional application's permissions(for all applications) */
};
i.e. there is a possibility to control file system access, but any modifications to this file are dropped after the server restarts. Are there any valid ways to change this policy file? I think this policy file is the key point of security control.
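The grant clause quoted above is scoped by codeBase: a FilePermission placed inside that block applies only to code loaded from below ${user.dir}/apps/, not to every class in the VM, and it has to name the directory the stub lives in (a "dir/-" target covers it recursively). The following stand-alone program is an added example, not code from the thread or from SAP: it writes a policy file of the same shape with a FilePermission added, loads it with the JDK's standard "JavaPolicy" provider (Java 6 or later; deprecated with a warning on Java 17+), and evaluates it against a ProtectionDomain for code under apps/ and for code outside it. The application and stub paths are assumptions modelled on the paths in the thread, with ${user.dir} standing in for the server0 directory.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

/**
 * Added example (not from the thread): evaluates a java.policy grant of the
 * same shape as the server's "file:${user.dir}/apps/-" section, with a
 * FilePermission added, against code inside and outside that codeBase.
 */
public class PolicyCheck {

    // Same block as the server's java.policy section quoted in the thread;
    // the FilePermission line is the addition being tested. ${/} expands to
    // the platform file separator inside policy files.
    static String policyText() {
        return "grant codeBase \"file:${user.dir}/apps/-\" {\n"
             + "  permission java.io.FilePermission \"${user.dir}${/}apps${/}-\", \"read\";\n"
             + "};\n";
    }

    // "JavaPolicy" is the JDK's standard policy-file provider.
    static Policy loadPolicy(Path policyFile) throws Exception {
        return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
    }

    // The ProtectionDomain the policy would see for classes loaded from codeLocation.
    static ProtectionDomain domainFor(File codeLocation) throws IOException {
        URL url = codeLocation.toURI().toURL();
        return new ProtectionDomain(new CodeSource(url, (Certificate[]) null), null);
    }

    public static void main(String[] args) throws Exception {
        String userDir = System.getProperty("user.dir");
        Path policyFile = Files.createTempFile("app", ".policy");
        Files.write(policyFile, policyText().getBytes(StandardCharsets.UTF_8));
        Policy policy = loadPolicy(policyFile);

        // Hypothetical layout mirroring the thread's path, with user.dir as server0.
        File appJar = new File(userDir,
            "apps/sap.com/MyEntApp/servlet_jsp/MyWebApp/root/WEB-INF/lib/app.jar");
        File stub = new File(userDir,
            "apps/sap.com/MyEntApp/servlet_jsp/MyWebApp/work/com/mycompany/packagename/RemoteClassImpl_Stub.class");
        File outsideJar = new File(userDir, "bin/other.jar");      // code not under apps/
        File serverPolicy = new File(userDir, "java.policy");      // file not under apps/

        Permission readStub = new FilePermission(stub.getPath(), "read");
        Permission readServerPolicy = new FilePermission(serverPolicy.getPath(), "read");

        // Expected: true, false, false
        System.out.println("app code may read its stub:         "
            + policy.implies(domainFor(appJar), readStub));
        System.out.println("app code may read server policy:    "
            + policy.implies(domainFor(appJar), readServerPolicy));
        System.out.println("code outside apps/ may read stub:   "
            + policy.implies(domainFor(outsideJar), readStub));

        Files.delete(policyFile);
    }
}
```

The first check is the one the AccessControlException in the original post is about; the other two show that the grant neither widens what application code can read beyond apps/ nor applies to code loaded from anywhere else, which is why a permission added to this block is narrower than granting FilePermission in a default (codeBase-less) grant. Whether the server actually reads such a file is a separate question of how the server assembles its policy at start-up, which the linked documentation covers.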
Hi,
The contents of the following help link and the steps therein might help you analyze and fix the issue:
http://help.sap.com/saphelp_nw70/helpdata/en/a1/0071403017587ee10000000a155106/content.htm
Regards
Srinivasan T