RMI security issue

Former Member
0 Kudos

Hi, there!

I have a security issue when I try to run RMI client code in a web application on the Web AS 2004s. There is a lookup statement in the JSP or servlet code:

Naming.lookup("//server/RemoteClass")

which throws

java.io.AccessControlException: access denied (java.io.FilePermission D:\usr\sap\AS1\JC00\j2ee\cluster\server0\apps\sap.com\MyEntApp\servlet_jsp\MyWebApp\work\com\mycompany\packagename\RemoteClassImpl_Stub.class read)

I have investigated where the "java.security.policy" parameter is set up; it has the value "./java.policy". This file is regenerated each time the Web AS is started, so I created another policy file, granted file permission for the above path and set it as -Djava.security.policy in the server start parameters. It doesn't resolve the problem; I have investigated, and this parameter doesn't correlate with the real application run-time permissions. Does anybody have ideas?

Thanks

P.S. This code works fine as a standalone application.

Accepted Solutions (1)

Former Member
0 Kudos

Hi,

This behavior is normal; the applications must not read the resources from the file system, otherwise it will be a security leak.

And now the question is: what are you trying to do? Why do you need to get a remote class as the application is running in the same VM?

Kind regards,

Tsvetomir

Former Member
0 Kudos

To Srinivasan:

Srinivasan, I added authorization to the application but it doesn't resolve the issue. I have already created a Java Web Start application instead of the web application, and currently I don't have security problems.

To Tsvetomir:

Tsvetomir, in my case the web application was an RMI client; the RMI server was on another server (not the same VM). I have a question about why applications must not read the resources from the file system. There is a Java policy file \usr\sap\AS1\JC00\j2ee\cluster\server0\java.policy which is used by the app server when it is starting. This file has a section with the comment:

grant codeBase "file:${user.dir}/apps/-" {
    /* here should be placed all additional application's permissions(for all applications) */
};

i.e. there is a possibility to control file system access, but any modifications of this file are dropped after the server restarts. Are there any valid ways to change this policy file? I think this policy file is a key point of security control.
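To check concretely what a policy file grants before touching the server, here is an added diagnostic (written for this thread, not code from SAP or from the posters): it loads one policy file on its own, the way -Djava.security.policy==file would, and asks it whether the web application's codeBase may read the stub class named in the exception above. The policy text, the codeBase URLs and the directory layout are constructed from the paths quoted in this thread.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.FileWriter;
import java.net.URL;
import java.security.CodeSource;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;

/** Offline probe: does a policy file grant a codeBase "read" on the RMI stub class? */
public class PolicyProbe {
    private static final String SEP = File.separator;
    // Directory layout taken from the exception in the first post, joined with the platform
    // separator so that FilePermission's recursive wildcard "-" is recognised on any OS.
    static final String APPS = String.join(SEP, "D:", "usr", "sap", "AS1", "JC00",
            "j2ee", "cluster", "server0", "apps");
    static final String STUB = String.join(SEP, APPS, "sap.com", "MyEntApp", "servlet_jsp",
            "MyWebApp", "work", "com", "mycompany", "packagename", "RemoteClassImpl_Stub.class");
    // Constructed policy text in the same shape as the server's "grant codeBase" section.
    // The parser expands ${/} to the platform separator; a trailing "-" means "recursively".
    static final String SAMPLE_POLICY =
            "grant codeBase \"file:/D:/usr/sap/AS1/JC00/j2ee/cluster/server0/apps/-\" {\n"
          + "  permission java.io.FilePermission \"D:${/}usr${/}sap${/}AS1${/}JC00${/}j2ee"
          + "${/}cluster${/}server0${/}apps${/}-\", \"read\";\n"
          + "};\n";

    /** Loads ONLY this file, as -Djava.security.policy==file does; a single '=' instead
     *  appends the file to the policy.url.n entries listed in java.security. */
    static Policy loadPolicy(File policyFile) throws Exception {
        return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI()));
    }

    /** True if code loaded from codeBase is granted "read" on file by this policy. */
    static boolean grantsRead(Policy policy, String codeBase, String file) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null); // no static permissions
        return policy.implies(pd, new FilePermission(file, "read"));
    }

    public static void main(String[] args) throws Exception {
        File tmp = File.createTempFile("probe", ".policy");
        tmp.deleteOnExit();
        try (FileWriter w = new FileWriter(tmp)) { w.write(SAMPLE_POLICY); }
        Policy policy = loadPolicy(args.length > 0 ? new File(args[0]) : tmp);
        String webApp = "file:/D:/usr/sap/AS1/JC00/j2ee/cluster/server0/apps/sap.com/MyEntApp/servlet_jsp/MyWebApp/work/";
        String other = "file:/C:/unrelated/lib/";
        System.out.println("web app codeBase may read stub : " + grantsRead(policy, webApp, STUB));
        System.out.println("unrelated codeBase may read stub: " + grantsRead(policy, other, STUB));
    }
}
```

Pass the server's own policy file as the first argument to test it instead of the constructed sample. Whether the engine consults that file at all is a separate question: an application server can install its own Policy object with Policy.setPolicy(), in which case a file named only by -Djava.security.policy is never read.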

Former Member
0 Kudos

Hi,

I am also facing a similar issue as stated in the first post. Does anybody have a resolution to this problem? Please let me know.

Thanks,

Ajay.

Answers (1)

Former Member
0 Kudos

Hi,

The contents of the following help link and steps therein might be of help to you in analyzing and fixing the issue:

http://help.sap.com/saphelp_nw70/helpdata/en/a1/0071403017587ee10000000a155106/content.htm

Regards

Srinivasan T