• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 637
  • Last Modified:

java.net.SocketPermission error trying to access MySQL database from servlet

Apologies for any incorrect terminology I may use. Some of this is quite new to me.

I have a small Java program that connects to a MySQL database and retrieves and displays some data from it. The code runs fine at the command line.

A similar piece of Java code that runs in the context of a servlet gives this error at the point where it starts making the connection to the MySQL database: -

com.mysql.jdbc.CommunicationsException: Communications link failure due to underlying exception:


MESSAGE: java.security.AccessControlException: access denied (java.net.SocketPermission connect,resolve)


java.net.SocketException: java.security.AccessControlException: access denied (java.net.SocketPermission connect,resolve)
        at com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:156)
        at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:277)
        at com.mysql.jdbc.Connection.createNewIO(Connection.java:2668)
        at com.mysql.jdbc.Connection.<init>(Connection.java:1531)
        at com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:266)
        at java.sql.DriverManager.getConnection(DriverManager.java:525)
        at java.sql.DriverManager.getConnection(DriverManager.java:171)
        at ShowPVersions.doGet(ShowPVersions.java:31)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:245)
        at org.apache.catalina.core.ApplicationFilterChain.access$0(ApplicationFilterChain.java:177)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:156)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:152)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)


The Java code is: -

import java.sql.*;

public class ShowPVersions {
  public static void main(String args[]){
    System.out.println("Looking for P Version Information");
    try {
        Statement stmt;
      ResultSet rs;

      //Register the JDBC driver for MySQL.

      String url = "jdbc:mysql://";

      Connection con = DriverManager.getConnection(url,"USER", "SECRET");

      //Display URL and connection information
      System.out.println("URL: " + url);
      System.out.println("Connection: " + con);

      //Get a Statement object
      stmt = con.createStatement();

      stmt = con.createStatement(

      //Query the database, storing the result
      // in an object of type ResultSet
      rs = stmt.executeQuery("SELECT * from PVersion");

      System.out.println("Versions: -");
        String strVer = rs.getString("Version");
        String strTime = rs.getString("InstallTime");
        System.out.println("\t" + strVer + "\t" + strTime);

    }catch( Exception e ) {

I'm running the following: -

Debian etch
MySQL 5.0
Tomcat 5.5
Sun JRE 5.0
1 Solution
In Tomcat/conf, you would find catalina.conf
Add these lines (after modifying to your configurartion values) and restart TomCat

grant codeBase "file:${catalina.home}/webapps/ExamplApp/WEB-INF/lib/MySQLDriverJar.jar!/-" {
     permission java.net.SocketPermission "<The DB Server IP Address>", "connect";

Hope it helps
SimonFisherAuthor Commented:
The MySQL driver/jar file is symbolically linked so it appears at various places under /usr/share/tomcat and /usr/share/java. It's not in my application area.

My MySQL database server is on the same machine as Tomcat.

It appears that under Debian, you don't edit /var/lib/tomcat5.5/conf/catalina.policy directly, but make changes to files in /etc/tomcat5.5/policy.d/ which then get merged to form the catalina.policy file. So, I've added this to /etc/tomcat5.5/policy.d/50user.policy

I can confitm that after restarting tomcat, the catalina.policy file does contain the required addition: -

grant codeBase "file:/usr/share/tomcat5.5/common/lib/mysql.jar!/-" {
     permission java.net.SocketPermission "", "connect";

I still get the error.
Mayank SAssociate Director - Product EngineeringCommented:
>> "file:/usr/share/tomcat5.5/common/lib/mysql.jar!/"

Try grant codeBase "file:/usr/share/tomcat5.5/common/lib/mysql.jar" {
permission java.net.SocketPermission "*", "connect";
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

SimonFisherAuthor Commented:
Still getting the same error message.
Mayank SAssociate Director - Product EngineeringCommented:
Try giving all files under lib the same permission
Mayank SAssociate Director - Product EngineeringCommented:
What was the result of: >> Try giving all files under lib the same permission
SimonFisherAuthor Commented:
The solution I used was to modify the file /etc/tomcat5.5/policy.d/04webapps.policy such that within a section starting: -

    grant {

I added: -

    permission java.net.SocketPermission "", "connect,resolve";
    permission java.util.PropertyPermission "file.encoding", "read";

I found this solution from elsewhere.
SimonFisherAuthor Commented:
mayankeagle's suggestion "Try giving all files under lib the same permission" wasn't detailed enough for me to follow. I was away on holiday from April 13th (shortly after I posted "Still getting the same error message." and found the solution on my return, after seeing your suggestion but before I had asked you to elaborate.
Mayank SAssociate Director - Product EngineeringCommented:
All files under lib the same permission means you need to repeat the permission you are giving to one file to all other files in the directory. Since you have:

Try grant codeBase "file:/usr/share/tomcat5.5/common/lib/mysql.jar" {
permission java.net.SocketPermission "*", "connect";

Suppose you also have another abc.jar and xyz.jar in the same lib directory, then also give:

Try grant codeBase "file:/usr/share/tomcat5.5/common/lib/abc.jar" {
permission java.net.SocketPermission "*", "connect";

Try grant codeBase "file:/usr/share/tomcat5.5/common/lib/xyz.jar" {
permission java.net.SocketPermission "*", "connect";

Mayank SAssociate Director - Product EngineeringCommented:
you can reply back and ask for clarification if you fail to understand any of the comments because we come here only when we find free time from our work, so sometimes our replies might not be very elaborate.
SimonFisherAuthor Commented:
I would have asked for elaboration __IF__ I hadn't already found the solution elsewhere.

As it is, I do not feel that any of the comments or suggestions made contributed to me finding the solution. Do you think otherwise?
Mayank SAssociate Director - Product EngineeringCommented:
Well, I wouldn't know myself as to whether my comments helped or not and whether you tried them or not, or whether you're looking for a solution of your own or not, if you don't reply to my comment to let me know.
Closed, 500 points refunded.
Community Support Moderator

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now