Link to home
Create AccountLog in
Avatar of enthuguy
enthuguyFlag for Australia

asked on

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

Hi,
kindly please suggest

I injected below lines in tomcat catalina.policy,

grant codeBase "file:/<path_to_directory>/-" {
permission java.security.AllPermission;
permission java.io.FilePermission "", "read,write,execute";
permission java.util.PropertyPermission "", "read";
permission java.lang.RuntimePermission "getenv.*";
};

Open in new window


But I still get
Error in Full Agent Registration Info Resolver reading environment variable/system property 
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

Open in new window

Avatar of enthuguy
enthuguy
Flag of Australia image

ASKER

I changed from this

grant codeBase "file:/<path_to_directory>/-" {
permission java.security.AllPermission;
permission java.io.FilePermission "", "read,write,execute";
permission java.util.PropertyPermission "", "read";
permission java.lang.RuntimePermission "getenv.*";
};

Open in new window


to this

grant codeBase "file:/<path_to_directory>/-" {
permission java.security.AllPermission;
  permission java.io.FilePermission "*", "read,write,execute";
  permission java.util.PropertyPermission "*", "read,write";
permission java.lang.RuntimePermission "getenv.*";
};

Open in new window



Looks like it progressed a bit, but getting below now

java.lang.NoClassDefFoundError: com/singularity/ee/util/string/e
	at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.<clinit>(JavaAgent.java:144)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at java.base/java.lang.Class.newInstance(Class.java:584)
	at com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:647)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:513)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:525)
Caused by: java.lang.ClassNotFoundException: Unable to load class com.singularity.ee.util.string.e
	at com.singularity.ee.agent.appagent.kernel.classloader.e.findClass(e.java:73)
	at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.c(AgentClassLoader.java:405)
	at com.singularity.ee.agent.appagent.kernel.classloader.d.b(d.java:69)
	at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClass(AgentClassLoader.java:306)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
	... 13 more

Open in new window

Avatar of CEHJ
Not sure about this but maybe it's worth looking

at the following docs
Changing your policy at a code level has no effect on the underlying filesystem.

Your first test will be to run shell commands under your Apache user (or Tomcat user if this differs from Apache) to determine if the user has sufficient privilege to execute whatever file operation you're attempting in Tomcat.

Normally a simple cat (read file) or touch (write file) under your runtime user (using su or sudo) will instantly tell you if you have a code problem or require work at the filesystem level to open permissions.
Tip: You'll use the setfacl command to manage complex ACLs.
Thanks CEHJ and David,
Will check these
Your problem is about the inability to read env vars is it not?
I think so CEHJ,

may be I"m not passing they required variable....but I dont think, java will fail this bad. :)

I believe application would handle it in a better way
I think so CEHJ,
Well the error is certainly about reading env vars.
It might not be present to read. You need to find out what your code is doing and which env var is to be read
Sure, will check that tomorrow along with the application team
Also use stat to ensure that policy file is actually being read. It might not be
I think, it is reading
Reason, before below change, it was throwing this error.
Error in Full Agent Registration Info Resolver reading environment variable/system property
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

  permission java.io.FilePermission "*", "read,write,execute";
  permission java.util.PropertyPermission "*", "read,write";

Open in new window



After above, it is now this error.
java.lang.NoClassDefFoundError: com/singularity/ee/util/string/e

Open in new window

No class error is probably caused by a faulty install of the API. FInd out which API it is and make sure you install it properly

Maybe check out THIS
Found below policy helped to resolve the issue but I think its overly permissive.

Is this too bad? :)

grant   {
    permission java.security.AllPermission;
    permission java.lang.management.ManagementPermission "monitor";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
ASKER CERTIFIED SOLUTION
Avatar of enthuguy
enthuguy
Flag of Australia image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account