enthuguy

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

Hi,
kindly please suggest

I injected below lines in tomcat catalina.policy,

grant codeBase "file:/<path_to_directory>/-" {
    permission java.security.AllPermission;
    permission java.io.FilePermission "", "read,write,execute";
    permission java.util.PropertyPermission "", "read";
    permission java.lang.RuntimePermission "getenv.*";
};

But I still get
Error in Full Agent Registration Info Resolver reading environment variable/system property 
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

8/22/2022 - Mon
enthuguy

ASKER
I changed from this

grant codeBase "file:/<path_to_directory>/-" {
    permission java.security.AllPermission;
    permission java.io.FilePermission "", "read,write,execute";
    permission java.util.PropertyPermission "", "read";
    permission java.lang.RuntimePermission "getenv.*";
};

to this

grant codeBase "file:/<path_to_directory>/-" {
    permission java.security.AllPermission;
    permission java.io.FilePermission "*", "read,write,execute";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "getenv.*";
};

Looks like it progressed a bit, but getting below now

java.lang.NoClassDefFoundError: com/singularity/ee/util/string/e
	at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.<clinit>(JavaAgent.java:144)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at java.base/java.lang.Class.newInstance(Class.java:584)
	at com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:647)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:513)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:525)
Caused by: java.lang.ClassNotFoundException: Unable to load class com.singularity.ee.util.string.e
	at com.singularity.ee.agent.appagent.kernel.classloader.e.findClass(e.java:73)
	at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.c(AgentClassLoader.java:405)
	at com.singularity.ee.agent.appagent.kernel.classloader.d.b(d.java:69)
	at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClass(AgentClassLoader.java:306)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
	... 13 more

CEHJ

Not sure about this but maybe it's worth looking at the following docs
David Favor

Changing your policy at a code level has no effect on the underlying filesystem.

Your first test will be to run shell commands under your Apache user (or Tomcat user if this differs from Apache) to determine if the user has sufficient privilege to execute whatever file operation you're attempting in Tomcat.

Normally a simple cat (read file) or touch (write file) under your runtime user (using su or sudo) will instantly tell you if you have a code problem or require work at the filesystem level to open permissions.
David Favor

Tip: You'll use the setfacl command to manage complex ACLs.
enthuguy

ASKER
Thanks CEHJ and David,
Will check these
CEHJ

Your problem is about the inability to read env vars is it not?
enthuguy

ASKER
I think so CEHJ,

Maybe I'm not passing the required variable... but I don't think Java will fail this badly. :)

I believe application would handle it in a better way
CEHJ

I think so CEHJ,
Well the error is certainly about reading env vars.
It might not be present to read. You need to find out what your code is doing and which env var is to be read
enthuguy

ASKER
Sure, will check that tomorrow along with the application team
CEHJ

Also use stat to ensure that policy file is actually being read. It might not be
enthuguy

ASKER
I think, it is reading
Reason, before below change, it was throwing this error.
Error in Full Agent Registration Info Resolver reading environment variable/system property
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

  permission java.io.FilePermission "*", "read,write,execute";
  permission java.util.PropertyPermission "*", "read,write";


After above, it is now this error.
java.lang.NoClassDefFoundError: com/singularity/ee/util/string/e

CEHJ

No class error is probably caused by a faulty install of the API. Find out which API it is and make sure you install it properly

Maybe check out THIS
enthuguy

ASKER
Found below policy helped to resolve the issue but I think it's overly permissive.

Is this too bad? :)

grant   {
    permission java.security.AllPermission;
    permission java.lang.management.ManagementPermission "monitor";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
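
Added example, not part of the thread or of any poster's code: a small Java program (the class name PolicyImpliesDemo is made up here) that uses the JDK's own Permission.implies to show why the lines listed beside AllPermission in the grants above are redundant, and how the "getenv.*" wildcard target is matched. It only compares permission objects, so it runs without a security manager or a policy file.

```java
import java.io.FilePermission;
import java.lang.management.ManagementPermission;
import java.lang.reflect.ReflectPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.util.PropertyPermission;

public class PolicyImpliesDemo {

    // True when holding 'granted' would satisfy a check for 'requested'.
    static boolean covers(Permission granted, Permission requested) {
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        Permission all = new AllPermission();
        Permission getenvWildcard = new RuntimePermission("getenv.*");

        // AllPermission implies every other permission, so the remaining
        // lines of a grant block that contains it do not narrow anything.
        Permission[] listedBesideAll = {
            new ManagementPermission("monitor"),
            new ReflectPermission("suppressAccessChecks"),
            new FilePermission("*", "read,write,execute"),
            new PropertyPermission("*", "read,write"),
            getenvWildcard,
        };
        for (Permission p : listedBesideAll) {
            System.out.println("AllPermission covers " + p + ": " + covers(all, p));
        }

        // System.getenv(name) checks RuntimePermission("getenv." + name);
        // System.getenv() with no argument checks "getenv.*" itself.
        // HOME is a sample variable name chosen for this example.
        Permission[] checks = {
            new RuntimePermission("getenv.HOME"),
            new RuntimePermission("getenv.*"),
            // Bare target as printed in the exception quoted in the thread.
            // BasicPermission wildcard matching requires the requested name
            // to be longer than the "getenv." prefix.
            new RuntimePermission("getenv."),
        };
        for (Permission p : checks) {
            System.out.println("getenv.* covers " + p + ": " + covers(getenvWildcard, p));
        }
    }
}
```

A grant block without a codeBase applies to all code loaded by the JVM, so with AllPermission in it the policy file no longer restricts anything.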