java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

enthuguy
Hi,
kindly please suggest

I injected the lines below into Tomcat's catalina.policy:

grant codeBase "file:/<path_to_directory>/-" {
permission java.security.AllPermission;
permission java.io.FilePermission "", "read,write,execute";
permission java.util.PropertyPermission "", "read";
permission java.lang.RuntimePermission "getenv.*";
};

But I still get
Error in Full Agent Registration Info Resolver reading environment variable/system property 
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")


Author

Commented:
I changed from this

grant codeBase "file:/<path_to_directory>/-" {
permission java.security.AllPermission;
permission java.io.FilePermission "", "read,write,execute";
permission java.util.PropertyPermission "", "read";
permission java.lang.RuntimePermission "getenv.*";
};

to this

grant codeBase "file:/<path_to_directory>/-" {
  permission java.security.AllPermission;
  permission java.io.FilePermission "*", "read,write,execute";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.RuntimePermission "getenv.*";
};

Looks like it progressed a bit, but I'm getting the below now:

java.lang.NoClassDefFoundError: com/singularity/ee/util/string/e
	at com.appdynamics.appagent/com.singularity.ee.agent.appagent.kernel.JavaAgent.<clinit>(JavaAgent.java:144)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at java.base/java.lang.Class.newInstance(Class.java:584)
	at com.singularity.ee.agent.appagent.AgentEntryPoint.premain(AgentEntryPoint.java:647)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:513)
	at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:525)
Caused by: java.lang.ClassNotFoundException: Unable to load class com.singularity.ee.util.string.e
	at com.singularity.ee.agent.appagent.kernel.classloader.e.findClass(e.java:73)
	at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.c(AgentClassLoader.java:405)
	at com.singularity.ee.agent.appagent.kernel.classloader.d.b(d.java:69)
	at com.singularity.ee.agent.appagent.kernel.classloader.AgentClassLoader.loadClass(AgentClassLoader.java:306)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
	... 13 more

Top Expert 2016

Commented:
Not sure about this but maybe it's worth looking at the following docs

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Changing your policy at a code level has no effect on the underlying filesystem.

Your first test will be to run shell commands under your Apache user (or Tomcat user if this differs from Apache) to determine if the user has sufficient privilege to execute whatever file operation you're attempting in Tomcat.

Normally a simple cat (read file) or touch (write file) under your runtime user (using su or sudo) will instantly tell you if you have a code problem or require work at the filesystem level to open permissions.

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Tip: You'll use the setfacl command to manage complex ACLs.

Author

Commented:
Thanks CEHJ and David,
Will check these
Top Expert 2016

Commented:
Your problem is about the inability to read env vars, is it not?

Author

Commented:
I think so CEHJ,

Maybe I'm not passing the required variable... but I don't think Java will fail this bad. :)

I believe the application would handle it in a better way
Top Expert 2016

Commented:
I think so CEHJ,
Well the error is certainly about reading env vars.
It might not be present to read. You need to find out what your code is doing and which env var is to be read

Author

Commented:
Sure, will check that tomorrow along with the application team
Top Expert 2016

Commented:
Also use stat to ensure that policy file is actually being read. It might not be

Author

Commented:
I think it is reading it.
Reason: before the change below, it was throwing this error.
Error in Full Agent Registration Info Resolver reading environment variable/system property
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.")

  permission java.io.FilePermission "*", "read,write,execute";
  permission java.util.PropertyPermission "*", "read,write";

After the above, it is now this error.
java.lang.NoClassDefFoundError: com/singularity/ee/util/string/e

Top Expert 2016

Commented:
No class error is probably caused by a faulty install of the API. Find out which API it is and make sure you install it properly.

Maybe check out THIS

Author

Commented:
Found the below policy helped to resolve the issue, but I think it's overly permissive.

Is this too bad? :)

grant   {
    permission java.security.AllPermission;
    permission java.lang.management.ManagementPermission "monitor";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

Commented:
grant   {
    permission java.security.AllPermission;
    permission java.lang.management.ManagementPermission "monitor";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

This helped a bit, but I know it's too open.
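
The permission checks discussed in this thread can be reproduced offline with Permission.implies. The following is an added example, not code from any poster or from the agent vendor; the class name PolicyImpliesDemo and the requested permission targets are constructed for illustration. It models the last posted grant block next to the narrower lines from the earlier attempt, and does not install a security manager.

```java
import java.io.FilePermission;
import java.lang.management.ManagementPermission;
import java.lang.reflect.ReflectPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

public class PolicyImpliesDemo {
    // Build an in-memory equivalent of one policy "grant" block.
    static Permissions grant(Permission... perms) {
        Permissions set = new Permissions();
        for (Permission p : perms) set.add(p);
        return set;
    }

    public static void main(String[] args) {
        // The last policy posted in the thread: AllPermission plus two more lines.
        // AllPermission implies every other permission, so the extra lines add nothing.
        Permissions posted = grant(
            new AllPermission(),
            new ManagementPermission("monitor"),
            new ReflectPermission("suppressAccessChecks"));

        // The narrower lines from the earlier attempt, with AllPermission left out
        // (an assumption made here to show what those lines cover on their own).
        Permissions narrowed = grant(
            new FilePermission("*", "read,write,execute"),
            new PropertyPermission("*", "read,write"),
            new RuntimePermission("getenv.*"));

        // Constructed sample requests; names and paths are illustrative only.
        Permission[] requested = {
            new RuntimePermission("getenv.HOME"),
            new PropertyPermission("user.home", "read"),
            new FilePermission("/etc/passwd", "read"),
            new RuntimePermission("exitVM.0"),
            new RuntimePermission("setSecurityManager"),
            new ReflectPermission("suppressAccessChecks"),
        };
        System.out.printf("%-62s %-7s %s%n", "requested", "posted", "narrowed");
        for (Permission r : requested) {
            // Permission.toString() uses the same ("class" "name") form as the exception text.
            System.out.printf("%-62s %-7b %b%n", r, posted.implies(r), narrowed.implies(r));
        }
    }
}
```

A grant entry with no codeBase applies to all code the JVM loads, so the "posted" column is what every web application in that Tomcat instance receives, while a codeBase-scoped grant limits it to the agent's directory.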
