Cannot overcome SocketPermission access denied

The public knowledge pool and discussion forum of the OWS community. Do not post confidential information here!
mindjoy
Posts: 7
Joined: 04 Sep 2020, 18:48
Location: Cleveland, OH, USA

Cannot overcome SocketPermission access denied

Post by mindjoy »

Below is my setup, please advise.

I get:

java.security.AccessControlException: access denied ("java.net.SocketPermission" "my-dev-server" "resolve")
Running on Windows 64-bit:
java version "1.8.0_251"
Java(TM) SE Runtime Environment (build 1.8.0_251-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.251-b08, mixed mode)
Settings:

In C:/WINDOWS/Sun/Java/deployment/deployment.config:

deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
In C:/Windows/Sun/Java/Deployment/deployment.properties:

deployment.system.security.policy=file:///C:/Windows/Sun/Java/Deployment/java.policy

// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
};

// default permissions granted to all domains

grant {
        // Allows any thread to stop itself using the java.lang.Thread.stop()
        // method that takes no argument.
        // Note that this permission is granted by default only to remain
        // backwards compatible.
        // It is strongly recommended that you either remove this permission
        // from this policy file or further restrict it to code sources
        // that you specify, because Thread.stop() is potentially unsafe.
        // See the API specification of java.lang.Thread.stop() for more
        // information.
        permission java.lang.RuntimePermission "stopThread";

        // allows anyone to listen on dynamic ports
        permission java.net.SocketPermission "localhost:0", "listen";
        permission java.net.SocketPermission "my-dev-server:0", "resolve";

        // "standard" properties that can be read by anyone

        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.specification.version", "read";
        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";
};

Janak Mulani
Posts: 726
Joined: 24 Mar 2020, 13:37

Re: Cannot overcome SocketPermission access denied

Post by Janak Mulani »

Hi

Which version of OpenWebStart are you using? With which JVM are you running your application?

You have created a deployment.config file in the C:\Windows\Sun\Java\Deployment directory. This file contains a property, deployment.system.config, that points to the deployment.properties file. OWS will then pick up deployment properties from the specified file when a deployment.properties file is NOT present in the <User Home>\.config\icedtea-web dir. When deployment.properties IS present in the <User Home>\.config\icedtea-web dir, it has precedence for the properties it specifies.

You need to determine which deployment.properties file is being used by OWS on your machine and which JVM is used. The JVMs used by OWS can be seen in the file USER_HOME/.cache/icedtea-web/jvm-cache/cache.json, which can be seen using itw-settings > JVM Manager. You could change the jre/lib/security/java.policy file of that JVM.

mindjoy
Posts: 7
Joined: 04 Sep 2020, 18:48
Location: Cleveland, OH, USA

Re: Cannot overcome SocketPermission access denied

Post by mindjoy »

Janak, thank you for your quick response!

I am using Open Webstart 1.2.1, with JVM 1.8.0_251 Oracle Corporation, Windows x64 C:\Program Files\Java\jre1.8.0_251.

"<User Home>\.cache\icedtea-web\jvm-cache\cache.json" contains the following:

{
  "runtimes": [
    {
      "version": "1.8.0_251",
      "vendor": "Oracle Corporation",
      "javaHome": "file:///C:/Program%20Files/Java/jre1.8.0_251/",
      "active": true,
      "os": "WIN64",
      "managed": false,
      "lastUsage": "2020-09-04T15:19:51.778"
    }
  ]
}
I realized OWS uses "<User Home>\.config\icedtea-web\deployment.properties". However, the problem is that this file is overwritten/regenerated by OWS at some point. Still, I modified it now to point to the java.policy file at C:\Windows\Sun\Java\Deployment\java.policy by adding this line:

deployment.system.security.policy=file:///C:/Windows/Sun/Java/Deployment/java.policy
When I run my application via OWS, I still get:

Denying permission: ("java.net.SocketPermission" "my-dev-server" "resolve")
I found the following in the Console:

...
Property 'ows.install4j.propertyUpdate' is unknown.
Loading USER level properties from: file:/<User Home>/.config/icedtea-web/deployment.properties
Loading SYSTEM level properties from: file:/C:/Windows/Sun/Java/Deployment/deployment.properties
System level deployment.config is mandatory: true
Using System level deployment.properties : file:/C:/Windows/Sun/Java/Deployment/deployment.properties
System level settings deployment.properties are mandatory: true
Loading system configuration from: file:/C:/WINDOWS/Sun/Java/deployment/deployment.config
...
I think it ignores all the parameters from "<User Home>\.config\icedtea-web\deployment.properties" because of the error:

Property 'ows.install4j.propertyUpdate' is unknown.
so I commented out this line:

#ows.install4j.propertyUpdate=...
Then I ran my application again, and I got:

Denying permission: ("java.net.SocketPermission" "my-dev-server" "resolve")
and "<User Home>\.config\icedtea-web\deployment.properties" is modified again by OWS, wiping out my added line and uncommenting the "ows.install4j.propertyUpdate" line, and I also found the same 7-line messages in the Console.

Stephan Classen
Posts: 232
Joined: 27 Mar 2020, 09:55

Re: Cannot overcome SocketPermission access denied

Post by Stephan Classen »

Could you share the following file with us?
C:/Windows/Sun/Java/Deployment/deployment.properties

mindjoy
Posts: 7
Joined: 04 Sep 2020, 18:48
Location: Cleveland, OH, USA

Re: Cannot overcome SocketPermission access denied

Post by mindjoy »

I have a single line there:

deployment.system.security.policy=file:///C:/Windows/Sun/Java/Deployment/java.policy

Stephan Classen
Posts: 232
Joined: 27 Mar 2020, 09:55

Re: Cannot overcome SocketPermission access denied

Post by Stephan Classen »

OK. Because this property is not locked, it will be overwritten if a different value is defined in the deployment.properties file in the user directory.

mindjoy
Posts: 7
Joined: 04 Sep 2020, 18:48
Location: Cleveland, OH, USA

Re: Cannot overcome SocketPermission access denied

Post by mindjoy »

I don't have a different value specified in "<User Home>\.config\icedtea-web\deployment.properties"; this is the contents:

#Netx deployment configuration
#ows.install4j.propertyUpdate=1599235195818
#Tue Sep 08 10:00:57 EDT 2020
deployment.javaws.shortcut=ASK_USER
deployment.log=true
deployment.console.startup.mode=SHOW
ows.install4j.propertyUpdate=1599573657711
deployment.javaws.autodownload.locked=true
deployment.log.file=true
ows.jvm.manager.updateStrategy=DO_NOTHING_ON_LOCAL_MATCH
deployment.security.level.locked=true
What do I need to do to make the permission policy stick?

Janak Mulani
Posts: 726
Joined: 24 Mar 2020, 13:37

Re: Cannot overcome SocketPermission access denied

Post by Janak Mulani »

Hi

I created a setup like yours by having a System level deployment config which points to a deployment.properties (DP for short) file which then points to a custom policy file.

When a System level DP is defined, OWS reads it as well as the User level DP in the <User Home>/.config/icedtea-web dir. Properties from both are considered, but a property in the System level DP takes precedence over the same property in the user level DP.

I found that Permissions from

deployment.system.security.policy=file:///C:/.../my_java.policy 
are not considered by ITW even though the Permissions from that file are read to create a Policy object. It did not matter if I had this property in System level DP or User level DP.

What worked was having the Permission added to the java.policy file of the JRE being used to run the JNLP application.

We need to dig deeper into this to find out why Permissions defined in a custom java.policy specified in DP are not taking effect. For this we would like to understand your setup. Would it be possible to have a Zoom meeting for this? Please reply at openwebstart@karakun.com to arrive at a mutually convenient time for the meeting.

Thanks

Janak

mindjoy
Posts: 7
Joined: 04 Sep 2020, 18:48
Location: Cleveland, OH, USA

Re: Cannot overcome SocketPermission access denied

Post by mindjoy »

In my JNLP file I have the following:

    <security>
        <all-permissions/>
    </security>
I reverted all the changes made to all the following files to the original default contents:
  • deployment.config
  • deployment.properties
  • java.policy
in the following paths:
  • C:\Program Files\Java\jre1.8.0_251\lib\security
  • C:\Windows\Sun\Java\Deployment
  • <User Home>\.config\icedtea-web\security
Then cleared the cache, ran my application, but still got:

Denying permission: ("java.net.SocketPermission" "my-dev-server" "resolve")

It does not help if I put the following into the main java.policy file in C:\Program Files\Java\jre1.8.0_251\lib\security:

        permission java.net.SocketPermission "my-dev-server:0", "resolve";
What do I need to do to allow SocketPermission to my server my-dev-server?

Janak Mulani
Posts: 726
Joined: 24 Mar 2020, 13:37

Re: Cannot overcome SocketPermission access denied

Post by Janak Mulani »

Hi,

You say that you have <all-permissions/> in the jnlp file and yet you are getting "Denying permission: ("java.net.SocketPermission" "my-dev-server" "resolve")". This is strange because, as we discussed, with all-permissions the app should have the permission to connect to and resolve any hostname.

You say that you have included "permission java.net.SocketPermission "my-dev-server:0", "resolve";" in C:\Program Files\Java\jre1.8.0_251\lib\security\java.policy. Is this the JRE being used to run the application specified in the jnlp file? Can you please check in the log files which exact JRE is used to run your app? The logs can be found in the <UserHome>\.config\icedtea-web directory.

As explained to you in our call, with <all-permissions/> the app should run without the permission denied problem. But since it is not working we will have to find a solution in the code. We will be happy to offer you paid support to look at your particular problem. Please let us know.

Thanks
Janak

mindjoy
Posts: 7
Joined: 04 Sep 2020, 18:48
Location: Cleveland, OH, USA

Re: Cannot overcome SocketPermission access denied

Post by mindjoy »

According to the following Java documentation:

https://docs.oracle.com/javase/7/docs/technotes/guides/javaws/developersguide/syntax.html
If the all-permissions element is specified, the application has full access to the client machine and local network. All JAR files must be signed. The user is prompted to accept the certificate and agree to run the application.
It only allows full access to the local machine, not other servers, such as "my-dev-server". It looks to me that OpenWebStart does not honor any permission statements in any of the java.policy files, since I tried all of them but got the same error "Denying permission: ("java.net.SocketPermission" "my-dev-server" "resolve")". Of course, "C:\Program Files\Java\jre1.8.0_251" is the JRE which runs OpenWebStart and is specified in OWS settings and its logs, which I already mentioned below.

I am not trying anything crazy here, just a simple setup which enables running the Java application via JNLP and OpenWebStart, which accesses different servers on the corporate intranet.

mindjoy
Posts: 7
Joined: 04 Sep 2020, 18:48
Location: Cleveland, OH, USA

Re: Cannot overcome SocketPermission access denied

Post by mindjoy »

Sorry for the confusion; finally I was able to make it work. The trick was with the server names: I had to add another server name to the main JRE java.policy file, i.e. in the format of:

        permission java.net.SocketPermission "my-dev-server1:0", "resolve";
        permission java.net.SocketPermission "my-dev-server2:0", "resolve";
What is the preferred way of specifying this permission? Does it always have to go to the main JRE java.policy file or do you recommend placing it into the java.policy in "C:\Windows\Sun\Java\Deployment\", or perhaps, something completely different? Thank you for your help!
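As an added illustration (not code from this thread or from the OpenWebStart project), the following Java program loads a policy file through the JRE's own "JavaPolicy" provider and reports which SocketPermissions unsigned application code would actually be granted by it. The policy text is a constructed sample mirroring the grant block posted earlier in the thread; "my-dev-server2" and "other-host" are hypothetical names. It assumes a JDK on which java.security.Policy is still usable (Java 8 through 21).

```java
import java.io.IOException;
import java.net.SocketPermission;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.URIParameter;
import java.security.cert.Certificate;

/**
 * Loads a java.policy file the same way the JRE does and reports which
 * SocketPermissions an application code source would be granted by it.
 * Useful for checking a policy file before deploying it, independently of
 * which file OWS ends up loading at runtime.
 */
public class PolicyCheck {

    // Constructed sample policy: the "resolve" grant from the thread plus a
    // hypothetical second host, so both entries can be checked at once.
    static final String SAMPLE_POLICY =
        "grant {\n" +
        "    permission java.net.SocketPermission \"localhost:0\", \"listen\";\n" +
        "    permission java.net.SocketPermission \"my-dev-server:0\", \"resolve\";\n" +
        "    permission java.net.SocketPermission \"my-dev-server2:0\", \"resolve\";\n" +
        "};\n";

    /** Parse a policy file exactly as the default JavaPolicy provider would. */
    static Policy loadPolicy(Path policyFile) throws NoSuchAlgorithmException {
        return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
    }

    /**
     * True if the policy grants {@code needed} to code from {@code source}.
     * A CodeSource with no location and no signers matches only the
     * codeBase-less "grant { ... }" block, i.e. what an application that has
     * no grant entry of its own receives.
     */
    static boolean isGranted(Policy policy, CodeSource source, Permission needed) {
        PermissionCollection granted = policy.getPermissions(source);
        return granted.implies(needed);
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        Path tmp = Files.createTempFile("sample", ".policy");
        Files.write(tmp, SAMPLE_POLICY.getBytes(StandardCharsets.UTF_8));
        Policy policy = loadPolicy(tmp);

        // Unsigned code with no specific location: only the default grant applies.
        CodeSource appSource = new CodeSource(null, (Certificate[]) null);

        // The permission the SecurityManager checks carries no port (see the
        // denial message in the thread). SocketPermission ignores the port
        // range when the requested action is only "resolve", which is why a
        // "host:0" grant can satisfy a port-less "resolve" request.
        Permission[] checks = {
            new SocketPermission("my-dev-server", "resolve"),
            new SocketPermission("my-dev-server2", "resolve"),
            new SocketPermission("my-dev-server", "connect"), // "connect" is not listed in the policy
            new SocketPermission("other-host", "resolve"),    // host is absent from the policy
        };
        for (Permission p : checks) {
            System.out.printf("%-60s -> %s%n", p, isGranted(policy, appSource, p) ? "GRANTED" : "DENIED");
        }
        Files.deleteIfExists(tmp);
    }
}
```

Run it with `javac PolicyCheck.java && java PolicyCheck`. Two caveats: SocketPermission.implies may try to resolve the host names it compares, and falls back to a literal hostname comparison when resolution fails, so results can differ between an offline workstation and the corporate network; and this check only says what a given file grants, not which file OWS/ITW actually applies, which is the separate problem discussed in this thread. The "other-host" line is the situation the resolution post describes: every host the application touches needs its own entry, and the denial names the one that is missing.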

Janak Mulani
Posts: 726
Joined: 24 Mar 2020, 13:37

Re: Cannot overcome SocketPermission access denied

Post by Janak Mulani »

> What is the preferred way of specifying this permission? Does it always have to go to the main JRE java.policy file or do you recommend placing it into the java.policy in "C:\Windows\Sun\Java\Deployment\", or perhaps, something completely different? Thank you for your help!
Depends on your company's Sys Admin policy. However, putting it in the JRE is not advisable, as the JRE used by OWS will change as per the preferred JRE version in the JNLP file, as per OWS JVM manager settings, or when JREs are upgraded, etc.

Best would be to have your custom java.policy pointed to by deployment.properties:

deployment.system.security.policy=file:///C:/.../my_java.policy 

which can be picked up by OWS. Unfortunately there seems to be a problem with this code in OWS/ITW. If you would like to have it fixed on priority basis we can make an offer to you. Please let us know.
