FilePermission issue with OWS and RHEL8

The public knowledge pool and discussion forum of the OWS community. Do not post confidential information here!
danmoser
Posts: 3
Joined: 08 Mar 2023, 18:38

FilePermission issue with OWS and RHEL8

Post by danmoser »

I'm migrating some self-signed WebStart (WS) applications from Oracle's Java 8 to OpenJDK11+OpenWebStart. However, I'm getting strange "java.io.FilePermission" errors after the migration. In other words, when launching the application's JNLP with Oracle's WS it works fine, but with OpenWebStart that error is triggered.

The errors are coming from the log4j2 files that are saved on a remote server. I tested it on a Windows machine, and it worked just fine! Thus, the "java.io.FilePermission" error should be related to my Linux RHEL8 system.

I've added this to the JAR's MANIFEST.MF, with no effect:

Code:

Codebase: *.mydomain.edu
Permissions: all-permissions

The way I found to solve the error was to manually change the java.policy file (at $HOME/.config/icedtea-web/security) with this:

Code:

grant codeBase "*.mydomain.edu" {
  permission java.io.FilePermission "<<ALL FILES>>", "read, write, execute, delete";
};

(Of course, this is not a recommended solution since the applications are used by many different users.)

My question is: how could I solve this in a more robust way? Is there a way to include a custom java.policy file inside the JAR file? Or does OpenWebStart require an extra configuration that I'm missing?
Thanks!

Janak Mulani
Posts: 726
Joined: 24 Mar 2020, 13:37

Re: FilePermission issue with OWS and RHEL8

Post by Janak Mulani »

> The errors are coming from the log4j2 files that are saved on a remote server. I tested it on a Windows machine, and it worked just fine! Thus, the "java.io.FilePermission" error should be related to my Linux RHEL8 system.

When do you get these errors? After the application is started by OWS? Can you please post the OWS logs?

danmoser
Posts: 3
Joined: 08 Mar 2023, 18:38

Re: FilePermission issue with OWS and RHEL8

Post by danmoser »

Hi Janak! I get the errors when starting the application in Linux.

This is what I get in the stderr:

Code:

WARNING: package javax.jnlp not in java.desktop
[myuser][ITW-CORE][2023-03-10 08:48:26.431 MST][WARN ][net.adoptopenjdk.icedteaweb.manifest.ManifestAttributesChecker][My Tool#428b8743] This application does not specify a Codebase in its manifest. Please verify with the applet''s vendor. Continuing. See: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html for details.
[myuser][ITW-CORE][2023-03-10 08:48:26.554 MST][WARN ][net.sourceforge.jnlp.JNLPFile][AWT-EventQueue-0#23a5fd2] Application title was not found in manifest. Check with application vendor
[myuser][ITW-CORE][2023-03-10 08:48:26.813 MST][WARN ][net.sourceforge.jnlp.JNLPFile][My Tool#428b8743] Application title was not found in manifest. Check with application vendor
Exception in thread "My Tool" java.lang.RuntimeException: java.lang.ExceptionInInitializerError[myuser][ITW-CORE][2023-03-10 08:48:27.707 MST][ERROR][net.sourceforge.jnlp.Launcher][My Tool#428b8743]
General Throwable encountered:
java.lang.ExceptionInInitializerError
	at org.apache.log4j.Logger.getLogger(Logger.java:117)
	at edu.mydomain.clientMain.<clinit>(clientMain.java:29)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:406)
	at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:71)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:660)
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:272)
	at java.base/java.lang.SecurityManager.checkWrite(SecurityManager.java:752)
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:225)
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
	at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
	at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:207)
	at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
	at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
	at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:172)
	at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:104)
	at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:809)
	at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:735)
	at org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:615)
	at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:502)
	at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:547)
	at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
	at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
	... 9 more


	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:681)
Caused by: java.lang.ExceptionInInitializerError
	at org.apache.log4j.Logger.getLogger(Logger.java:117)
	at edu.mydomain.clientMain.<clinit>(clientMain.java:29)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:406)
	at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:71)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:660)
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
	at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:272)
	at java.base/java.lang.SecurityManager.checkWrite(SecurityManager.java:752)
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:225)
	at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
	at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
	at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:207)
	at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
	at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
	at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:172)
	at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:104)
	at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:809)
	at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:735)
	at org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:615)
	at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:502)
	at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:547)
	at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
	at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
	... 9 more
dfaes][

And this could be relevant info in the stdout:

Code:

[myuser][ITW-CORE][2023-03-10 08:48:21.180 MST][DEBUG][net.sourceforge.jnlp.config.DeploymentConfiguration][main#73a8dfcc] Won't save property 'deployment.security.trusted.policy' since its current value is its default value ('null')
[myuser][ITW-CORE][2023-03-10 08:48:21.180 MST][DEBUG][net.sourceforge.jnlp.config.DeploymentConfiguration][main#73a8dfcc] Will not lock property 'deployment.security.trusted.policy'

Thanks for the help!
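
The `<<ALL FILES>>` grant from the first post is far broader than what the stack trace above shows was denied. As an added example (not code from the posters or from OpenWebStart), this Python sketch reads `AccessControlException` lines in the format shown in the stderr output and renders a grant limited to the denied paths and actions; the `codeBase` URL is a placeholder and the second sample path is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: AccessControlException lines in the format shown in the
# stderr output above (the ".1" path is made up for illustration).
SAMPLE_STDERR = '''\
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log.1" "read")
'''

DENIED = re.compile(
    r'access denied \("java\.io\.FilePermission" "([^"]+)" "([^"]+)"\)')

# Placeholder (assumption): replace with the URL the signed JARs are served from.
CODEBASE = "https://HOST.EXAMPLE/PATH/-"


def denied_file_permissions(log_text):
    """Map each denied path to the sorted list of actions that were refused."""
    actions = defaultdict(set)
    for path, acts in DENIED.findall(log_text):
        actions[path].update(a.strip() for a in acts.split(","))
    return {path: sorted(acts) for path, acts in actions.items()}


def policy_grant(denied, codebase=CODEBASE):
    """Render one grant block covering only the denied paths and actions."""
    lines = ['grant codeBase "%s" {' % codebase]
    for path in sorted(denied):
        if "<<ALL FILES>>" in path:
            raise ValueError("refusing to emit a blanket FilePermission")
        lines.append('  permission java.io.FilePermission "%s", "%s";'
                     % (path, ",".join(denied[path])))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(policy_grant(denied_file_permissions(SAMPLE_STDERR)))
```

Only denials that actually appear in the log are covered, so the output is a starting point to review, not a complete policy.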

Janak Mulani
Posts: 726
Joined: 24 Mar 2020, 13:37

Re: FilePermission issue with OWS and RHEL8

Post by Janak Mulani »

Please post the complete stage 1 and stage 2 OWS log files.

danmoser
Posts: 3
Joined: 08 Mar 2023, 18:38

Re: FilePermission issue with OWS and RHEL8

Post by danmoser »

I don't know exactly what was causing this problem, but I found a way to solve it. As we can see in the error message, it was related to log4j.

I was using log4j 2.17 but still with log4j 1.x syntax to write the logs. I needed to update the syntax to log4j 2.x, and it worked just fine, both in Windows and Linux.

Thanks for offering help, @Janak!
