rmi policy
Hi there,
I am trying to get the RMI tutorial (http://java.sun.com/docs/books/tutorial/rmi/index.html) to work with ClassFileServer (http://java.sun.com/javase/technologies/core/basic/rmi/class-server.zip) as mentioned in the tutorial. The ClassFileServer was instantiated inside the RMI server instead of running one separately. I am currently having a problem with understanding a policy file as I am a newbie in this area. I could get the server running using the following server.policy:
grant codeBase"file:home/ann/src/"{
permission java.security.AllPermission;
};
grant codeBase"file:/home/ann/public_html/classes/class-server.jar"{
permission java.security.AllPermission;
};
But as soon as I replace the above with the one below, I got the following error: java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:{port number} accept, resolve)
grant codeBase"file:home/ann/src/"{
// The following is needed for name rebind...
permission java.net.SocketPermission"localhost:1099","connect, resolve";
};
grant codeBase"file:/home/ann/public_html/classes/class-server.jar"{
permission java.security.AllPermission;
};
Error stack trace indicated that the following line in ClassServer causes the problem: socket = server.accept();
My question is why this is possible, as I have given all classes in class-server.jar (ClassServer resides in this jar file) access to everything (as indicated by the line 'permission java.security.AllPermission').
Second question is: how then should the correct server.policy file look? Any help would be greatly appreciated.
By seek123a at 2007-11-27 3:42:31

# 1
grant {permission java.security.AllPermission "", "";};
# 2
Hi, thanks for the reply. Yes, I know that this will work. But I really don't want to grant unnecessary access for security reason I suppose. Also I read it somewhere that we are not supposed to use this wide-open policy for production... Cheers
# 3
> permission java.net.SocketPermission "localhost:1099", "connect, resolve";
permission java.net.SocketPermission "localhost:1099", "connect, accept, resolve";
ejpa at 2007-7-12 8:46:07

# 4
Hi, thanks for the reply. I tried your suggestion to no avail... :(
# 5
If you're still getting an AccessControlException from ServerSocket.accept() with that permission, you can't be setting the policy file location correctly, or maybe the codebase specification is wrong. You have 'file:home/ann/src/', shouldn't that be 'file:/home/ann/src/'?
If that doesn't fix it, can you run your program with -Djava.security.debug=access,failure? This will show you (a) what permissions are in effect and (b) much more detail about the access control failure.
ejpa at 2007-7-12 8:46:07

# 6
Sorry, I missed something here. Those permissions are only letting you accept from 'localhost'. You need to add a permission entry for accepting:
> > permission java.net.SocketPermission "localhost:1099", "connect, accept, resolve";
permission java.net.SocketPermission "localhost:1099", "connect, resolve";
permission java.net.SocketPermission "*:1025-", "accept, resolve";
ejpa at 2007-7-12 8:46:07
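To see why the first grant block fails while the one suggested above succeeds, here is an added example (not code from this thread or from Sun's ClassFileServer) that models both grant blocks as java.security.Permissions collections and asks the JDK's own implies() logic whether they cover the checks made by Naming.rebind() and by ServerSocket.accept() in ClassServer. The peer address 127.0.0.1 and the class-server port 2002 are taken from the thread; no policy file or SecurityManager is needed to run it.

```java
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Permissions;

public class PolicyCheck {

    /** Build the equivalent of one "grant codeBase ... { ... }" block from host/actions pairs. */
    static Permissions grantBlock(String... hostAndActions) {
        Permissions grant = new Permissions();
        for (int i = 0; i + 1 < hostAndActions.length; i += 2) {
            grant.add(new SocketPermission(hostAndActions[i], hostAndActions[i + 1]));
        }
        return grant;
    }

    /** Does the grant block satisfy the permission the runtime will check for? */
    static boolean covers(Permissions grant, Permission needed) {
        return grant.implies(needed);
    }

    public static void main(String[] args) {
        // Check performed by ServerSocket.accept() in ClassServer when a local
        // client connects to the class server on port 2002 (assumed peer: 127.0.0.1).
        Permission accept = new SocketPermission("127.0.0.1:2002", "accept,resolve");
        // Check performed by Naming.rebind() when talking to rmiregistry on 1099.
        Permission rebind = new SocketPermission("localhost:1099", "connect,resolve");

        // Grant block from the question: connect only, and only to port 1099.
        Permissions original = grantBlock("localhost:1099", "connect,resolve");
        // Grant block from reply #6: a separate accept entry for ports 1025 and up.
        Permissions fixed = grantBlock("localhost:1099", "connect,resolve",
                                       "*:1025-", "accept,resolve");

        System.out.println("original covers rebind: " + covers(original, rebind));
        System.out.println("original covers accept: " + covers(original, accept));
        System.out.println("fixed covers rebind:    " + covers(fixed, rebind));
        System.out.println("fixed covers accept:    " + covers(fixed, accept));
        // The "1025-" port range keeps privileged ports out of the accept grant.
        Permission lowPort = new SocketPermission("127.0.0.1:80", "accept,resolve");
        System.out.println("fixed covers port 80:   " + covers(fixed, lowPort));
    }
}
```

The original block fails the accept check on two counts, the action (connect is not accept) and the port (2002 is outside 1099), which is exactly the AccessControlException quoted in the question; the wildcard entry passes it while still refusing the port-80 case.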

# 7
Hi ejp,
Thanks for the reply. Following your suggestion, I kind of got that to work. It solved the original problem, but I am having new problems now. The following is what my server.policy looks like:
grant codeBase "file:/home/ann/src/" {
permission java.net.SocketPermission "*:1025-", "accept, resolve";
permission java.net.SocketPermission "*:1099", "connect, resolve";
};
grant codeBase "file:/home/ann/public_html/classes/class-server.jar" {
permission java.security.AllPermission;
};
First question, why doesn't rmiregistry seem to understand localhost? If I use
permission java.net.SocketPermission "localhost:1099", "connect, resolve";
I will get an 'access denied' error. Changing localhost to my machine's IP address solves the problem. Mapping this IP address to localhost in the 'hosts' file (Windows) does not solve the problem.
Second question. I now get java.lang.ClassNotFoundException: compute.Compute using the above server.policy. I don't get this if the permissions for 'file:/home/ann/src/' are changed to the following:
grant codeBase "file:/home/ann/src/" {
permission java.security.AllPermission;
};
Any help will be greatly appreciated. Thanks.
# 8
(a) 'localhost' means 127.0.0.1. If you're not using 'localhost' or 127.0.0.1 in your lookup string, giving a SocketPermission to localhost has no effect.
(b) Your 2nd problem suggests that some required class is being found in file:/home/ann/src/ rather than in file:/home/ann/public_html/classes/class-server.jar, which seems to be your intention, and therefore is being associated with the wrong protection domain. You normally only deploy applications as JAR files so the point of file:/home/ann/src/ is pretty moot. But in any case you can control the order of searching of these codebases by the order in your classpath (or java.rmi.server.codebase setting).
ejpa at 2007-7-12 8:46:07

# 9
Actually the class that was not able to be found is hosted by a class server (this is an example class from Sun) that listens on port 2002. This class then reads the file from the /home/ann/public_html/classes directory. When I started the RMI server, I specified the following: -Djava.rmi.server.codebase=http://localhost:2002/ -Djava.rmi.server.hostname=localhost. Funny enough, this works if I grant all permissions to file:/home/ann/src/ (this is where the RMI server class lives).
This confuses me because the error that I got is not security related (ClassNotFound), yet if I change the security policy file (by granting all permissions), it seems to resolve the issue.
# 10
That would suggest that your codebase server isn't working. Check its logs for requests and errors.
> -Djava.rmi.server.hostname=localhost
Why are you doing that? That will mean that only clients on the same machine as the remote object will be able to connect to it. If that's what you want, OK, but it's very unusual. Mostly this setting is used to provide the 'most public' of a number of possible IP addresses the server can be contacted on, or the external address of a NAT router. Your setting is the 'least public'.
ejpa at 2007-7-12 8:46:07

# 11
Hi ejp, this is mainly for testing. I won't be doing that once the code is in production. :)