On 5/20/13 5:21 AM, Thomas wrote:
Rick Hillegas<rick.hillegas@...> writes:
I am running the 10.9.1.0 server using the basic security manager with the
default security policy settings.
Trying to inspect the system property settings from a stored procedure which
includes using java.lang.System.getProperty() I am getting:
Error: The exception 'java.security.AccessControlException: access denied
("java.util.PropertyPermission"
"derby.authentication.native.passwordLifetimeMillis" "read")' was thrown
while evaluating an expression.
SQLState: 38000
ErrorCode: -1
Error: Java exception: 'access denied ("java.util.PropertyPermission"
"derby.authentication.native.passwordLifetimeMillis" "read"):
java.security.AccessControlException'.
SQLState: XJ001
ErrorCode: 99999
I tried adding the line
permission java.util.PropertyPermission "java.lang.System.getProperty",
"read";
to the security.policy file and restarted the server, but I am still getting
the same error.
Can someone please advise which addition/change to security.policy is
exactly needed to prevent the error message? Would also be interested in
getting a hint on security risk behind that I should consider prior to
making that change? (if there would be none, I would suspect reading the
system properties would be possible using the default configuration).
Many thanks in advance.
Hi Thomas,
The grammar of permissions descriptors can be confusing. You may want to
take a look at the template policy file which ships with Derby and at
the section titled "Running Derby under a security manager" in the
Developer's Guide:
http://db.apache.org/derby/docs/10.10/devguide/index.html.
You will want to grant your application jars the following minimal
permission:
permission java.util.PropertyPermission
"derby.authentication.native.passwordLifetimeMillis", "read";
...and if you need to read other Derby properties, you may want to
broaden this permission to:
permission java.util.PropertyPermission "derby.*", "read";
I don't see much security risk in letting your application read the
Derby properties. Certainly not much risk in reading the password
timeout property. The only security-sensitive Derby properties are the
credentials properties used by the deprecated BUILTIN authentication scheme.
Hope this helps,
-Rick
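
The following is an added example, not part of the original thread and not Derby code. It uses the JDK's own `PropertyPermission.implies()` to show why the grant tried in the question does not cover the denied read while the two grants suggested in the reply do: the permission's target name is the property name, not the method being called. The class name and the final write-only grant are constructed for illustration.

```java
import java.security.Permission;
import java.util.PropertyPermission;

public class DerbyPropertyPermissionCheck {

    // The permission the security manager demands when
    // System.getProperty() is called for the property named in the error.
    static final Permission REQUIRED = new PropertyPermission(
            "derby.authentication.native.passwordLifetimeMillis", "read");

    // True if a policy entry with this name and action list would
    // satisfy the demanded permission.
    static boolean covers(String name, String actions) {
        return new PropertyPermission(name, actions).implies(REQUIRED);
    }

    public static void main(String[] args) {
        String[][] grants = {
            // Tried in the question: names the method, not a property.
            {"java.lang.System.getProperty", "read"},
            // Minimal grant from the reply: exactly one property.
            {"derby.authentication.native.passwordLifetimeMillis", "read"},
            // Broader grant from the reply: every property under "derby.".
            {"derby.*", "read"},
            // Constructed case: right name, wrong action.
            {"derby.authentication.native.passwordLifetimeMillis", "write"},
        };
        for (String[] g : grants) {
            System.out.printf("%-52s %-6s -> %s%n", g[0], g[1],
                    covers(g[0], g[1]) ? "covers the read" : "access denied");
        }
    }
}
```

The wildcard form matches only as a trailing `.*` (or a lone `*`), so `derby.*` covers every Derby property, including the BUILTIN credentials properties the reply identifies as security-sensitive.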