Thanks for the reply. I granted the additional permissions to derbynet.jar, but it did not work. But I solved the security policy problem with the following work.
I modified 'grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derbynet.jar" '
to 'grant codeBase "file:///C:/Apache/db-derby-10.8.2.2-bin-slave/lib/derbynet.jar" '

and before starting the slave server I set DERBY_HOME to the slave database installed path:

setx DERBY_HOME C:\Apache\db-derby-10.8.2.2-bin-slave

Then the server started nicely and replication works properly.

Thanks a lot.
YongHwan, Jung

2014-07-30 22:21 GMT+09:00 Rick Hillegas <[email protected]>:

> Thanks for including your policy file and the stack trace. This appears to
> be a bug in Derby. I have filed
> https://issues.apache.org/jira/browse/DERBY-6680 to track this issue. Try
> granting the following additional permissions to derbynet.jar:
>
> permission java.util.PropertyPermission "derby.ui.codeset", "read";
> permission java.util.PropertyPermission "derby.ui.locale", "read";
>
> Thanks for finding this bug,
> -Rick
>
> On 7/29/14 7:14 PM, 정용환 wrote:
>
>> Thanks for the reply
>>
>> It's my custom security policy
>>
>> grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derby.jar"
>> {
>>   //
>>   // These permissions are needed for everyday, embedded Derby usage.
>>   //
>>   permission java.lang.RuntimePermission "createClassLoader";
>>   permission java.util.PropertyPermission "derby.*", "read";
>>   permission java.util.PropertyPermission "user.dir", "read";
>>   permission java.util.PropertyPermission "derby.storage.jvmInstanceId", "write";
>>   // The next two properties are used to determine if the VM is 32 or 64 bit.
>>   permission java.util.PropertyPermission "sun.arch.data.model", "read";
>>   permission java.util.PropertyPermission "os.arch", "read";
>>   permission java.io.FilePermission "C:\derby\slave","read";
>>   permission java.io.FilePermission "C:\derby\slave${/}-", "read,write,delete";
>>
>>   //
>>   // This permission lets a DBA reload the policy file while the server
>>   // is still running. The policy file is reloaded by invoking the
>>   // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
>>   //
>>   permission java.security.SecurityPermission "getPolicy";
>>   //
>>   // This permission lets you backup and restore databases
>>   // to and from arbitrary locations in your file system.
>>   //
>>   // This permission also lets you import/export data to and from
>>   // arbitrary locations in your file system.
>>   //
>>   // You may want to restrict this access to specific directories.
>>   //
>>   permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
>>
>>   //
>>   // Permissions needed for JMX based management and monitoring, which is only
>>   // available for JVMs supporting "platform management", that is J2SE 5.0 or better.
>>   //
>>   // Allows this code to create an MBeanServer:
>>   //
>>   permission javax.management.MBeanServerPermission "createMBeanServer";
>>   //
>>   // Allows access to Derby's built-in MBeans, within the domain org.apache.derby.
>>   // Derby must be allowed to register and unregister these MBeans.
>>   // It is possible to allow access only to specific MBeans, attributes or
>>   // operations. To fine tune this permission, see the javadoc of
>>   // javax.management.MBeanPermission or the JMX Instrumentation and Agent
>>   // Specification.
>>   //
>>   permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]","registerMBean,unregisterMBean";
>>   //
>>   // Trusts Derby code to be a source of MBeans and to register these in the MBean server.
>>   //
>>   permission javax.management.MBeanTrustPermission "register";
>>   // getProtectionDomain is an optional permission needed for printing classpath
>>   // information to derby.log
>>   permission java.lang.RuntimePermission "getProtectionDomain";
>>   //
>>   // The following permission must be granted for Connection.abort(Executor) to work.
>>   // Note that this permission must also be granted to outer (application) code domains.
>>   //
>>   permission java.sql.SQLPermission "callAbort";
>>   permission java.net.SocketPermission "192.168.0.10:9001", "listen";
>>
>>   //add to replicate
>>   permission java.net.SocketPermission "192.168.0.10", "accept,resolve";
>> };
>> grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derbynet.jar"
>> {
>>   //
>>   // This permission lets the Network Server manage connections from clients.
>>   //
>>   // Accept connections from any host. Derby is listening to the host
>>   // interface specified via the -h option to "NetworkServerControl
>>   // start" on the command line, via the address parameter to the
>>   // org.apache.derby.drda.NetworkServerControl constructor in the API
>>   // or via the property derby.drda.host; the default is localhost.
>>   // You may want to restrict allowed hosts, e.g. to hosts in a specific
>>   // subdomain, e.g. "*.acme.com".
>>
>>   permission java.net.SocketPermission "*", "accept";
>>   //
>>   // Needed for server tracing.
>>   //
>>   permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";
>>   //
>>   // JMX: Uncomment this permission to allow the ping operation of the
>>   // NetworkServerMBean to connect to the Network Server.
>>   //permission java.net.SocketPermission "*", "connect,resolve";
>>
>>   //
>>   // Needed by sysinfo. The file permission is needed to
>>   // check the existence of jars on the classpath. You can
>>   // limit this permission to just the locations which hold
>>   // your jar files.
>>   //
>>   // In this template file, this block of permissions is granted
>>   // to derbynet.jar under the assumption that derbynet.jar is
>>   // the first jar file in your classpath which contains the
>>   // sysinfo classes. If that is not the case, then you will want
>>   // to grant this block of permissions to the first jar file
>>   // in your classpath which contains the sysinfo classes.
>>   // Those classes are bundled into the following Derby
>>   // jar files:
>>   //
>>   // derbynet.jar
>>   // derby.jar
>>   // derbyclient.jar
>>   // derbytools.jar
>>   //
>>   permission java.util.PropertyPermission "user.*", "read";
>>   permission java.util.PropertyPermission "java.home", "read";
>>   permission java.util.PropertyPermission "java.class.path", "read";
>>   permission java.util.PropertyPermission "java.runtime.version", "read";
>>   permission java.util.PropertyPermission "java.fullversion", "read";
>>   permission java.lang.RuntimePermission "getProtectionDomain";
>>   permission java.io.FilePermission "<<ALL FILES>>", "read";
>>   permission java.io.FilePermission "java.runtime.version", "read";
>>   permission java.io.FilePermission "java.fullversion", "read";
>> };
>>
>> And the following is the execute script in startNetworkServer.bat
>>
>> "%_JAVACMD%" -Djava.security.manager -Djava.security.policy=C:\Apache\db-derby-10.8.2.2-bin-slave\lib\igoServer.policy -Djava.security.debug=access:failure %DERBY_OPTS% -classpath "%LOCALCLASSPATH%" org.apache.derby.drda.NetworkServerControl start %DERBY_CMD_LINE_ARGS%
>>
>> And there is no log in derby.log,
>> so I got a log with -Djava.security.debug=access:failure
>>
>> The following is a summary of the exception stack trace of the security exception
>>
>> access: access denied (java.util.PropertyPermission derby.ui.codeset read)
>> java.lang.Exception: Stack trace
>>     at java.lang.Thread.dumpStack(Thread.java:1206)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>     at java.security.AccessController.checkPermission(AccessController.java:546)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>     at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>     at java.lang.System.getProperty(System.java:650)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.run(Unknown Source)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.getEnvProperty(Unknown Source)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.init(Unknown Source)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.<init>(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.init(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>     at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: domain that failed ProtectionDomain (file:/C:/Apache/db-derby-10.8.2.2-bin/lib/derby.jar <no signer certificates>)
>>  sun.misc.Launcher$AppClassLoader@19821f
>>  <no principals>
>>  java.security.Permissions@1f7d134 (
>>  (java.util.PropertyPermission line.separator read)
>>  (java.util.PropertyPermission java.vm.version read)
>>  (java.util.PropertyPermission java.vm.specification.version read)
>>  (java.util.PropertyPermission java.vm.specification.vendor read)
>>  (java.util.PropertyPermission java.vendor.url read)
>>  (java.util.PropertyPermission java.vm.name read)
>>  (java.util.PropertyPermission os.name read)
>>  (java.util.PropertyPermission java.vm.vendor read)
>>  (java.util.PropertyPermission path.separator read)
>>  (java.util.PropertyPermission java.specification.name read)
>>  (java.util.PropertyPermission os.version read)
>>  (java.util.PropertyPermission os.arch read)
>>  (java.util.PropertyPermission java.class.version read)
>>  (java.util.PropertyPermission java.version read)
>>  (java.util.PropertyPermission file.separator read)
>>  (java.util.PropertyPermission java.vendor read)
>>  (java.util.PropertyPermission java.vm.specification.name read)
>>  (java.util.PropertyPermission java.specification.version read)
>>  (java.util.PropertyPermission java.specification.vendor read)
>>  (java.io.FilePermission \C:\Apache\db-derby-10.8.2.2-bin\lib\derby.jar read)
>>  (java.net.SocketPermission localhost:1024- listen,resolve)
>>  (java.lang.RuntimePermission stopThread)
>>  (java.lang.RuntimePermission exitVM)
>> )
>>
>> access: access denied (java.util.PropertyPermission derby.ui.locale read)
>> java.lang.Exception: Stack trace
>>     at java.lang.Thread.dumpStack(Thread.java:1206)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>     at java.security.AccessController.checkPermission(AccessController.java:546)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>     at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>     at java.lang.System.getProperty(System.java:650)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.run(Unknown Source)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.getEnvProperty(Unknown Source)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.init(Unknown Source)
>>     at org.apache.derby.iapi.tools.i18n.LocalizedResource.<init>(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.init(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>     at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: domain that failed ProtectionDomain (file:/C:/Apache/db-derby-10.8.2.2-bin/lib/derby.jar <no signer certificates>)
>>  sun.misc.Launcher$AppClassLoader@19821f
>>  <no principals>
>>  java.security.Permissions@c7e553 (
>>  (java.util.PropertyPermission line.separator read)
>>  (java.util.PropertyPermission java.vm.version read)
>>  (java.util.PropertyPermission java.vm.specification.version read)
>>  (java.util.PropertyPermission java.vm.specification.vendor read)
>>  (java.util.PropertyPermission java.vendor.url read)
>>  (java.util.PropertyPermission java.vm.name read)
>>  (java.util.PropertyPermission os.name read)
>>  (java.util.PropertyPermission java.vm.vendor read)
>>  (java.util.PropertyPermission path.separator read)
>>  (java.util.PropertyPermission java.specification.name read)
>>  (java.util.PropertyPermission os.version read)
>>  (java.util.PropertyPermission os.arch read)
>>  (java.util.PropertyPermission java.class.version read)
>>  (java.util.PropertyPermission java.version read)
>>  (java.util.PropertyPermission file.separator read)
>>  (java.util.PropertyPermission java.vendor read)
>>  (java.util.PropertyPermission java.vm.specification.name read)
>>  (java.util.PropertyPermission java.specification.version read)
>>  (java.util.PropertyPermission java.specification.vendor read)
>>  (java.io.FilePermission \C:\Apache\db-derby-10.8.2.2-bin\lib\derby.jar read)
>>  (java.net.SocketPermission localhost:1024- listen,resolve)
>>  (java.lang.RuntimePermission stopThread)
>>  (java.lang.RuntimePermission exitVM)
>> )
>> access: access denied (java.util.PropertyPermission derby.system.home read)
>> java.lang.Exception: Stack trace
>>     at java.lang.Thread.dumpStack(Thread.java:1206)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>     at java.security.AccessController.checkPermission(AccessController.java:546)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>     at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>     at java.lang.System.getProperty(System.java:650)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.PBinitialize(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.initialize(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>>     at org.apache.derby.iapi.services.monitor.Monitor.getMonitorLite(Unknown Source)
>>     at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>     at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>     at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: access denied (java.io.FilePermission derby.properties read)
>> java.lang.Exception: Stack trace
>>     at java.lang.Thread.dumpStack(Thread.java:1206)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>     at java.security.AccessController.checkPermission(AccessController.java:546)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>     at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>>     at java.io.File.exists(File.java:731)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.PBapplicationPropertiesStream(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.applicationPropertiesStream(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.BaseMonitor.readApplicationProperties(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>>     at org.apache.derby.iapi.services.monitor.Monitor.getMonitorLite(Unknown Source)
>>     at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>     at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>     at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>> access: access denied (java.util.PropertyPermission derby.drda.logConnections read)
>> java.lang.Exception: Stack trace
>>     at java.lang.Thread.dumpStack(Thread.java:1206)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>     at java.security.AccessController.checkPermission(AccessController.java:546)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>     at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
>>     at java.lang.System.getProperty(System.java:650)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.PBgetJVMProperty(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.run(Unknown Source)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.getJVMProperty(Unknown Source)
>>     at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>     at org.apache.derby.iapi.services.property.PropertyUtil.getSystemProperty(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.getPropertyInfo(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.<init>(Unknown Source)
>>     at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>>
>> access: access denied (java.io.FilePermission derby.log read)
>> java.lang.Exception: Stack trace
>>     at java.lang.Thread.dumpStack(Thread.java:1206)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
>>     at java.security.AccessController.checkPermission(AccessController.java:546)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>     at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>>     at java.io.File.exists(File.java:731)
>>     at org.apache.derby.impl.services.stream.SingleStream.PBmakeFileHPW(Unknown Source)
>>     at org.apache.derby.impl.services.stream.SingleStream.run(Unknown Source)
>>     at java.security.AccessController.doPrivileged(Native Method)
>>     at org.apache.derby.impl.services.stream.SingleStream.makeFileHPW(Unknown Source)
>>     at org.apache.derby.impl.services.stream.SingleStream.createDefaultStream(Unknown Source)
>>     at org.apache.derby.impl.services.stream.SingleStream.makeStream(Unknown Source)
>>     at org.apache.derby.impl.services.stream.SingleStream.boot(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.BaseMonitor.boot(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.TopService.bootModule(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.BaseMonitor.startModule(Unknown Source)
>>     at org.apache.derby.iapi.services.monitor.Monitor.startSystemModule(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.BaseMonitor.runWithState(Unknown Source)
>>     at org.apache.derby.impl.services.monitor.FileMonitor.<init>(Unknown Source)
>>     at org.apache.derby.iapi.services.monitor.Monitor.startMonitor(Unknown Source)
>>     at org.apache.derby.iapi.jdbc.JDBCBoot.boot(Unknown Source)
>>     at org.apache.derby.jdbc.EmbeddedDriver.boot(Unknown Source)
>>     at org.apache.derby.jdbc.EmbeddedDriver.<clinit>(Unknown Source)
>>     at java.lang.Class.forName0(Native Method)
>>     at java.lang.Class.forName(Class.java:169)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.startNetworkServer(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.blockingStart(Unknown Source)
>>     at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
>>     at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)
>>
>> Thank you
>>
>> 2014-07-29 21:48 GMT+09:00 Rick Hillegas <[email protected]>:
>>
>> Could you attach the security policy you are using as well as the
>> derby.log file which shows the complete stack trace of the
>> security exception?
>>
>> Thanks,
>> -Rick
>>
>> On 7/28/14 10:03 PM, 정용환 wrote:
>>
>> Hello, I am a Derby user in Korea.
>>
>> I have a problem when I try replication.
>>
>> I succeeded in replication with embedded mode,
>> and in replication with server mode with no security manager.
>>
>> But replication does not work with server mode with the security manager.
>>
>> The manual said
>>
>> "If you want to perform replication with the security manager
>> enabled, you must modify
>> the security policy file on both the master and slave systems
>> to allow the master-slave
>> network connection."
>>
>> So I tried to modify the security policy file
>>
>> following the "Customizing the Network Server's security policy"
>> section
>>
>> but when I start the server with
>>
>> C:\Apache\db-derby-10.8.2.2-bin-slave\bin\startNetworkServer.bat -h 192.168.0.10 -p 1530
>>
>> and the following is part of startNetworkServer.bat
>>
>> "%_JAVACMD%" -Djava.security.manager -Djava.security.policy=C:\Apache\db-derby-10.8.2.2-bin-slave\lib %DERBY_OPTS% -classpath "%LOCALCLASSPATH%" org.apache.derby.drda.NetworkServerControl start %DERBY_CMD_LINE_ARGS%
>>
>> cmd log
>> "Thread[main,5,main] java.security.AccessControlException :
>> access denied (java.io.FilePermission derby.log read)"
>>
>> Then the server starts,
>> but when I connect to the db,
>> an error message shows
>> "data volume is not enough , expected minimum volume is 6 byte but
>> received volume is obyte. connect is end."
>>
>> Please give me a hint or solution to solve that problem.
>>
>> OS is Windows 7
>>
>> Thank you.
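A small linter for the mistake resolved in this thread, added here as an example (it is not code from the thread or from Derby). It flags codeBase values written with backslashes, because a codeBase is a URL and the policy parser treats "\" inside quoted strings as an escape character, and it also flags the broad grants that the template's own comments suggest restricting. The function name, the finding codes and the abridged sample policy are assumptions made for the example.

```python
import re

# Sample input assembled for this example: abridged from the policy quoted in
# the thread, with the second grant written in the corrected form.
SAMPLE_POLICY = r'''
grant codeBase "file:///C:\Apache\db-derby-10.8.2.2-bin-slave\lib\derby.jar"
{
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.io.FilePermission "C:\derby\slave${/}-", "read,write,delete";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
};
grant codeBase "file:///C:/Apache/db-derby-10.8.2.2-bin-slave/lib/derbynet.jar"
{
  permission java.net.SocketPermission "*", "accept";
  //permission java.net.SocketPermission "*", "connect,resolve";
  permission java.io.FilePermission "<<ALL FILES>>", "read";
};
'''

CODEBASE = re.compile(r'grant\s+codeBase\s+"([^"]*)"', re.IGNORECASE)
PERMISSION = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?')
# A backslash that is neither preceded nor followed by another backslash.
SINGLE_BACKSLASH = re.compile(r'(?<!\\)\\(?!\\)')


def lint_policy(text):
    """Return (line_number, code, detail) findings for a Java policy file.

    Only whole-line // comments are skipped; block comments are not handled.
    """
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue
        grant = CODEBASE.search(line)
        if grant and "\\" in grant.group(1):
            # Detail is the same URL rewritten with forward slashes.
            fixed = grant.group(1).replace("\\", "/")
            findings.append((number, "CODEBASE_BACKSLASH", fixed))
        perm = PERMISSION.search(line)
        if not perm:
            continue
        cls, target = perm.group(1), perm.group(2)
        actions = set((perm.group(3) or "").split(",")) - {""}
        listed = ",".join(sorted(actions))
        if cls == "java.io.FilePermission":
            if SINGLE_BACKSLASH.search(target):
                # Detail is the path with each backslash doubled.
                doubled = target.replace("\\", "\\\\")
                findings.append((number, "PATH_SINGLE_BACKSLASH", doubled))
            if target == "<<ALL FILES>>" and actions & {"write", "delete", "execute"}:
                findings.append((number, "BROAD_FILE_WRITE", listed))
        if cls == "java.net.SocketPermission" and target == "*":
            findings.append((number, "ANY_HOST_SOCKET", listed))
    return findings


if __name__ == "__main__":
    for number, code, detail in lint_policy(SAMPLE_POLICY):
        print(f"line {number}: {code}: {detail}")
```

Run against a real policy file by passing its contents to lint_policy(); the CODEBASE_BACKSLASH detail is the forward-slash form that made the grant take effect in this thread.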
