Rick,
Neither Netbeans nor ij dumped the stack, I’m afraid.
The full message is
Error code 30000, SQL state 38000: The exception
'java.security.AccessControlException: access denied
("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was thrown
while evaluating an expression.
Error code 99999, SQL state XJ001: Java exception: 'access denied
("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"):
java.security.AccessControlException’.
Line 1, column 1
Did get it working after a while with the security policy below, but ij will
not now run complaining
Exception in thread "main" java.security.AccessControlException: access denied
("java.util.PropertyPermission" "*" "read,write")
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at
java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at
java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262)
at java.lang.System.getProperties(System.java:630)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at org.apache.derby.impl.tools.ij.ij$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.derby.impl.tools.ij.ij.initFromEnvironment(Unknown Source)
at org.apache.derby.impl.tools.ij.utilMain.initFromEnvironment(Unknown
Source)
at org.apache.derby.impl.tools.ij.Main.<init>(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.getMain(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
at org.apache.derby.tools.ij.main(Unknown Source)
=========================================================================================
//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// This template policy file gives examples of how to configure the
// permissions needed to run a Derby network server with the Java
// Security manager.
//
grant codeBase
"file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derby.jar"
{
// These permissions are needed for everyday, embedded Derby usage.
//
permission java.lang.RuntimePermission "createClassLoader";
permission org.apache.derby.security.SystemPermission "engine",
"usederbyinternals";
// Next, the permission to read "derby.*" properties is granted to
// derby.jar. This is necessary for the engine to read derby properties.
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
// The next two properties are used to determine if the VM is 32 or 64 bit.
//
permission java.util.PropertyPermission "sun.arch.data.model", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${derby.system.home}${/}-",
"read,write,delete";
// This permission lets a DBA reload the policy file while the server is
// still running. The policy file is reloaded by invoking the
// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
//
permission java.security.SecurityPermission "getPolicy";
// This permission lets you backup and restore databases to and from
// arbitrary locations in your file system.
//
// This permission also lets you import/export data to and from arbitrary
// locations in your file system.
//
// You may want to restrict this access to specific directories.
//
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
// Permissions needed for JMX based management and monitoring.
//
// Allows this code to create an MBeanServer:
//
permission javax.management.MBeanServerPermission "createMBeanServer";
// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby. Derby must be allowed to register and unregister these
// MBeans. It is possible to allow access only to specific MBeans,
// attributes or operations. To fine tune this permission, see the javadoc of
// javax.management.MBeanPermission or the JMX Instrumentation and Agent
// Specification.
//
permission javax.management.MBeanPermission
"org.apache.derby.*#[org.apache.derby:*]",
"registerMBean,unregisterMBean";
// Trusts Derby code to be a source of MBeans and to register these in the
// MBean server.
//
permission javax.management.MBeanTrustPermission "register";
// getProtectionDomain is an optional permission needed for printing
// classpath information to derby.log
//
permission java.lang.RuntimePermission "getProtectionDomain";
//
// The following permission must be granted for Connection.abort(Executor) to
// work. Note that this permission must also be granted to outer
// (application) code domains.
//
permission java.sql.SQLPermission "callAbort";
// Needed by file permissions restriction system:
//
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
// My additions
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
};
grant codeBase
"file:///Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/db/lib/derbynet.jar"
{
// These permissions lets the Network Server manage connections from clients.
// Accept connections from any host. Derby is listening to the host interface
// specified via the -h option to "NetworkServerControl start" on the command
// line, via the address parameter to the
// org.apache.derby.drda.NetworkServerControl constructor in the API or via
// the property derby.drda.host; the default is localhost. You may want to
// restrict allowed hosts, e.g. to hosts in a specific subdomain,
// e.g. "*.example.com".
permission java.net.SocketPermission "*", "accept";
// Allow the server to listen to the socket on the default port (1527).
// If you have specified another port number with the -p option to
// "NetworkServerControl start" on the command line, or with the portNumber
// parameter to the NetworkServerControl constructor in the API, or with the
// property derby.drda.portNumber, you should change the port number in the
// permission statement accordingly.
permission java.net.SocketPermission "localhost:1527", "listen";
// Needed for server tracing.
//
permission java.io.FilePermission
"file:///Users/nwalton/.derby/dummy/traces${/}-",
"read,write,delete";
// Needed by file permissions restriction system:
//
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine",
"read, write";
// Needed to start the monitoring MBeans
permission org.apache.derby.security.SystemPermission "engine",
"usederbyinternals";
// JMX: Uncomment this permission to allow the ping operation of the
// NetworkServerMBean to connect to the Network Server.
//
permission java.net.SocketPermission "*", "connect,resolve";
// Needed by sysinfo. The file permission is needed to check the existence of
// jars on the classpath. You can limit this permission to just the locations
// which hold your jar files.
//
// In this template file, this block of permissions is granted to
// derbynet.jar under the assumption that derbynet.jar is the first jar file
// in your classpath which contains the sysinfo classes. If that is not the
// case, then you will want to grant this block of permissions to the first
// jar file in your classpath which contains the sysinfo classes. Those
// classes are bundled into the following Derby jar files:
//
// derbynet.jar
// derby.jar
// derbyclient.jar
// derbytools.jar
//
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.io.FilePermission "<<ALL FILES>>", "read";
// My additions
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
//permission java.net.SocketPermission "127.0.0.1:1527" "connect,resolve",
};
Nick
> On 19 Feb 2017, at 16:38, Rick Hillegas <[email protected]> wrote:
>
> Thanks for raising this issue, Nicholas. Can you include the full stack trace
> for the error? The template policy may need to grant some additional
> privilege to the engine jar file. It is also possible that you have run into
> the following defect: https://issues.apache.org/jira/browse/DERBY-4354
> <https://issues.apache.org/jira/browse/DERBY-4354>
>
> Thanks,
> -Rick
>
> On 2/17/17, 9:42 AM, nicholas walton wrote:
>>
>> Hi,
>>
>> I need to extend Java’s aggregate functions to include Median, using the
>> code below
>>
>> import java.util.ArrayList;
>> import java.util.Collections;
>> import org.apache.derby.agg.Aggregator;
>>
>> public class median<V extends Comparable<V>>
>> implements Aggregator<V,V,median<V>>
>> {
>> private ArrayList<V> _values;
>>
>> public median() {}
>>
>> public void init() { _values = new ArrayList<V>(); }
>>
>> public void accumulate( V value ) { _values.add( value ); }
>>
>> public void merge( median<V> other )
>> {
>> _values.addAll( other._values );
>> }
>>
>> public V terminate()
>> {
>> Collections.sort( _values );
>>
>> int count = _values.size();
>>
>> if ( count == 0 ) { return null; }
>> else { return _values.get( count/2 ); }
>> }
>> }
>>
>> To install I used
>>
>> CALL
>> SQLJ.INSTALL_JAR('/Users/nwalton/Documents/Databases/derbyStats/dist/derbyStats.jar',
>> 'NWALTON.median',0);
>> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY
>> ('derby.database.classpath','NWALTON.median’);
>>
>> CREATE DERBY AGGREGATE "NWALTON"."MEDIAN" FOR DOUBLE RETURNS DOUBLE EXTERNAL
>> NAME 'aggregates.median’ ;
>>
>> At first this works fine in a trigger or in plain SQL but after a while I
>> get the following error
>>
>> Error code 30000, SQL state 38000: The exception
>> 'java.security.AccessControlException: access denied
>> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect")' was
>> thrown while evaluating an expression.
>> Error code 99999, SQL state XJ001: Java exception: 'access denied
>> ("java.lang.RuntimePermission" "accessClassInPackage.sun.reflect"):
>> java.security.AccessControlException'.
>> Line 1, column 1
>>
>> I’ve Googled to no avail for an answer! Can anyone suggest a solution. I’m
>> running OS X Sierra Apache Derby Network Server - 10.6.2.1 - (999685) under
>> Java version 1.8.0_31-b13.
>>
>> Thanks in advance
>>
>> Nick
>
