Questions tagged [securitymanager]

A security manager is an object that defines a security policy for an application. This policy specifies actions that are unsafe or sensitive. Any actions not allowed by the security policy cause a SecurityException to be thrown. An application can also query its security manager to discover which actions are allowed.

0
votes
0 answers
5 views

Configuring protection domain for .war file in catalina.policy results in MalformedURLException error

I'm trying to use Tomcat's Security Manager with my web application but I keep getting the following error message: java.security.policy: error adding Entry: java.net.MalformedURLException: ...
3
votes
0 answers
160 views

Tomcat 9.0 with security manager reports access denied on Windows

I started my Tomcat 9.0 on Windows 10 with: -Djava.security.manager -Djava.security.policy==C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\catalina.policy -Djava.security.debug=access,...
0
votes
0 answers
27 views

Java SQL - unauthorized access to logging stream associated with the DriverManager

Java's sql package includes a security warning: NOTE: The class SQLPermission was added in the Java™ 2 SDK, Standard Edition, version 1.3 release. This class is used to prevent unauthorized access ...
8
votes
1 answer
150 views

Replacement for Security Manager checkMemberAccess()

The Java Security Manager method checkMemberAccess() had a parameter that contained the class that Reflection was being called on. This method was deprecated, with a description saying to use ...
1
vote
0 answers
24 views

Java SecurityManager: block Reflection to specific class [duplicate]

Let's say I have a package (com.example.private) with some classes that contain sensitive information. The methods and fields are private or package private to prevent access under normal ...
0
votes
0 answers
33 views

org.grails.plugins:shiro Issue from Grails 2.5 to Grails 3

I'm upgrading from Grails 2.5 to Grails 3.3.8. As I see there is no update for org.grails.plugins:shiro:1.2.1 to work with Grails 3! I tried spring-security-shiro plugin but it doesn't replace grails ...
10
votes
2 answers
416 views

Enable the Java SecurityManager with AllPermission

I'm trying to get myself familiar with the SecurityManager but even this simple scenario fails. When I run the following from inside my IDE or from command line I get the following exception; access ...
0
votes
0 answers
94 views

Security misconfiguration setAccessible() reflection

We scanned our codes using HP fortify and tag all our reflection codes using setAccessible() method as security misconfiguration. Although it provided a recommendation I can't fully understand it. ...
0
votes
0 answers
68 views

SecurityManager is not allowing read file although stated in the policy

This is my error: java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Temp\SettingsApp.policy" "read") This is my policy (dynamically made for each app) grant ...
0
votes
1 answer
46 views

Using a security manager with reflection accessing a jar file

After implementing my platform to have the ability to load jar files dynamically using reflection, I came across a security issue. The jar file could be 'dangerous' and contain code that could affect ...
1
vote
0 answers
107 views

When is ClassLoader checkPackageAccess method called

I would like to understand when the JVM calls the checkPackageAccess method of a ClassLoader. From the javadoc, I read that it is called by the JVM after loading class with the classloader. But I ...
3
votes
1 answer
87 views

Why any file can be read with using java.security.SecurityManager in java?

I just want some files to be read and written in my Java program. So I use java.security.SecurityManager to manage this, but it seems unsatisfactory. The Main.java file is below import java.io.*; ...
1
vote
1 answer
46 views

What is the initialized field in java.lang.SecurityManager for?

In java.lang.SecurityManager, there is a boolean field called initialized. public class SecurityManager { /* * Have we been initialized. Effective against finalizer attacks. */ ...
2
votes
2 answers
101 views

MQQueueManager constructor hangs when a SecurityManager is installed

Host foo is an IBM MQ client (i.e. client mode connection over TCP/IP). Host bar is the system on which the queue manager is running. Bar grants permission (by IP address) for foo to instantiate a com....
0
votes
0 answers
75 views

wildfly 12 - Failing permission check - ognl.OgnlInvokePermission

I am using Wildfly Security manager subsystem to set up security policies. I am not able to get the ognl.OgnlInvokePermission on any methods. E.g. I enabled ognl.OgnlInvokePermission under the ...
0
votes
0 answers
93 views

FilePermission exception after enabling security manager in Wildfly

I'm getting file permission exception while reading a file after enabling security manager in wildfly. Everything works fine after disabling wildfly. My permissions.xml file has the required ...
4
votes
0 answers
163 views

MissingResourceException while running

I have a large application that started receiving MissingResourceException: Can't find bundle for base name sun.text.resources.FormatData, locale en_US The error comes from my code at java....
0
votes
1 answer
195 views

How to authenticate exist-db users in RESTXQ

(complete rephrase - since no answer): I am developing an exist-db application with user authentication and RESTXQ. My users log in via the login:set-user function from the login module. Here a ...
1
vote
1 answer
61 views

Prevent debuggers to see variable value

Is there a way that I can configure properties of my JPA(I am using hibernate as implementation) entity such that no one can see its value while debugging? The property is transient and I don't want ...
3
votes
1 answer
275 views

A java SecurityManager that is identical to NO security manager except for a single check adjustment for System.exit

I am not well versed in java security managers and therefore want to confirm my understanding: I have a java process that randomly stops (shutdown hook runs) even though there is no trace of someone ...
2
votes
1 answer
2k views

JVM Security Manager File permissions - custom policy

I've found a somehow unexpected behaviour using JVM Security Manager custom policies. repo: https://github.com/pedrorijo91/jvm-sec-manager in branch master, go into the /code folder: custom policy ...
0
votes
0 answers
107 views

“Can't find/load security.manager” java -Djava.security.manager MyApp

According to my book I have to start my application with the following cmd: java -Djava.security.manager MyApp But my command prompt tells me that he can't find/load mainclass security.manager. I also ...
3
votes
2 answers
149 views

How to create newInstance with enabled SecurityManager in Java

I need to create new instance of a class loaded from untrusted classfile. Now I do the following: classLoader.loadClass(UNSTRUSTED_CLASS).newInstance() The problem is that if I enable security ...
0
votes
2 answers
209 views

Embedding Cassandra - Security Manager issues

I am attempting to upgrade an application that uses an embedded cassandra 2.1.1 (about time!), but the application in question sets its own security manager. Cassandra 3.11 seems to not consider this ...
0
votes
1 answer
260 views

Using java securityManager blocks me from reading files

In my java code I call another 3rd party java class. I want to catch that latter System.exit() exit code So I use security-manager as suggested in this post The problem is that I cannot read files ...
2
votes
1 answer
127 views

Obtaining an instance of CommPortIdentifier on Android

I'm using Jamod 1.2 to establish Modbus TCP connection between an Android device and PLC. Everything was fine until I was asked to migrate to Modbus RTU (connecting via USB). Jamod has classes to work ...
0
votes
0 answers
57 views

Is it possible to create a safe classloader in Java?

I plan on allowing users of my program to create their own subclasses to use as modules in my program. I've always read that classloaders were insecure, and I completely understand why. What I want to ...
2
votes
1 answer
61 views

How a particular field is filtered from reflection access?

How does Java restrict reflection access to the field private final ClassLoader classLoader in Class.java? (As shown in documentation in screenshot) I have found a link which describes that a ...
1
vote
1 answer
1k views

Tomcat AccessControlException:access denied (“java.io.FilePermission” “logs” “read”)

I'm using Security Manager feature in tomcat and was able to make use of the Catalina.policy file in managing the permission. In spite of which I get this error log for my web-app Following ...
1
vote
0 answers
173 views

What java permissions are needed to load log4j2 with security manager?

I have the following policy file: grant codeBase "file:./Cookie.jar", Principal javax.security.auth.kerberos.KerberosPrincipal "MyUsr@domain.com" Principal javax.security.auth.kerberos....
0
votes
0 answers
181 views

AOSP file access control - Android with Java Security Manager

I would like to implement a file access control in the Android framework. It has to be global - for each app. So each file call (for example open an image) should be checked by this controller. I ...
0
votes
1 answer
479 views

Tomcat 8 java.lang.LinkageError: loader constraint violation

I am deploying a web service (which uses METRO 2.0 library and includes it in the war file) on tomcat with security manager enabled -Djava.security.manager -Djava.security.policy=C:\apache-tomcat-8.5....
0
votes
0 answers
362 views

Java SecurityManager AccessControlException - Running from Network Share

I have a Java 8 application that evaluates user provided code via the Nashorn JavaScript ScriptEngine. To provide protection from evaluating malicious code, I am enabling the Java SecurityManager with ...
0
votes
1 answer
219 views

Android AAR file protect from reflection

I have a big problem with AAR files. I want to make an AAR file and give it to some other businesses to have payment solutions with our business (like PayPal AAR file) and I don't want they can reflect our ...
0
votes
2 answers
5k views

RMI binding fails with “No security manager: RMI class loader disabled”

I have an issue binding a remote object to the RMI registry. I've reduced my code to a very simple example that works fine when I test it on my computer (Windows 10). But if I start it on another ...
1
vote
0 answers
308 views

Specify multiple different policy files when invoking execution of an application in Java

In the documentation and this it says it is also possible to specify an additional or a different policy file when invoking execution of an application. This can be done via the "-Djava.security....
0
votes
1 answer
167 views

Wildfly Security Manager not processing JndiPermission

I'm trying to get my existing application to work with the Wildfly Security Manager. To start, I'm running my applications and adding the configuration that I need to standalone.xml like this in ...
0
votes
1 answer
581 views

Prohibit scripts from accessing specific Java classes using Java security Manager

I'm already using Java 8 and its Nashorn javascript engine. And in my application I access javaScript script files from Java classes for various purposes. And yet it's possible to access Java ...
0
votes
1 answer
62 views

Why AccessController is not blocking the non-privileged access

Disclaimer: The old version of the question was confusing SecurityManager and AccessController. But now I know I've made a mistake and the question is refined. The stem is pretty straight forward; I'...
3
votes
0 answers
71 views

Block reflection field/method access from classloader

I'm doing a plugin system with a security manager to restrict the plugin's actions. My problem is, it will be easy to bypass the system when people are able to access every field using reflection. I ...
9
votes
3 answers
2k views

Java Security Manager completely disable reflection

I've been reading quite a lot of questions on Stackoverflow about this question but couldn't quite find a solution or answer for my problem. If there is already one I would be grateful if somebody ...
2
votes
1 answer
619 views

How to build a sandbox environment

Hi SecurityManager Experts out there ;-) I have written a small plugin framework that loads plugins with separate isolated classloaders. For a successful undeploy of a plugin it is important to make ...
0
votes
1 answer
82 views

Balana “evaluate” command causing NoClassDefFoundError

I got a jar for balana 1.0.5 from here: http://maven.wso2.org/nexus/content/groups/wso2-public/org/wso2/balana/org.wso2.balana/1.0.5/ I have an instance of pdp with no configuration and I'm trying to ...
1
vote
1 answer
111 views

java 9 b132 eclipse neon setsecuritymanager cannot be resolved

Using java 1.9 (b132), Eclipse Neon (4.6.0), I am working through a large legacy java client front end project in preparation for java 9. Most of the code works, but this problem I cannot resolve. I ...
0
votes
0 answers
199 views

AccessControl.doPrivileged Problems

I'm having a problem with extensions, privileges, permissions, and the SecurityManager in Java. I'm using a SecurityManager because I'm using RMI, but that doesn't really come into this. If I can just ...
0
votes
0 answers
78 views

Is it possible to start the OrientDb server without using reflection?

I'm running OrientDb 2.2.6 in embedded mode. I have to grant security permissions to my code so the SecurityManager allows it to run. One permission I would particularly prefer not to grant is ("java....
0
votes
0 answers
111 views

Tomcat AccessControlException despite using AllPermission

I'm attempting to deploy a WAR to Tomcat and running into problems with the Java Security Manager. This is Tomcat 7.0.55 running Java 1.8.0, and Tomcat is started with parameters like this: -...
4
votes
0 answers
181 views

Configure Security Manager for application that does not allow to set security policy

I want to deploy a web application ( app.war) on wildfly server. the web app has its own custom security manager set that does not allow changing java security policy. I am able to deploy the web app ...
1
vote
1 answer
527 views

Java set security permission of created instances

So I have a bit of code, that creates an instance of a class. Class<?> c = Class.forName("MyClass"); Constructor<?> cons = c.getConstructor(); cons.setAccessible(true); Object instance = ...
1
vote
1 answer
807 views

Can java security manager be enabled by default at the installation level?

As per understanding it's possible to manipulate the general notion of final keyword using reflection. Also it's possible to prevent the same using a security manager. Is it possible to enable the ...
