-Djava.security.manager=problems for service providers

Peter Firmstone peter.firmstone at zeus.net.au
Tue Mar 27 13:15:18 UTC 2018


I tested the JDK 9 pre releases and didn't experience issues, will have 
to test again against the latest.   Note on JDK1.8.0_162 it doesn't only 
affect the PolicyFile provider.

Thanks,

Peter.

On 27/03/2018 11:06 PM, Alan Bateman wrote:
> Moving this to security-dev.
>
> From the stack trace, it looks like you are using JDK 8 or older. 
> There are several changes in JDK 9 and newer in the PolicyFile code to 
> how it loads its resources that may help with the issues you are seeing.
>
> -Alan
>
> On 27/03/2018 13:56, Peter Firmstone wrote:
>> Not sure if this is the right place to mention this.
>>
>> Anyone notice that specifying a custom security manager at jvm start 
>> up causes issues with service providers loading?   If using the sun 
>> PolicyFile implementation, the policy doesn't load due to the 
>> provider failure, I have a custom policy implementation that will 
>> allow the jvm to run in this state, and other providers are also not 
>> loading, such as the logger and JCE.
>>
>> Note that it doesn't occur if the security manager is set 
>> programmatically in the main method at start up, only if it's set via 
>> command line option.
>>
>> Examples of providers not loading:
>>
>>      [java] java.lang.NullPointerException
>>      [java] Can't load log handler "java.util.logging.ConsoleHandler"
>>      [java] java.lang.NullPointerException
>>      [java] java.lang.NullPointerException
>>      [java]     at 
>> java.util.logging.LogManager$5.run(LogManager.java:965)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> java.util.logging.LogManager.loadLoggerHandlers(LogManager.java:958)
>>      [java]     at 
>> java.util.logging.LogManager.initializeGlobalHandlers(LogManager.java:1578)
>>      [java]     at 
>> java.util.logging.LogManager.access$1500(LogManager.java:145)
>>      [java]     at 
>> java.util.logging.LogManager$RootLogger.accessCheckedHandlers(LogManager.java:1667)
>>      [java]     at 
>> java.util.logging.Logger.getHandlers(Logger.java:1777)
>>      [java]     at java.util.logging.Logger.log(Logger.java:735)
>>      [java]     at java.util.logging.Logger.doLog(Logger.java:765)
>>      [java]     at java.util.logging.Logger.log(Logger.java:788)
>>      [java]     at 
>> org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:496)
>>      [java]     at 
>> org.apache.river.api.security.ConcurrentPolicyFile$2.run(ConcurrentPolicyFile.java:469)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> org.apache.river.api.security.ConcurrentPolicyFile.readPoliciesNoCheckGuard(ConcurrentPolicyFile.java:468)
>>      [java]     at 
>> org.apache.river.api.security.ConcurrentPolicyFile.readPolicyPermissionGrants(ConcurrentPolicyFile.java:243)
>>      [java]     at 
>> org.apache.river.api.security.ConcurrentPolicyFile.<init>(ConcurrentPolicyFile.java:253)
>>      [java]     at 
>> org.apache.river.api.security.ConcurrentPolicyFile.<init>(ConcurrentPolicyFile.java:226)
>>      [java]     at 
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:154)
>>      [java]     at 
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:133)
>>      [java]     at 
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)
>>      [java]     at 
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:162)
>>      [java]     at 
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>      [java]     at 
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>      [java]     at 
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>      [java]     at 
>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>      [java]     at java.lang.Class.newInstance(Class.java:442)
>>      [java]     at sun.misc.Launcher.<init>(Launcher.java:93)
>>      [java]     at sun.misc.Launcher.<clinit>(Launcher.java:54)
>>      [java]     at 
>> java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
>>      [java]     at 
>> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
>>
>>
>>      [java] Error occurred during initialization of VM
>>      [java] java.lang.ExceptionInInitializerError
>>      [java]     at 
>> java.util.ResourceBundle.getLoader(ResourceBundle.java:482)
>>      [java]     at 
>> java.util.ResourceBundle.getBundle(ResourceBundle.java:783)
>>      [java]     at 
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)
>>      [java]     at 
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)
>>      [java]     at 
>> sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)
>>      [java]     at 
>> sun.security.provider.PolicyFile.init(PolicyFile.java:626)
>>      [java]     at 
>> sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)
>>      [java]     at 
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)
>>      [java]     at 
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)
>>      [java]     at 
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)
>>      [java]     at 
>> sun.security.provider.PolicyFile.init(PolicyFile.java:439)
>>      [java]     at 
>> sun.security.provider.PolicyFile.<init>(PolicyFile.java:297)
>>      [java]     at 
>> java.security.Policy.getPolicyNoCheck(Policy.java:196)
>>      [java]     at java.security.Policy.getPolicy(Policy.java:154)
>>      [java]     at net.jini.security.Security$7.run(Security.java:1054)
>>      [java]     at net.jini.security.Security$7.run(Security.java:1052)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> net.jini.security.Security.getPolicy(Security.java:1052)
>>      [java]     at 
>> net.jini.security.Security.getContext(Security.java:506)
>>      [java]     at 
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:140)
>>      [java]     at 
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:132)
>>      [java]     at 
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)
>>      [java]     at 
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:160)
>>      [java]     at 
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>      [java]     at 
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>      [java]     at 
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>      [java]     at 
>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>      [java]     at java.lang.Class.newInstance(Class.java:442)
>>      [java]     at sun.misc.Launcher.<init>(Launcher.java:93)
>>      [java]     at sun.misc.Launcher.<clinit>(Launcher.java:54)
>>      [java]     at 
>> java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
>>      [java]     at 
>> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
>>      [java] Caused by: java.lang.NullPointerException
>>      [java]     at 
>> java.util.ResourceBundle$RBClassLoader.<clinit>(ResourceBundle.java:502)
>>      [java]     at 
>> java.util.ResourceBundle.getLoader(ResourceBundle.java:482)
>>      [java]     at 
>> java.util.ResourceBundle.getBundle(ResourceBundle.java:783)
>>      [java]     at 
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:47)
>>      [java]     at 
>> sun.security.util.ResourcesMgr$1.run(ResourcesMgr.java:44)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> sun.security.util.ResourcesMgr.getString(ResourcesMgr.java:43)
>>      [java]     at 
>> sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:888)
>>      [java]     at 
>> sun.security.provider.PolicyFile.init(PolicyFile.java:626)
>>      [java]     at 
>> sun.security.provider.PolicyFile.access$400(PolicyFile.java:258)
>>      [java]     at 
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:521)
>>      [java]     at 
>> sun.security.provider.PolicyFile$3.run(PolicyFile.java:495)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:495)
>>      [java]     at 
>> sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:480)
>>      [java]     at 
>> sun.security.provider.PolicyFile.init(PolicyFile.java:439)
>>      [java]     at 
>> sun.security.provider.PolicyFile.<init>(PolicyFile.java:297)
>>      [java]     at 
>> java.security.Policy.getPolicyNoCheck(Policy.java:196)
>>      [java]     at java.security.Policy.getPolicy(Policy.java:154)
>>      [java]     at net.jini.security.Security$7.run(Security.java:1054)
>>      [java]     at net.jini.security.Security$7.run(Security.java:1052)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> net.jini.security.Security.getPolicy(Security.java:1052)
>>      [java]     at 
>> net.jini.security.Security.getContext(Security.java:506)
>>      [java] Unexpected exception:
>>      [java]     at 
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:140)
>>      [java]     at 
>> org.apache.river.api.security.CombinerSecurityManager.<init>(CombinerSecurityManager.java:132)
>>      [java]     at 
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:137)
>>      [java]     at 
>> org.apache.river.tool.SecurityPolicyWriter.<init>(SecurityPolicyWriter.java:160)
>>      [java]     at 
>> sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>      [java]     at 
>> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>      [java]     at 
>> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>      [java]     at 
>> java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>      [java]     at java.lang.Class.newInstance(Class.java:442)
>>      [java]     at sun.misc.Launcher.<init>(Launcher.java:93)
>>      [java]     at sun.misc.Launcher.<clinit>(Launcher.java:54)
>>      [java]     at 
>> java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1451)
>>      [java]     at 
>> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1436)
>>
>>
>>
>>      [java] java.lang.ExceptionInInitializerError
>>      [java]     at 
>> javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65)
>>      [java]     at 
>> javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2586)
>>      [java]     at 
>> javax.crypto.Cipher.getMaxAllowedKeyLength(Cipher.java:2610)
>>      [java]     at 
>> sun.security.ssl.CipherSuite$BulkCipher.isUnlimited(CipherSuite.java:535)
>>      [java]     at 
>> sun.security.ssl.CipherSuite$BulkCipher.<init>(CipherSuite.java:507)
>>      [java]     at 
>> sun.security.ssl.CipherSuite.<clinit>(CipherSuite.java:614)
>>      [java]     at 
>> sun.security.ssl.SSLContextImpl.getApplicableCipherSuiteList(SSLContextImpl.java:294)
>>      [java]     at 
>> sun.security.ssl.SSLContextImpl.access$100(SSLContextImpl.java:42)
>>      [java]     at 
>> sun.security.ssl.SSLContextImpl$AbstractTLSContext.<clinit>(SSLContextImpl.java:425)
>>      [java]     at java.lang.Class.forName0(Native Method)
>>      [java]     at java.lang.Class.forName(Class.java:264)
>>      [java]     at 
>> java.security.Provider$Service.getImplClass(Provider.java:1634)
>>      [java]     at 
>> java.security.Provider$Service.newInstance(Provider.java:1592)
>>      [java]     at 
>> sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>>      [java]     at 
>> sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>>      [java]     at 
>> javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
>>      [java]     at 
>> net.jini.jeri.ssl.Utilities.getServerSSLContextInfo(Utilities.java:712)
>>      [java]     at 
>> net.jini.jeri.ssl.Utilities.getSupportedCipherSuites(Utilities.java:284)
>>      [java]     at 
>> net.jini.jeri.ssl.SslEndpointImpl.getConnectionContexts(SslEndpointImpl.java:750)
>>      [java]     at 
>> net.jini.jeri.ssl.SslEndpointImpl.getCallContext(SslEndpointImpl.java:326)
>>      [java]     at 
>> net.jini.jeri.ssl.SslEndpointImpl.newRequest(SslEndpointImpl.java:185)
>>      [java]     at 
>> net.jini.jeri.ssl.SslEndpoint.newRequest(SslEndpoint.java:550)
>>      [java]     at 
>> net.jini.jeri.BasicObjectEndpoint.newCall(BasicObjectEndpoint.java:421)
>>      [java]     at 
>> net.jini.jeri.BasicInvocationHandler.invokeRemoteMethod(BasicInvocationHandler.java:688)
>>      [java]     at 
>> net.jini.jeri.BasicInvocationHandler.invoke(BasicInvocationHandler.java:571)
>>      [java]     at com.sun.proxy.$Proxy2.registerGroup(Unknown Source)
>>      [java]     at 
>> org.apache.river.start.SharedActivationGroupDescriptor.create(SharedActivationGroupDescriptor.java:370)
>>      [java]     at 
>> org.apache.river.qa.harness.SharedGroupAdmin.start(SharedGroupAdmin.java:204)
>>      [java]     at 
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:639)
>>      [java]     at 
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:660)
>>      [java]     at 
>> org.apache.river.qa.harness.ActivatableServiceStarterAdmin.getServiceSharedLogDir(ActivatableServiceStarterAdmin.java:388)
>>      [java]     at 
>> org.apache.river.qa.harness.ActivatableServiceStarterAdmin.start(ActivatableServiceStarterAdmin.java:224)
>>      [java]     at 
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:639)
>>      [java]     at 
>> org.apache.river.qa.harness.AdminManager.startService(AdminManager.java:660)
>>      [java]     at 
>> org.apache.river.qa.harness.AdminManager.startLookupService(AdminManager.java:679)
>>      [java]     at 
>> org.apache.river.test.spec.lookupservice.QATestRegistrar.construct(QATestRegistrar.java:458)
>>      [java]     at 
>> org.apache.river.test.spec.lookupservice.test_set00.EvntLeaseExpiration.construct(EvntLeaseExpiration.java:88)
>>      [java]     at 
>> org.apache.river.qa.harness.MasterTest.doTest(MasterTest.java:228)
>>      [java]     at 
>> org.apache.river.qa.harness.MasterTest.access$000(MasterTest.java:48)
>>      [java]     at 
>> org.apache.river.qa.harness.MasterTest$1.run(MasterTest.java:174)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> javax.security.auth.Subject.doAsPrivileged(Subject.java:483)
>>      [java]     at 
>> org.apache.river.qa.harness.MasterTest.doTestWithLogin(MasterTest.java:171)
>>      [java]     at 
>> org.apache.river.qa.harness.MasterTest.main(MasterTest.java:150)
>>      [java] Caused by: java.lang.SecurityException: Can not 
>> initialize cryptographic mechanism
>>      [java]     at 
>> javax.crypto.JceSecurity.<clinit>(JceSecurity.java:93)
>>      [java]     ... 44 more
>>      [java] Caused by: java.lang.SecurityException: Cannot locate 
>> policy or framework files!
>>      [java]     at 
>> javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:316)
>>      [java]     at 
>> javax.crypto.JceSecurity.access$000(JceSecurity.java:50)
>>      [java]     at javax.crypto.JceSecurity$1.run(JceSecurity.java:85)
>>      [java]     at java.security.AccessController.doPrivileged(Native 
>> Method)
>>      [java]     at 
>> javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)
>



More information about the security-dev mailing list