javaserverrmiaccesscontrolexception

RMI Server refuses to start: java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:1099" "connect,resolve")


OK, so I tried to google this and tried a million different things, none of which helped.

Currently I am launching my server with the following command:

java -Djava.security.policy=rmi_generated.policy -Djava.security.debug=access,failure MainLauncher aiserver.AIServer

MainLauncher basically just loads bin/ and lib/ to class path + invokes aiserver.AIServer.main, shouldn't really affect anything relevant to this.

Here's the part that launches the actual server:

PolicyFileGenerator.generate();
if (System.getSecurityManager() == null)
        System.setSecurityManager ( new RMISecurityManager() );
try {
    Naming.bind("AIService",server);
} catch (MalformedURLException | RemoteException
        | AlreadyBoundException ex) {
        throw new RuntimeException("failed binding server",ex);
}

And here's the exception I get:

Exception in thread "main" java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at lib.ClassPathHack.launch(ClassPathHack.java:62)
    at MainLauncher.main(MainLauncher.java:7)
Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:1099" "connect,resolve")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
    at java.net.Socket.connect(Socket.java:584)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:40)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:148)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
    at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
    at java.rmi.Naming.bind(Naming.java:128)
    at com.kt.commons.services.RMIServerHelper.register(RMIServerHelper.java:86)
    at aiserver.AIServer.main(AIServer.java:13)

Here are the current contents of the generated RMI policy file. It will be generated to ./rmi_generated.policy.

grant codeBase "file:/home/jp/projects/aiservice/bin" {
    permission java.security.AllPermission;
    permission java.net.SocketPermission "localhost:1099", "connect, resolve";
    permission java.net.SocketPermission "127.0.0.1:1099", "connect, resolve";
    permission java.net.SocketPermission "localhost:80", "connect, resolve";

};

And here's what JVM vomits when I give the -Djava.security.debug=access,failure flag.

jp@jp-ThinkPad-Edge-E530 ~/projects/aiservice $ java -Djava.security.policy=rmi_generated.policy -Djava.security.debug=access,failure MainLauncher aiserver.AIServer
rmi_generated.policy
/home/jp/projects/aiservice
access: access allowed ("java.io.FilePermission" "/home/jp/projects/aiservice/lib/ktcommons.jar" "read")
access: access denied ("java.net.SocketPermission" "jp-ThinkPad-Edge-E530" "resolve")
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1329)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:447)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1048)
    at java.net.InetAddress.getLocalHost(InetAddress.java:1456)
    at java.rmi.registry.LocateRegistry.getRegistry(LocateRegistry.java:158)
    at java.rmi.registry.LocateRegistry.getRegistry(LocateRegistry.java:123)
    at java.rmi.Naming.getRegistry(Naming.java:221)
    at java.rmi.Naming.bind(Naming.java:123)
    at com.kt.commons.services.RMIServerHelper.register(RMIServerHelper.java:86)
    at aiserver.AIServer.main(AIServer.java:13)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at lib.ClassPathHack.launch(ClassPathHack.java:62)
    at MainLauncher.main(MainLauncher.java:7)
access: access allowed ("java.security.SecurityPermission" "getPolicy")
access: access allowed ("java.io.FilePermission" "/home/jp/projects/aiservice/lib/ktcommons.jar" "read")
access: domain that failed ProtectionDomain  (file:/home/jp/projects/aiservice/lib/ktcommons.jar <no signer certificates>)
 sun.misc.Launcher$AppClassLoader@73d16e93
 <no principals>
 java.security.Permissions@73035e27 (
 ("java.lang.RuntimePermission" "exitVM")
 ("java.lang.RuntimePermission" "stopThread")
 ("java.net.SocketPermission" "localhost:0" "listen,resolve")
 ("java.io.FilePermission" "/home/jp/projects/aiservice/lib/ktcommons.jar" "read")
 ("java.util.PropertyPermission" "java.specification.version" "read")
 ("java.util.PropertyPermission" "java.version" "read")
 ("java.util.PropertyPermission" "os.arch" "read")
 ("java.util.PropertyPermission" "java.specification.vendor" "read")
 ("java.util.PropertyPermission" "java.vm.specification.name" "read")
 ("java.util.PropertyPermission" "java.vm.vendor" "read")
 ("java.util.PropertyPermission" "path.separator" "read")
 ("java.util.PropertyPermission" "os.version" "read")
 ("java.util.PropertyPermission" "file.separator" "read")
 ("java.util.PropertyPermission" "line.separator" "read")
 ("java.util.PropertyPermission" "java.vm.specification.vendor" "read")
 ("java.util.PropertyPermission" "java.specification.name" "read")
 ("java.util.PropertyPermission" "java.vendor.url" "read")
 ("java.util.PropertyPermission" "java.vendor" "read")
 ("java.util.PropertyPermission" "java.vm.version" "read")
 ("java.util.PropertyPermission" "java.vm.name" "read")
 ("java.util.PropertyPermission" "java.vm.specification.version" "read")
 ("java.util.PropertyPermission" "os.name" "read")
 ("java.util.PropertyPermission" "java.class.version" "read")
)


access: access allowed ("java.util.PropertyPermission" "java.rmi.server.hostname" "read")
access: access allowed ("java.util.PropertyPermission" "sun.rmi.transport.connectionTimeout" "read")
access: access allowed ("java.util.PropertyPermission" "sun.rmi.transport.tcp.handshakeTimeout" "read")
access: access allowed ("java.util.PropertyPermission" "sun.rmi.transport.tcp.responseTimeout" "read")
access: access allowed ("java.lang.RuntimePermission" "sun.rmi.runtime.RuntimeUtil.getInstance")
access: access allowed ("java.util.PropertyPermission" "jdk.net.ephemeralPortRange.low" "read")
access: access allowed ("java.lang.RuntimePermission" "loadLibrary.net")
access: access allowed ("java.io.FilePermission" "/usr/lib/jvm/java-8-oracle/jre/lib/amd64/libnet.so" "read")
access: access allowed ("java.util.PropertyPermission" "os.name" "read")
access: access allowed ("java.util.PropertyPermission" "jdk.net.ephemeralPortRange.high" "read")
access: access denied ("java.net.SocketPermission" "127.0.0.1:1099" "connect,resolve")
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1329)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:447)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
    at java.net.Socket.connect(Socket.java:584)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:40)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:148)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
    at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
    at java.rmi.Naming.bind(Naming.java:128)
    at com.kt.commons.services.RMIServerHelper.register(RMIServerHelper.java:86)
    at aiserver.AIServer.main(AIServer.java:13)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at lib.ClassPathHack.launch(ClassPathHack.java:62)
    at MainLauncher.main(MainLauncher.java:7)
access: access allowed ("java.security.SecurityPermission" "getPolicy")
access: access allowed ("java.io.FilePermission" "/home/jp/projects/aiservice/lib/ktcommons.jar" "read")
access: domain that failed ProtectionDomain  (file:/home/jp/projects/aiservice/lib/ktcommons.jar <no signer certificates>)
 sun.misc.Launcher$AppClassLoader@73d16e93
 <no principals>
 java.security.Permissions@483bf400 (
 ("java.lang.RuntimePermission" "exitVM")
 ("java.lang.RuntimePermission" "stopThread")
 ("java.net.SocketPermission" "localhost:0" "listen,resolve")
 ("java.io.FilePermission" "/home/jp/projects/aiservice/lib/ktcommons.jar" "read")
 ("java.util.PropertyPermission" "java.specification.version" "read")
 ("java.util.PropertyPermission" "java.version" "read")
 ("java.util.PropertyPermission" "os.arch" "read")
 ("java.util.PropertyPermission" "java.specification.vendor" "read")
 ("java.util.PropertyPermission" "java.vm.specification.name" "read")
 ("java.util.PropertyPermission" "java.vm.vendor" "read")
 ("java.util.PropertyPermission" "path.separator" "read")
 ("java.util.PropertyPermission" "os.version" "read")
 ("java.util.PropertyPermission" "file.separator" "read")
 ("java.util.PropertyPermission" "line.separator" "read")
 ("java.util.PropertyPermission" "java.vm.specification.vendor" "read")
 ("java.util.PropertyPermission" "java.specification.name" "read")
 ("java.util.PropertyPermission" "java.vendor.url" "read")
 ("java.util.PropertyPermission" "java.vendor" "read")
 ("java.util.PropertyPermission" "java.vm.version" "read")
 ("java.util.PropertyPermission" "java.vm.name" "read")
 ("java.util.PropertyPermission" "java.vm.specification.version" "read")
 ("java.util.PropertyPermission" "os.name" "read")
 ("java.util.PropertyPermission" "java.class.version" "read")
)


Exception in thread "main" java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at lib.ClassPathHack.launch(ClassPathHack.java:62)
    at MainLauncher.main(MainLauncher.java:7)
Caused by: java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:1099" "connect,resolve")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
    at java.net.Socket.connect(Socket.java:584)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:40)
    at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:148)
    at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
    at sun.rmi.registry.RegistryImpl_Stub.bind(Unknown Source)
    at java.rmi.Naming.bind(Naming.java:128)
    at com.kt.commons.services.RMIServerHelper.register(RMIServerHelper.java:86)
    at aiserver.AIServer.main(AIServer.java:13)
    ... 6 more

Based on what I googled, a likely cause for this is that JVM does not find my .policy file, but this does not seem to be the case as I get different error messages if I insert some syntax errors to the policy file.

Another common cause seems to be having incorrect codeBase path in the policy file. To rule that out I've tried the following ones:

None of which helped.

And yes, I have rmiregistry running.

I have also tried doing all this with sudo.

FWIW the java version I'm running is:

java version "1.8.0_25" Java(TM) SE Runtime Environment (build 1.8.0_25-b17) Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)

on Linux Mint 17.1


Solution

  • Turns out that I needed to grant permissions for a few different codeBases to get this work.

    grant codeBase "file:/home/jp/projects/aiservice/bin" {...

    grant codeBase "file:/home/jp/projects/aiservice/" {...

    grant codeBase "file:/home/jp/projects/aiservice/lib/ktcommons.jar" {...

    It's still not working, but hey, at least I get a different exception now!