spring-bootspring-cloudspring-cloud-netflixapache-commons-confignetflix-archaius

ArchaiusAutoConfiguration excluded from spring boot but still not disabling default system configuration


Our company has a security policy for tomcat we will have to request if there is any new security policy required. I am using spring-cloud-starter-hystrix-1.4.1.RELEASE which is using archaius-core-0.7.4.jar. Our server administrators definitely not going to give the following permission which basically asking for read write permissions for everything

Caused by: java.lang.ExceptionInInitializerError
        at com.netflix.config.DynamicPropertyFactory.getInstance(DynamicPropertyFactory.java:277)
        at com.netflix.hystrix.contrib.metrics.eventstream.HystrixMetricsStreamServlet.<clinit>(HystrixMetricsStreamServlet.java:55)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at org.springframework.web.servlet.mvc.ServletWrappingController.afterPropertiesSet(ServletWrappingController.java:144)
        at org.springframework.cloud.netflix.endpoint.ServletWrappingEndpoint.afterPropertiesSet(ServletWrappingEndpoint.java:50)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$6.run(AbstractAutowireCapableBeanFactory.java:1677)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1674)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1624)
        ... 107 more
Caused by: java.lang.RuntimeException: Error initializing configuration
        at com.netflix.config.ConfigurationManager.<clinit>(ConfigurationManager.java:109)
        ... 120 more
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262)
        at java.lang.System.getProperties(System.java:630)
        at org.apache.commons.configuration.SystemConfiguration.<init>(SystemConfiguration.java:44)
        at com.netflix.config.ConfigurationManager.createDefaultConfigInstance(ConfigurationManager.java:146)
        at com.netflix.config.ConfigurationManager.getConfigInstance(ConfigurationManager.java:161)
        at com.netflix.config.ConfigurationManager.getConfigInstance(ConfigurationManager.java:176)
        at com.netflix.config.ConfigurationBasedDeploymentContext.<init>(ConfigurationBasedDeploymentContext.java:108)
        at com.netflix.config.ConfigurationManager.<clinit>(ConfigurationManager.java:104)
        ... 120 more

After researching on why archaius.dynamicProperty.disableSystemConfig value in ConfigurationManager is false by default which is letting archaius default system configuration. commons-configuration jar has a code which is using System.getProperties() and that is why I am seeing this error.

We are not using archaius so excluded ArchaiusAutoConfiguration.class from spring boot application class but it seems like it is still looking for configuration.

My question is how do i disable archaius ? Is ArchaiusAutoConfiguration exclusion from spring boot application class itself is not enough ? If i have to set archaius.dynamicProperty.disableSystemConfig value to true, how can i do it and where ?

Raised an issue on github as well https://github.com/Netflix/archaius/issues/539


Solution

  • The property archaius.dynamicProperty.disableSystemConfig must be declared as System Property. Archaius only tries to read this value of this property from System Property.

    Source Code : https://github.com/Netflix/archaius/blob/master/archaius-core/src/main/java/com/netflix/config/ConfigurationManager.java#L165

    I think that disabling ArchaiusAutoConfiguration itself is not a good idea. Netflix OSS is using archaius and Spring Cloud provides its properties - defined in Spring - into archaius. Therefore Netflix OSS inside Spring Cloud would not work properly without it.