I'm migrating some auto-signed WebStart (WS) applications from Oracle's Java 8 to OpenJDK11+OpenWebStart. However, I'm getting strange java.io.FilePermission errors after the migration (in other words, when launching the application's JNLP with Oracle's WS it works fine, but with OpenWebStart that error is triggered). The errors are coming from the log4j2 log files that are saved in a remote server.
I've added this to the JAR's MANIFEST.MF, with no effect:
Codebase: *.mydomain.edu
Permissions: all-permissions
The way I found to solve the error was to manually change the java.policy file (at ~/.config/icedtea-web/security) with this:
grant codeBase "*.mydomain.edu" {
    permission java.io.FilePermission "<<ALL FILES>>", "read, write, execute, delete";
};
(Of course, this is not a recommended solution since the applications are used by many different users.)
My question is: how could I solve this in a more robust way? Is there a way to include a custom java.policy inside the JAR file? Or does OpenWebStart require an extra log4j2 configuration that I'm missing?
PS: I've tried to post this at the OpenWebStart forum, but my account there was not activated, for some reason I was not informed of.
Update: I've made a test launching this application from a Windows machine, and it worked just fine! Thus, the java.io.FilePermission error is related to my Linux RHEL8 system.
I don't know exactly what was causing it, but I found a way to solve it. I checked the OWS error message and saw that it was related to log4j (at the bottom).
I was using log4j 2.17 but still with log4j 1.x syntax to write the logs. I needed to update the syntax to log4j 2.x, and it worked just fine, both in Windows and Linux.
The OWS error:
WARNING: package javax.jnlp not in java.desktop
[myuser][ITW-CORE][2023-03-10 08:48:26.431 MST][WARN ][net.adoptopenjdk.icedteaweb.manifest.ManifestAttributesChecker][My Tool#428b8743] This application does not specify a Codebase in its manifest. Please verify with the applet''s vendor. Continuing. See: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html for details.
[myuser][ITW-CORE][2023-03-10 08:48:26.554 MST][WARN ][net.sourceforge.jnlp.JNLPFile][AWT-EventQueue-0#23a5fd2] Application title was not found in manifest. Check with application vendor
[myuser][ITW-CORE][2023-03-10 08:48:26.813 MST][WARN ][net.sourceforge.jnlp.JNLPFile][My Tool#428b8743] Application title was not found in manifest. Check with application vendor
Exception in thread "My Tool" java.lang.RuntimeException: java.lang.ExceptionInInitializerError[myuser][ITW-CORE][2023-03-10 08:48:27.707 MST][ERROR][net.sourceforge.jnlp.Launcher][My Tool#428b8743]
General Throwable encountered:
java.lang.ExceptionInInitializerError
at org.apache.log4j.Logger.getLogger(Logger.java:117)
at edu.mydomain.clientMain.<clinit>(clientMain.java:29)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:406)
at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:71)
at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:660)
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:272)
at java.base/java.lang.SecurityManager.checkWrite(SecurityManager.java:752)
at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:225)
at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:207)
at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:172)
at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:104)
at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:809)
at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:735)
at org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:615)
at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:502)
at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:547)
at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
... 9 more
at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:681)
Caused by: java.lang.ExceptionInInitializerError
at org.apache.log4j.Logger.getLogger(Logger.java:117)
at edu.mydomain.clientMain.<clinit>(clientMain.java:29)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:406)
at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:71)
at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:660)
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at net.sourceforge.jnlp.runtime.JNLPSecurityManager.checkPermission(JNLPSecurityManager.java:272)
at java.base/java.lang.SecurityManager.checkWrite(SecurityManager.java:752)
at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:225)
at java.base/java.io.FileOutputStream.<init>(FileOutputStream.java:158)
at org.apache.log4j.FileAppender.setFile(FileAppender.java:294)
at org.apache.log4j.RollingFileAppender.setFile(RollingFileAppender.java:207)
at org.apache.log4j.FileAppender.activateOptions(FileAppender.java:165)
at org.apache.log4j.config.PropertySetter.activate(PropertySetter.java:307)
at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:172)
at org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:104)
at org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:809)
at org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:735)
at org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:615)
at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:502)
at org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:547)
at org.apache.log4j.helpers.OptionConverter.selectAndConfigure(OptionConverter.java:483)
at org.apache.log4j.LogManager.<clinit>(LogManager.java:127)
... 9 more
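
As an added example (not code from the original post or from OpenWebStart): a small Python script that reads `AccessControlException` denial lines like the one in the trace above and emits a `java.policy` grant limited to the paths and actions actually refused, instead of `<<ALL FILES>>`. The codeBase URL `https://apps.mydomain.edu/-` is a hypothetical placeholder (policy-file syntax takes the codeBase as a URL), and the `client.log.1` line in the sample log is constructed.

```python
import re
from collections import defaultdict

# Sample input: the denial from the trace above (it appears twice there)
# plus one constructed read denial on a rolled-over log file.
SAMPLE_LOG = '''\
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log" "write")
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/path/to/logs/client.log.1" "read")
'''

DENIAL = re.compile(
    r'access denied \("java\.io\.FilePermission" "([^"]+)" "([^"]+)"\)')
# Actions java.io.FilePermission accepts; anything else in a log line is dropped.
KNOWN_ACTIONS = ("read", "write", "execute", "delete", "readlink")


def collect_denials(log_text):
    """Map each denied path to the set of actions that were refused."""
    denied = defaultdict(set)
    for path, actions in DENIAL.findall(log_text):
        denied[path].update(a.strip() for a in actions.split(","))
    return dict(denied)


def policy_grant(log_text, code_base_url):
    """Build a grant entry covering only the observed path/action pairs.

    code_base_url is an assumption supplied by the caller (hypothetical here).
    """
    lines = ['grant codeBase "%s" {' % code_base_url]
    for path, actions in sorted(collect_denials(log_text).items()):
        wanted = ",".join(a for a in KNOWN_ACTIONS if a in actions)
        if not wanted:
            continue
        # Backslashes (Windows paths) must be doubled inside policy strings.
        escaped = path.replace("\\", "\\\\")
        lines.append('    permission java.io.FilePermission "%s", "%s";'
                     % (escaped, wanted))
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(policy_grant(SAMPLE_LOG, "https://apps.mydomain.edu/-"))
```

Review the generated entries before deploying them: each one should correspond to a file the application is expected to touch.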