1

I am working with Java security policies and it's still rather new for me. I will like to be able to run the code directly as a launch configuration, so I have a debugger and all the other nice IDE stuff.

I can get it to work until I use the codebase attribute in the policy.

I have a class in the package application that creates a LoginContext. The policy file is located in the root of my project. With this content it works fine:

grant {
   permission javax.security.auth.AuthPermission "createLoginContext.Sample";
   permission javax.security.auth.AuthPermission "doAsPrivileged";
};

But when I add the codebase it fails with Cannot create LoginContext. access denied ("javax.security.auth.AuthPermission" "createLoginContext.Sample")

grant codebase "file:./bin/application/-" {
   permission javax.security.auth.AuthPermission "createLoginContext.Sample";
   permission javax.security.auth.AuthPermission "doAsPrivileged";
};

I have tried these values for codebase

  1. file:application/-
  2. file:./application/-
  3. file:bin/application/-
  4. file:./bin/application/-
  5. file:C:/Full Path/to/project/bin/application/-
  6. file://C:/Full Path/to/project/bin/application/-

(In case it matters: The full path includes spaces)

Tobber
  • 7,211
  • 8
  • 33
  • 56

2 Answers2

1

I managed to find the problem using JAAS's debug output, which I can really recommend.

In short the codebase is always the binary root folder (or jar) not the package folder containing the class file. In my case it meant that the codebase of all classes was path/to/project/bin which didn't match path/to/project/bin/application/- specified in the policy.

To solve this one needs to have multiple bin-folders or "output folder" as Eclipse name them. To get this:

  1. Go into Project Properties > Java Build Path and select the Source tab
  2. Activate Allow output folders for source folders
  3. Add as many source folders you like, by clicking Add Folder
  4. For each source folder, specify the output folder by first selecting the output folder item and then click edit.

Mark of important buttons in Project Properties

After this you can have the policy point to each folder like this

grant codebase "file:binLogin/-" {
    permission javax.security.auth.AuthPermission "modifyPrincipals";
};

grant codebase "file:binApp/-" {
   permission javax.security.auth.AuthPermission "createLoginContext.Sample";
   permission javax.security.auth.AuthPermission "doAsPrivileged";
};

I hope this might help others in the future.

Tobber
  • 7,211
  • 8
  • 33
  • 56
0

I realize this might qualify as a comment, but it is a bit too large and might help you find the answer yourself.

Your code looks like it's adapted from this tutorial. If so, you can modify the code in that example that catches the exception:

  try {
      lc = new LoginContext("Sample",
                      new MyCallbackHandler());
  } catch (LoginException le) {
      System.err.println("Cannot create LoginContext. "
          + le.getMessage());
      System.exit(-1);
  } catch (SecurityException se) {
      System.err.println("Cannot create LoginContext. "
          + se.getMessage());
      System.exit(-1);
  }

to this:

  try {
      lc = new LoginContext("Sample",
                      new MyCallbackHandler());
  } catch (LoginException le) {
      System.err.println("Cannot create LoginContext. "
          + le.getMessage());
      le.printStackTrace();
      System.exit(-1);
  } catch (SecurityException se) {
      System.err.println("Cannot create LoginContext. "
          + se.getMessage());
      se.printStackTrace();
      System.exit(-1);
  }

That way, you (and we,) will learn something more about the error that might help you find the problem.

ljgw
  • 2,751
  • 1
  • 20
  • 39
  • Your right it is based on that tutorial, though the stacktrace didn't (me) help much. Turning on debugging helped though and I was able to find the problem (see my answer) Thanks for your help :) – Tobber Nov 27 '13 at 16:27