0

Our company has a security policy for tomcat we will have to request if there is any new security policy required. I am using spring-cloud-starter-hystrix-1.4.1.RELEASE which is using archaius-core-0.7.4.jar. Our server administrators definitely not going to give the following permission which basically asking for read write permissions for everything

Caused by: java.lang.ExceptionInInitializerError
        at com.netflix.config.DynamicPropertyFactory.getInstance(DynamicPropertyFactory.java:277)
        at com.netflix.hystrix.contrib.metrics.eventstream.HystrixMetricsStreamServlet.<clinit>(HystrixMetricsStreamServlet.java:55)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at org.springframework.web.servlet.mvc.ServletWrappingController.afterPropertiesSet(ServletWrappingController.java:144)
        at org.springframework.cloud.netflix.endpoint.ServletWrappingEndpoint.afterPropertiesSet(ServletWrappingEndpoint.java:50)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$6.run(AbstractAutowireCapableBeanFactory.java:1677)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1674)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1624)
        ... 107 more
Caused by: java.lang.RuntimeException: Error initializing configuration
        at com.netflix.config.ConfigurationManager.<clinit>(ConfigurationManager.java:109)
        ... 120 more
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "*" "read,write")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1262)
        at java.lang.System.getProperties(System.java:630)
        at org.apache.commons.configuration.SystemConfiguration.<init>(SystemConfiguration.java:44)
        at com.netflix.config.ConfigurationManager.createDefaultConfigInstance(ConfigurationManager.java:146)
        at com.netflix.config.ConfigurationManager.getConfigInstance(ConfigurationManager.java:161)
        at com.netflix.config.ConfigurationManager.getConfigInstance(ConfigurationManager.java:176)
        at com.netflix.config.ConfigurationBasedDeploymentContext.<init>(ConfigurationBasedDeploymentContext.java:108)
        at com.netflix.config.ConfigurationManager.<clinit>(ConfigurationManager.java:104)
        ... 120 more

After researching on why archaius.dynamicProperty.disableSystemConfig value in ConfigurationManager is false by default which is letting archaius default system configuration. commons-configuration jar has a code which is using System.getProperties() and that is why I am seeing this error.

We are not using archaius so excluded ArchaiusAutoConfiguration.class from spring boot application class but it seems like it is still looking for configuration.

My question is how do i disable archaius ? Is ArchaiusAutoConfiguration exclusion from spring boot application class itself is not enough ? If i have to set archaius.dynamicProperty.disableSystemConfig value to true, how can i do it and where ?

Raised an issue on github as well https://github.com/Netflix/archaius/issues/539

Ravi Kancherla
  • 95
  • 2
  • 9
  • have you tried removing the dependency for `archaius` from maven or gradle? – Pankaj Gadge Jan 18 '18 at 06:54
  • Almost all the integrated Netflix software in Spring Cloud Netflix depends on archaius for configuration. Not sure how well it will function without it – spencergibb Jan 18 '18 at 07:01
  • @PankajGadge - yes, i have tried and got classnotfoundexception. Cannot avoid it – Ravi Kancherla Jan 18 '18 at 07:09
  • @spencergibb - user guide says to change the value of archaius.dynamicProperty.disableSystemConfig to true. I tried putting it in application.properties and config.properties. Both didn't work and application doesn't seem to read this value from these property files. If it recognizes this property, it won't try to get system properties and i think that resolves the problem – Ravi Kancherla Jan 18 '18 at 07:11
  • What user guide? – spencergibb Jan 18 '18 at 18:32

1 Answers1

0

The property archaius.dynamicProperty.disableSystemConfig must be declared as System Property. Archaius only tries to read this value of this property from System Property.

Source Code : https://github.com/Netflix/archaius/blob/master/archaius-core/src/main/java/com/netflix/config/ConfigurationManager.java#L165

I think that disabling ArchaiusAutoConfiguration itself is not a good idea. Netflix OSS is using archaius and Spring Cloud provides its properties - defined in Spring - into archaius. Therefore Netflix OSS inside Spring Cloud would not work properly without it.

yongsung.yoon
  • 5,489
  • 28
  • 32
  • Thank you. I was adding it from config.properties, application.properties but application wasn't able to read it from those. Finally i was able to get it working after adding it to catalina.bat as environment property – Ravi Kancherla Jan 19 '18 at 20:41