I am trying to lock down a Java program using the security manager. When a check fails it normally tells you exactly which permission was denied, so you can add that entry to the policy.
I am down to three issues that do not show up as "access denied" errors with the recommended policy entry. (Note that issues 1 and 2 below are printed with the `ExecGroup-0:err:` prefix, i.e. rmid is relaying the stderr of the activation-group JVM it spawned, while the only `access:` debug line in this log has no such prefix and comes from rmid's own JVM. So the child JVM may not be running with `-Djava.security.debug=access,failure` at all, in which case its denials are never printed; that flag, like the policy file itself, has to be handed to the group JVM via the ActivationGroupDesc or rmid's `-C` child options — rmid's own `-J` options are not inherited.)
This application works when the policy is
grant {
// Allow everything for now.
// Baseline only: AllPermission switches the sandbox off entirely, so a run that
// succeeds under it proves nothing about which permissions the application needs.
permission java.security.AllPermission;
};
With the policy at the bottom of this post it fails instead; these are the errors, and I can't find any "denied" messages for them.
Issue 1:
Fri Dec 09 00:30:29 CST 2022:ExecGroup-0:err:java.security.NoSuchAlgorithmException: PBKDF2WithHmacSHA512 SecretKeyFactory not available
Fri Dec 09 00:30:29 CST 2022:ExecGroup-0:err: at javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:122)
Fri Dec 09 00:30:29 CST 2022:ExecGroup-0:err: at javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
Issue 2 (an application-level exception that appears to wrap a SecurityException; the underlying denial should name the permission if the JVM that throws it is run with `-Djava.security.debug=access,failure`):
Fri Dec 09 00:30:29 CST 2022:ExecGroup-0:err:FATAL ERROR: java.lang.IllegalArgumentException: DatabaseUserid security exception
Issue 3 (rmid's own output; since the `FATAL ERROR` in issue 2 comes from the same ExecGroup-0 JVM, this connection refusal is most likely just rmid failing to reach a group JVM that has already exited, rather than a separate permission problem):
rmid: activation group inactive: java.rmi.ConnectException: Connection refused to host: SJohns-XPS7590.snafuHQ.local; nested exception is:
java.net.ConnectException: Connection refused: connect
java.rmi.ConnectException: Connection refused to host: SJohns-XPS7590.snafuHQ.local; nested exception is:
java.net.ConnectException: Connection refused: connect
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:623)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:132)
at java.rmi.activation.ActivationGroup_Stub.newInstance(Unknown Source)
at sun.rmi.server.Activation$ObjectEntry.activate(Activation.java:1494)
at sun.rmi.server.Activation$GroupEntry.activate(Activation.java:1180)
at sun.rmi.server.Activation$ActivatorImpl.activate(Activation.java:409)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
at sun.rmi.transport.Transport$1.run(Transport.java:200)
at sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)
at java.net.Socket.connect(Socket.java:556)
at java.net.Socket.<init>(Socket.java:452)
at java.net.Socket.<init>(Socket.java:229)
at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:40)
at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:148)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:617)
... 24 more
access: access allowed ("java.util.PropertyPermission" "line.separator" "read")
Dec 09, 2022 12:30:32 AM sun.rmi.server.UnicastServerRef logCallException
FINE: RMI TCP Connection(3)-192.168.1.125: [192.168.1.125] exception:
java.rmi.activation.ActivationException: object activation failed after 2 tries; nested exception is:
java.rmi.ConnectException: Connection refused to host: SJohns-XPS7590.snafuHQ.local; nested exception is:
java.net.ConnectException: Connection refused: connect
at sun.rmi.server.Activation$GroupEntry.activate(Activation.java:1223)
at sun.rmi.server.Activation$ActivatorImpl.activate(Activation.java:409)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:357)
at sun.rmi.transport.Transport$1.run(Transport.java:200)
at sun.rmi.transport.Transport$1.run(Transport.java:197)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:196)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:573)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:834)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:688)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:687)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.rmi.ConnectException: Connection refused to host: SJohns-XPS7590.snafuHQ.local; nested exception is:
java.net.ConnectException: Connection refused: connect
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:623)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:132)
at java.rmi.activation.ActivationGroup_Stub.newInstance(Unknown Source)
at sun.rmi.server.Activation$ObjectEntry.activate(Activation.java:1494)
at sun.rmi.server.Activation$GroupEntry.activate(Activation.java:1180)
... 18 more
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.connect0(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:79)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:607)
at java.net.Socket.connect(Socket.java:556)
at java.net.Socket.<init>(Socket.java:452)
at java.net.Socket.<init>(Socket.java:229)
at sun.rmi.transport.proxy.RMIDirectSocketFactory.createSocket(RMIDirectSocketFactory.java:40)
at sun.rmi.transport.proxy.RMIMasterSocketFactory.createSocket(RMIMasterSocketFactory.java:148)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:617)
... 24 more
LOCK DOWN POLICY FILE
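// https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8229532
// https://stackoverflow.com/questions/57433655/classnotfoundexception-issued-by-urlclassloader-when-the-security-manager-is-ena
//
// Baseline used only to prove the application runs at all; keep it commented out.
// AllPermission switches the sandbox off, so nothing below is enforced while it is active.
//grant {
//permission java.security.AllPermission;
//};
//
// Only code loaded from this directory receives the grants below; everything else runs
// with the JDK default policy. "/*" matches jars and classes directly in foobar, not in
// sub-directories (that would be "/-"), so make sure this matches the real layout.
grant codeBase "file:/C:/apps/snafu/foobar/*" {
    // --- network: registry/rmid ports plus the ephemeral ports RMI exports objects on.
    // Port "*" on the machine's own hostname is the broadest entry here; narrow it if the
    // exported objects can be pinned to fixed ports.
    permission java.net.SocketPermission "127.0.0.1:*", "accept,connect,resolve";
    permission java.net.SocketPermission "localhost:6990", "listen,accept,connect,resolve";
    permission java.net.SocketPermission "localhost:6993", "listen,accept,connect,resolve";
    permission java.net.SocketPermission "SJohns-XPS7590.snafuHQ.local:*", "listen,accept,connect,resolve";
    permission java.net.SocketPermission "192.168.1.125:6993", "listen,accept,connect,resolve";

    // --- system properties.
    // The previous wildcard entry ("*", "read,write") silently subsumed every other
    // PropertyPermission in this block and let any class in the codebase rewrite any
    // system property - in an RMI deployment that includes the java.rmi.server.* and
    // javax.net.ssl.* settings. Reads stay wildcarded so the lockdown does not break on
    // an unlisted property; writes are enumerated. If a write is denied later, add that
    // property by name instead of restoring the wildcard.
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "slc.ps_loc", "write";
    // Reads known to be needed (currently covered by the wildcard above; kept so the
    // wildcard can be dropped once the list is complete).
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "user.home", "read";
    permission java.util.PropertyPermission "LicenseFilename", "read";
    permission java.util.PropertyPermission "HostId", "read";
    permission java.util.PropertyPermission "InstanceID", "read";
    permission java.util.PropertyPermission "org.owasp.esapi.SecurityConfiguration", "read";
    permission java.util.PropertyPermission "org.owasp.esapi.logSpecial.discard", "read";
    permission java.util.PropertyPermission "org.owasp.esapi.resources", "read";
    permission java.util.PropertyPermission "org.owasp.esapi.opsteam", "read";

    // --- logging and JMX monitoring.
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission javax.management.MBeanTrustPermission "register";
    permission javax.management.MBeanPermission "*", "queryNames";
    permission javax.management.MBeanPermission "*", "registerMBean,unregisterMBean";

    // --- files. "." grants read on the current-directory entry only, not its contents;
    // the application tree itself is read/write/delete. The path case differs from the
    // codeBase URL above (Apps vs apps) - usually harmless on Windows, wrong on a
    // case-sensitive file system.
    permission java.io.FilePermission ".", "read";
    permission java.io.FilePermission "C:/Apps/snafu/foobar/-", "read,write,delete";

    // --- runtime and reflection. These weaken the sandbox the most: suppressAccessChecks
    // lets code setAccessible() into private JDK internals and setFactory lets it replace
    // socket/URL-handler factories process-wide; both are flagged as dangerous in the JDK
    // permissions guide. Keep them only if a logged denial shows the application really
    // needs them, and consider a separate, narrower codeBase for the jar that does.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "getenv.*";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";

    // --- crypto providers. If PBKDF2WithHmacSHA512 is still reported as unavailable,
    // run the JVM that performs the lookup with -Djava.security.debug=access,failure:
    // the JCE framework typically turns a denial during provider loading into a
    // NoSuchAlgorithmException, so the real missing permission is not visible otherwise.
    permission java.lang.RuntimePermission "loadLibrary.sunec";
    permission java.lang.RuntimePermission "loadLibrary.sunmscapi";
    permission java.security.SecurityPermission "putProviderProperty.SunJCE";
};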