000013452 - AAOP enabling Java 2 security against sp3: AA does not come up and throws 'Access denied'

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013452
Applies To

file /web/soft/was61/bnym1/profiles/node3/logs/ffdc/st0rsamf61rs81_0000003a_12.05.08_16.55.14_0.txt
[5/8/12 16:55:14:961 EDT] 0000003a SecurityManag W   SECJ0314W: Current Java 2 Security policy reported a potential violation of Java 2 Security Permission. Please refer to InfoCenter for further information.

Permission:

      /web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml : Access denied (java.io.FilePermission /web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml read)


Code:

     com.rsa.csd.ws.axis2.LogHandler  in  {file:/web/sites/st0/rsamf61/data/jspwork/rs81Node/st0rsamf61rs81/st0rsamf61/AdaptiveAuthentication.war/_axis2/axis22379958949721437791rsa-logging-module-1.1.0.mar}

 

Stack Trace:

java.security.AccessControlException: Access denied (java.io.FilePermission /web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml read)
 at java.security.AccessController.checkPermission(AccessController.java:103)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:558)
 at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:214)
 at com.ibm.ws.classloader.SinglePathClassProvider.check(SinglePathClassProvider.java:571)
 at com.ibm.ws.classloader.SinglePathClassProvider.checkURL(SinglePathClassProvider.java:558)
 at com.ibm.ws.classloader.SinglePathClassProvider.getResource(SinglePathClassProvider.java:550)
 at com.ibm.ws.classloader.SinglePathClassProvider.getResourceAsStream(SinglePathClassProvider.java:585)
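
Added example (not part of the RSA article): one way to turn the `Access denied (...)` messages in an FFDC or SystemOut log like the one above into exact-match `was.policy` entries, so that each grant corresponds to a denial that was actually observed. The `HAS_ACTIONS` set and the function names are assumptions of this sketch; the first two sample lines are taken from this article and the third is constructed.

```python
import re

# Message format as logged in the FFDC entry above:
#   Access denied (<permission class> <target> [<actions>])
DENIED = re.compile(r"Access denied \(([\w.$]+) ([^()]*)\)", re.I)

# Permission classes whose last token is an action list (assumption; extend as needed).
HAS_ACTIONS = {"java.io.FilePermission", "java.util.PropertyPermission",
               "java.net.SocketPermission"}

def denials(log_text):
    """Return unique (class, target, actions) tuples in first-seen order."""
    seen = []
    for cls, rest in DENIED.findall(log_text):
        target, actions = rest.strip(), ""
        if cls in HAS_ACTIONS and " " in target:
            # The actions are the last space-separated token of the message.
            target, actions = target.rsplit(" ", 1)
        if (cls, target, actions) not in seen:
            seen.append((cls, target, actions))
    return seen

def policy_lines(log_text):
    """Render each denial as one exact-match was.policy permission entry."""
    lines = []
    for cls, target, actions in denials(log_text):
        entry = f'permission {cls} "{target}"'
        if actions:
            entry += f', "{actions}"'
        lines.append(entry + ";")
    return lines

# Lines 1-2 are from this article; line 3 is constructed for illustration.
SAMPLE = """\
/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml : Access denied (java.io.FilePermission /web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml read)
java.security.AccessControlException: Access denied (java.io.FilePermission /web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml read)
java.security.AccessControlException: Access denied (java.lang.RuntimePermission getClassLoader)
"""

if __name__ == "__main__":
    print("\n".join(policy_lines(SAMPLE)))
```

The repeated denial of `d-config-datasource.xml` collapses into a single entry; paths that contain parentheses are not matched by this pattern.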

Issue

The environment for the customer was:

AIX 5.3, WebSphere 6.1 .0.0.39.

Resolution

You need to add the following to was.policy. You also need to copy the .mar files to AdaptiveAuthentication/WEB-INF/lib.

grant codeBase "file:${webComponent}"{
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "shutdownHooks";
permission com.ibm.oti.shared.SharedClassPermission "*", "read, write";
permission java.util.PropertyPermission "*", "write";
permission java.io.FilePermission "/web/soft/was61/-", "read";
permission java.io.FilePermission "/web/sites/st0/rsamf61/-","read, delete";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.io.FilePermission "/web/sites/st0/rsamf61/-","read, delete";
permission java.io.FilePermission "/AAOP/rsa/configs", "read, write, delete";
permission java.io.FilePermission "/AAOP/rsa/logs/-", "read, write, delete";
permission java.io.FilePermission "/AAOP/rsa/logs";
permission java.io.FilePermission "/AAOP/usr/IBM/java/jre/lib/-", "read";
permission java.io.FilePermission "/AAOP/usr/IBM/lib/-", "read";
permission com.ibm.websphere.security.WebSphereRuntimePermission "accessRuntimeClasses";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/AdaptiveAuthentication/AdaptiveAuthentication.war/axis2-web/-", "read";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/_axis2*","read, write";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/lib/cryptoj-4.1.jar", "read, write, delete";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/lib/-", "read, write, delete";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jsafe.fips140initialmode";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml", "read";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/-","read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.editors";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/AdaptiveAuthentication/AdaptiveAuthentication.war/axis2-web/-", "read, write, delete";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/AdaptiveAuthentication/AdaptiveAuthentication.war${/}","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/bnym/AdaptiveAuthentication.war/_axis2","read,write,delete";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.io.FilePermission "/AAOP/usr/IBM/properties/version/update/backup","read";
permission java.io.FilePermission "/AAOP/rsa/configs/c-applicationContext.xml","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/bnym/AdaptiveAuthentication.war/_axis2/-", "read,write,delete";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/properties", "read";
permission java.io.FilePermission "/AAOP/rsa/geoip/database", "read";
permission java.io.FilePermission "/AAOP/usr/IBM","read";
permission java.io.FilePermission "/AAOP/usr/IBM/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/properties", "read";
permission java.io.FilePermission "/AAOP/rsa/configs/-","read";
permission java.io.FilePermission "/AAOP/rsa/configs/addPayee.st","read";
permission java.io.FilePermission "/AAOP/rsa/geoip/-","read";
permission java.io.FilePermission "/AAOP/rsa/geoip/staging","read";
permission java.io.FilePermission "/AAOP/rsa/geoip/archive","read";
permission java.io.FilePermission "/AAOP/usr/IBM/properties/version", "read";
permission java.io.FilePermission "/.mime.types","read";
permission java.io.FilePermission "/usr/apps/aa/wurfl-data.zip","read";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jce.fips140initialmode";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.fips140initialmode";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jsafe.kat.strategy";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jce.kat.strategy";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.kat.strategy";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.eventhandler";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.integritycheck";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.kat.fail";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.runtimetest.fail";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.testmode";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jce.no.verify.jar";
permission java.security.SecurityPermission "getProperty.com.rsa.crypto.default.random";
permission java.security.SecurityPermission "putProviderProperty.JsafeJCE";
permission java.security.SecurityPermission "insertProvider.JsafeJCE";

permission java.io.FilePermission "/WEB-INF/AdaptiveAuthenticationAdmin.wsdl", "read";
permission java.io.FilePermission "/tmp/-","read,write,delete";
permission java.io.FilePermission "/WEB-INF/AdaptiveAuthenticationAdmin.wsdl","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/spring-beans-2.5.6.SEC01.jar","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml", "read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/spectjweaver-1.6.8.jar","read,write,delete";

permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/-", "read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/-", "read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
};

grant codeBase "file:${jars}" {
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "shutdownHooks";
permission com.ibm.oti.shared.SharedClassPermission "*", "read, write";
permission java.util.PropertyPermission "*", "write";
permission java.io.FilePermission "/web/soft/was61/-", "read";
permission java.io.FilePermission "/web/sites/st0/rsamf61/-","read, delete";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.io.FilePermission "/web/sites/st0/rsamf61/-","read, delete";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/_axis2*","read, write";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/lib/cryptoj-4.1.jar", "read, write, delete";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/lib/-", "read, write, delete";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jsafe.fips140initialmode";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml", "read";
permission java.io.FilePermission "/web/sites/st0/rsamf61/deployed/st0rsamf61.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/-","read";
permission java.io.FilePermission "/AAOP/rsa/configs", "read, write, delete";
permission java.io.FilePermission "/AAOP/rsa/logs/-", "read, write, delete";
permission java.io.FilePermission "/AAOP/rsa/logs";
permission java.io.FilePermission "/AAOP/usr/IBM/java/jre/lib/-", "read";
permission java.io.FilePermission "/AAOP/usr/IBM/lib/-", "read";
permission com.ibm.websphere.security.WebSphereRuntimePermission "accessRuntimeClasses";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/AdaptiveAuthentication/AdaptiveAuthentication.war/axis2-web", "read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.editors";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/AdaptiveAuthentication/AdaptiveAuthentication.war/axis2-web/-", "read, write, delete";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/AdaptiveAuthentication/AdaptiveAuthentication.war${/}","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/bnym/AdaptiveAuthentication.war/_axis2","read,write,delete";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.io.FilePermission "/AAOP/usr/IBM/properties/version/update/backup","read";
permission java.io.FilePermission "/AAOP/rsa/configs/c-applicationContext.xml","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/temp/psoqa97Node02/server1/bnym/AdaptiveAuthentication.war/_axis2/-", "read,write,delete";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/properties", "read";
permission java.io.FilePermission "/AAOP/rsa/geoip/database", "read";
permission java.io.FilePermission "/AAOP/usr/IBM","read";
permission java.io.FilePermission "/AAOP/usr/IBM/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/properties", "read";
permission java.io.FilePermission "/AAOP/rsa/configs/-","read";
permission java.io.FilePermission "/AAOP/rsa/configs/addPayee.st","read";
permission java.io.FilePermission "/AAOP/rsa/geoip/-","read";
permission java.io.FilePermission "/AAOP/rsa/geoip/staging","read";
permission java.io.FilePermission "/AAOP/rsa/geoip/archive","read";
permission java.io.FilePermission "/AAOP/usr/IBM/properties/version", "read";
permission java.io.FilePermission "/.mime.types","read";
permission java.io.FilePermission "/usr/apps/aa/wurfl-data.zip","read";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jce.fips140initialmode";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.fips140initialmode";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jsafe.kat.strategy";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jce.kat.strategy";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.kat.strategy";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.eventhandler";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.integritycheck";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.kat.fail";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.testmode";
permission java.security.SecurityPermission "getProperty.com.rsa.cryptoj.jce.no.verify.jar";
permission java.security.SecurityPermission "getProperty.com.rsa.crypto.default.random";
permission java.security.SecurityPermission "putProviderProperty.JsafeJCE";
permission java.security.SecurityPermission "insertProvider.JsafeJCE";
permission java.io.FilePermission "/WEB-INF/AdaptiveAuthenticationAdmin.wsdl", "read";
permission java.io.FilePermission "/tmp/-","read,write,delete";
permission java.io.FilePermission "/WEB-INF/AdaptiveAuthenticationAdmin.wsdl","read";

permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/spring-beans-2.5.6.SEC01.jar","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml", "read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/spectjweaver-1.6.8.jar","read";

permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/-","read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/lib/-", "read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/-", "read";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
};

grant codeBase "file:${application}" {
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-datasource.xml", "read";
permission java.io.FilePermission "/AAOP/usr/IBM/profiles/AppSrv01/installedApps/psoqa97Node01Cell/bnym.ear/AdaptiveAuthentication.war/WEB-INF/classes/configs/d-config-configService.xml", "read";
};
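
Added example (not part of the RSA article): a small review pass over a `was.policy` such as the one above, reporting entries that are repeated within a grant, `FilePermission` entries with no actions string (the `FilePermission` constructor requires one), recursive file grants that include write or delete, and a few high-impact permissions. The `SENSITIVE` set and the finding names are reviewer heuristics assumed for this sketch; the sample policy is a constructed excerpt that reuses entries from this article.

```python
import re
from collections import Counter

GRANT = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.I | re.S)
ENTRY = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"\s*(?:,\s*"([^"]*)")?\s*;', re.I)

# Reviewer heuristics (assumptions of this example, not an RSA or IBM list).
SENSITIVE = {
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.util.PropertyPermission", "*"),
}

def lint(policy_text):
    """Return (finding, location) pairs for each grant block in the policy."""
    findings = []
    for codebase, body in GRANT.findall(policy_text):
        # Normalise the action list so "read, delete" equals "delete,read".
        entries = [(c, t, ",".join(sorted(a.replace(" ", "").split(","))) if a else "")
                   for c, t, a in ENTRY.findall(body)]
        for (cls, target, actions), count in Counter(entries).items():
            where = f'{codebase}: {cls} "{target}"'
            if count > 1:
                findings.append(("duplicate", where))
            if cls == "java.io.FilePermission":
                if not actions:
                    findings.append(("missing-actions", where))
                elif target.endswith("/-") and {"write", "delete"} & set(actions.split(",")):
                    findings.append(("recursive-modify", where))
            if (cls, target) in SENSITIVE:
                findings.append(("sensitive", where))
    return findings

# Constructed excerpt built from entries that appear in the policy above.
SAMPLE = """
grant codeBase "file:${webComponent}" {
permission java.io.FilePermission "/web/sites/st0/rsamf61/-","read, delete";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.io.FilePermission "/web/sites/st0/rsamf61/-","read, delete";
permission java.io.FilePermission "/AAOP/rsa/logs";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.io.FilePermission "/tmp/-","read,write,delete";
};
"""

if __name__ == "__main__":
    for kind, where in lint(SAMPLE):
        print(f"{kind:16} {where}")
```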

 

The following step is also required.

Copy the .mar files from AA/WEB-INF/modules to AA/WEB-INF/lib and rename them as .jar.

# run from AA/WEB-INF
cp modules/rsa-logging-module-1.1.0.mar lib/rsa-logging-module-1.1.0.jar
cp modules/soapmonitor-1.4.mar lib/soapmonitor-1.4.jar
cp modules/addressing-1.4.mar lib/addressing-1.4.jar

They will then be loaded by the class loader with application classes first.

Legacy Article ID: a59119
