Best IT Recipes

How to disable Java Security Manager?

Is there a way to completely disable Java Security Manager?

I am experimenting with db4o source code. It uses reflection to save objects, and it seems that the security manager does not allow to read and write private or protected fields.

My code is:

public static void main(String[] args) throws IOException { System.out.println("start"); new File( DB_FILE_NAME ).delete(); ObjectContainer container = Db4o.openFile( DB_FILE_NAME ); String ob = new String( "test" ); container.store( ob ); ObjectSet result = container.queryByExample( String.class ); System.out.println( "retrieved (" + result.size() + "):" ); while( result.hasNext() ) { System.out.println( result.next() ); } container.close(); System.out.println("finish"); }

Output:

 start
 [db4o 7.4.68.12069 2009-04-18 00:21:30] 
  AccessibleObject # setAccessible () is not available.  Private fields can not be stored.
 retrieved (0):
 finish


This thread suggests modifying the java.policy file so that it can reflect, but it doesn't seem to work for me.

I start the JVM with the arguments -Djava.security.manager -Djava.security.policy==/home/pablo/.java.policy
therefore, the specified policy file will be the only policy file used

The file is as follows:

 grant {
     permission java.security.AllPermission;
     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 };

I spent the last 3 hours on this, and I have no idea how to do this. Any help was appreciated.

+16
java reflection security db4o
Apr 17 '09 at 10:40
source share
3 answers

You can try adding this to main () of your program:

 System.setSecurityManager(null);

Worked for me for a "trusted" WebStart application when I had problems with the security manager. Not sure if this will work for your db4o case, but it might be worth a try.

EDIT: I do not assume that this is a general solution to the problems of the security manager. I just suggested this as a way to debug the original problem with the poster. Obviously, if you want to use the security manager, you should not disable it.

+6
Apr 18 '09 at 0:18
source share

Do you really have two '=' characters on the java.security.policy command line? This will not work. Make sure you set the property as

 -Djava.security.policy=/home/pablo/.java.policy

To actually disable SecurityManager , just leaving the java.security.manager system property generally should be enough.



Update. When I read the documentation for policy files to learn more about the "==" syntax, I noticed that if the policy file is not in the current working directory, it needs to be specified as a URL (including the scheme). Have you tried the policy path prefix with the file: scheme?

I was also puzzled that (suppose you are working as a "pablo" user), it seems that this policy should be loaded by default from your home directory, so you do not need to specify it at all. On the other hand, if you are not working as a "pablo" user, the file may not be read.

+5
Apr 17 '09 at 22:54
source share

I found this example of how to make private fields and methods available to your code. Basically, it moves away from using Field.setAccessible (true) and Method.setAccessible (true)

Field example:

 Field privateStringField = PrivateObject.class. getDeclaredField("privateString"); privateStringField.setAccessible(true);

Method Example:

 Method privateStringMethod = PrivateObject.class. getDeclaredMethod("getPrivateString", null); privateStringMethod.setAccessible(true);

You can also use Groovy with Java code, as it (currently) bypasses most of the Java code access level restrictions. Although this message on the bulletin board seems to suggest that this feature " may change in future versions of Groovy .

+4
Apr 18 '09 at 5:55
source share


More articles:


All Articles