0

I have put some jars in the jvm/lib/ext folder on the Domino server for use in some classes in my database. Everything works except security.

If I place "permission java.security.AllPermission;" (no quotes) in my main grant of the java.policy, everything works, but if I try to narrow it down to a separate grant for just the database with the classes and just the jars in the ext folder, I receive all sorts of security exceptions. For example, I receive a reflection exception because one of the jars is performing reflection.

Here are the two separate grants I have attempted to use together in the file:

grant codeBase "file:/C:/path_to_domino_server_program_directory/jvm/lib/ext/-" {
     permission java.security.AllPermission;
}
grant codeBase "xspnsf://server:0/path_to_database/database.nsf/-" { 
     permission java.security.AllPermission;
};

Any help would be appreciated.

pipalia
  • By any chance, are you using XSSF (or another MS XML document format)? I've had a bit of trouble with those, dom4j is causing classloader problems I haven't been able to resolve. – Thimo Jansen Feb 16 '13 at 21:34
  • Yes the code is accessing MS docx format (which is MS XML). We have been able to get around these issues using main Grant, but when we narrow it down we have problems. – pipalia Feb 17 '13 at 12:28

2 Answers

2

You shouldn't touch the permissions for /lib/ext since they are already in the default policy file:

 // Standard extensions get all permissions by default
 grant codeBase "file:${java.home}/lib/ext/*" {
       permission java.security.AllPermission;
 };

so the libraries have all the rights already. But as Thimo pointed out: the classloader can get in your way. You might need to go through the source and check for the troublemakers. Prime candidates are uses of reflection.

For Apache POI quite some journey is needed. Christian just outlined the solution in his blog (always worth a read).

I would pack extra libraries into my own extension library, so it can be deployed using an updatesite.nsf (Invest in the books).

stwissel
  • We are using these packages among others: import org.docx4j.openpackaging.packages.WordprocessingMLPackage; import org.docx4j.openpackaging.parts.WordprocessingML.MainDocumentPart; and this line is causing issues when we log debugging information: this.docx = WordprocessingMLPackage.load(this.docXFile); – pipalia Feb 18 '13 at 21:10
  • Many thanks for your help Stephen, appreciate it. How do I find out what java.home refers to? I have Notes client installed on the server as well as Domino. Could java.home refer to Notes client directory as well? So just to be absolutely certain, is there an easy way to confirm what it refers to? – pipalia Feb 18 '13 at 21:12
  • Notes clients on the servers are a bit out of fashion! Don't do that on a production system. Java_Home is [notesdir]/jvm - always for Domino – stwissel Feb 19 '13 at 08:23
  • Agreed, although this is dev environment rather than production. Many thanks for confirming. – pipalia Feb 19 '13 at 11:28
1

I'm using this for POI:

grant {
  permission java.lang.RuntimePermission "getClassLoader";
};

Depending on what you do you might need some others too but I don't think it's a good idea to grant all permissions. Of course it's even better if you can restrict the permissions to one NSF only but it seems to be troublesome. I'm not absolutely sure what you should use for server but if I understood this correctly it should be "server", not your server name:

you only need to change yourdatabase.nsf, the other parts are static, directory separators are / regardless of platform, the location is relative to the data directory and the whole codeBase value must be lower case (regardless of your file names).

Also you could try removing the JARs from jvm/ext and storing them to the NSF WEB-INF to make sure they use the NSF permissions.

Note that HTTP restart is needed after changing the java.policy file (which you probably know already).

Panu Haaramo
  • Many thanks Panu for your response. I thought this was only supported for Java agents. Regular Java resources will result in a “ClassDefNotFound” Exception because they can’t see the Jars. I believe, until Notes 9, Java Resources can only use jars in lib/ext. Can you please confirm? – pipalia Feb 18 '13 at 21:18
  • You just need to include the JARs in Java Build Path: http://stackoverflow.com/questions/14464827/are-jar-files-in-webcontent-web-inf-lib-available-to-java-design-elements-in-dom/14465114 – Panu Haaramo Feb 18 '13 at 21:52
  • This we definitely must try - many thanks Panu - I will keep you posted on here. – pipalia Feb 19 '13 at 11:29
  • I have successfully added JARs (about 32 of them) to the db and this is increasing the build time massively for every single change (on build automatically and over half an hour doing manual build), so not too sure whether this was a wise decision on my part. What's the worst that can happen with Grant all since this is a small business and I am the only developer here? – pipalia Feb 19 '13 at 21:47
  • a) I would move the Jars to an extension library and use an updatesite.nsf to deploy them, big jars in Design is a nightmare. Then declare a dependency on that ExtLib. b) As long as your server document has proper security, the Java security is just a nuisance – stwissel Feb 20 '13 at 02:05
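
The codeBase rules quoted in the second answer (forward slashes, all lower case, the literal host "server") can be checked mechanically before an HTTP restart. The following Python script is an added example, not code from the thread or from Domino: it scans java.policy text and reports grants that break those rules, grant AllPermission, apply to all code, or lack the closing `};` that the default policy entry shown above uses. Assumptions: the `xspnsf://server:0/` prefix is taken from the question, only `//` line comments are handled, and the sample policy is constructed.

```python
import re

# Constructed sample modelled on the grants in this thread (not a real server's file).
SAMPLE_POLICY = r'''
grant codeBase "file:${java.home}/lib/ext/*" {
    permission java.security.AllPermission;
};
grant codeBase "xspnsf://MyServer:0/Apps\Docs.nsf/-" {
    permission java.security.AllPermission;
}
grant codeBase "xspnsf://server:0/apps/docs.nsf/-" {
    permission java.lang.RuntimePermission "getClassLoader";
};
grant {
    permission java.lang.RuntimePermission "getClassLoader";
};
'''

# Quoted strings are consumed whole so the braces in "${java.home}" are not block ends.
GRANT_RE = re.compile(
    r'\bgrant\b(?P<head>(?:"[^"]*"|[^{"])*)\{'
    r'(?P<body>(?:"[^"]*"|[^}"])*)\}(?P<end>\s*;)?', re.IGNORECASE)
CB_RE = re.compile(r'codeBase\s+"([^"]*)"', re.IGNORECASE)
XSP_PREFIX = "xspnsf://server:0/"  # assumption: prefix as written in the question

def audit(policy_text):
    """Return (codeBase, issue) pairs for each grant entry in the policy text."""
    text = re.sub(r'(?m)^\s*//.*$', '', policy_text)  # drops // comment lines only
    findings = []
    for m in GRANT_RE.finditer(text):
        cb = hit.group(1) if (hit := CB_RE.search(m.group("head"))) else None
        issues = []
        if not m.group("end"):
            issues.append("entry is not closed with '};'")
        if re.search(r'\bpermission\s+java\.security\.AllPermission\b', m.group("body")):
            issues.append("grants AllPermission")
        if cb is None:
            issues.append("no codeBase: permissions apply to all code")
        elif cb.lower().startswith("xspnsf:"):
            if cb != cb.lower():
                issues.append("codeBase must be all lower case")
            if "\\" in cb:
                issues.append("use / as directory separator")
            if not cb.lower().startswith(XSP_PREFIX):
                issues.append("host part should be the literal 'server:0'")
        findings.extend((cb or "<all code>", issue) for issue in issues)
    return findings

if __name__ == "__main__":
    print("\n".join(f"{cb}: {issue}" for cb, issue in audit(SAMPLE_POLICY)))
```

Run it against a copy of the server's java.policy by passing the file's text to `audit()`; an empty result means none of the checks above fired.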