Sun Java System Application Server Enterprise Edition 8.1 2005Q2 Troubleshooting Guide

Chapter 4 Security Problems

This chapter covers problems that you may encounter as a result of security settings:

java.security.AccessControlException: Access Denied Error

Description

The following error occurs from an application client or in the server.log:

java.security.AccessControlException: access denied
(java.util.PropertyPermission name write...

There is a permissions issue in the policy files. Either the client.policy for the application client or the server.policy for server side components does not have permission to set the property.

Solution

Add the permission in client.policy (for the application client), or in server.policy (for EJB/web modules) for the application that needs to set the property. By default, applications only have “read” permission for properties.

For example, to grant read and write permission on all properties to the code loaded from the codebase directory, add the following to client.policy or server.policy:

grant codeBase "file:/.../build/sparc_SunOS/sec/-" {
    permission java.util.PropertyPermission "*", "read,write";
};
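To see the failure and the fix side by side, the following added example (not from the guide or the product) installs a SecurityManager under a policy that grants properties only "read", as the default policy files do, then switches to a policy equivalent to the "read,write" grant above. It assumes Java 5 or later; on JDK 18 to 23 run it with -Djava.security.manager=allow, and from JDK 24 on the Security Manager can no longer be enabled. The class name PropertyPermissionDemo and the property name demo.prop are invented for the example.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

public class PropertyPermissionDemo {

    // Stand-in for a policy file: grants every property "read", and "write"
    // only when allowWrite is set (the effect of the "read,write" grant).
    // Any non-property permission is allowed so the demo itself can run.
    static final class PropertyPolicy extends Policy {
        private final boolean allowWrite;

        PropertyPolicy(boolean allowWrite) { this.allowWrite = allowWrite; }

        @Override
        public boolean implies(ProtectionDomain domain, Permission p) {
            if (p instanceof PropertyPermission) {
                String actions = allowWrite ? "read,write" : "read";
                return new PropertyPermission("*", actions).implies(p);
            }
            return true;
        }
    }

    // System.setProperty asks the SecurityManager for
    // PropertyPermission(name, "write"); a missing grant surfaces as the
    // AccessControlException quoted in the guide.
    static boolean canSetProperty(String name) {
        try {
            System.setProperty(name, "x");
            return true;
        } catch (AccessControlException e) {
            System.out.println("denied: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new PropertyPolicy(false));   // default: read only
        System.setSecurityManager(new SecurityManager());
        canSetProperty("demo.prop");                   // denied

        Policy.setPolicy(new PropertyPolicy(true));    // after adding "read,write"
        canSetProperty("demo.prop");                   // allowed
    }
}
```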

javax.ejb.AccessLocalException: Client Not Authorized Error

Description

Role-mapping information is available in the Sun-specific XML (for example, sun-ejb-jar.xml) and authentication succeeds, but the following error message is displayed:

[...INFO|sun-appserver-pe8.0|javax.enterprise.system.container.ejb|...|
javax.ejb.AccessLocalException: Client not authorized for this invocation.
at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:...
at com.sun.ejb.containers.EJBObjectInvocationHandler.invoke(...)

Solution

Check whether the EJB module (.jar) or web module (.war) is packaged in an application (.ear) that lacks role-mapping information in the application-level, Sun-specific sun-application.xml. For any application (.ear), security role-mapping information must be specified in sun-application.xml. It is acceptable to have both module-level XML and application-level XML.

Authentication is Not Working With the Solaris Realm

Check whether the installation and server startup were performed as a local user rather than as the root user. Always start the Application Server as the root user, because the Solaris realm works only with the root user; it was not designed to work with any other local user. Note also that role mapping can happen on the local user.

Mutual Authentication Not Working With the Application Client

Description

This failure can occur when the keystore and truststore properties are not set properly.

Solution

Set the following properties on the JVM:

javax.net.ssl.keyStore=<keystore-file-path>
javax.net.ssl.trustStore=<truststore-file-path>

To use the application client, set the environment variable VMARGS to the following value:

-Djavax.net.ssl.keyStore=${admin.domain.dir}/${admin.domain}/config/keystore.jks
-Djavax.net.ssl.trustStore=${admin.domain.dir}/${admin.domain}/config/cacerts.jks