Apigee hybrid Java callout permissions not working as expected

I have a Java callout policy to wrap a websocket connection to the target host, but am being blocked by the Java permissions system, even though (as far as I can tell) the connection ought to be allowed based on what is described here.

My minimal repro Java code looks like this (imports added so it compiles as-is):

import java.net.InetAddress;
import java.util.Arrays;

import com.apigee.flow.Fault;
import com.apigee.flow.execution.Execution;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.message.MessageContext;

public class DemoCallout implements Execution {

  @Override
  public ExecutionResult execute(MessageContext messageContext, ExecutionContext executionContext) {
    String hostname = messageContext.getVariable("hostname");
    String portString = messageContext.getVariable("port");
    int port = Integer.parseInt(portString);

    try {
      // Ask the installed SecurityManager whether a socket to host:port would be
      // permitted, without actually opening one. Guard against a missing manager
      // (there is none when the class is run outside the Apigee sandbox).
      SecurityManager sm = System.getSecurityManager();
      if (sm == null) {
        messageContext.setVariable("demo_callout.note", "no SecurityManager installed");
        return ExecutionResult.SUCCESS;
      }
      InetAddress addr = InetAddress.getByName(hostname);
      sm.checkConnect(addr.getHostAddress(), port); // throws AccessControlException when denied
    } catch (Exception e) {
      messageContext.setVariable("demo_callout.error", e.getMessage());
      messageContext.setVariable("demo_callout.stack_trace", Arrays.toString(e.getStackTrace()));

      Fault fault = new Fault(Fault.Category.Messaging, "DemoError", e);
      executionContext.addFault(fault);
    }

    return ExecutionResult.SUCCESS;
  }
}

which fails with:

access denied ("java.net.SocketPermission" "192.168.32.72:1344" "connect,resolve")

My understanding of the Java permissions reference page is that the connect permission should be automatically true for 192.168.x.x, but I have also tried explicitly adding a security policy file to the environment to allow the SocketPermission for the hostname and for both the internal and external IP, and, as a last-ditch attempt, to allow all permissions; none of which has made a difference:

grant {
  permission java.net.SocketPermission "192.168.32.72:1344", "connect, resolve";
  permission java.net.SocketPermission "100.64.1.46:1344", "connect, resolve";
  permission java.net.SocketPermission "usdfw23as151v.mrshmc.com:1344", "connect, resolve";
  permission java.security.AllPermission;
}

I'm pretty certain it's a permissions problem rather than a firewall or some such, as it fails in the minimal case where we only check the permissions rather than actually trying to establish the socket connection.

I'm sure there must be something I'm missing, but after a couple of days of trying I can't figure out what that is...

Solved
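The post above checks a permission through SecurityManager.checkConnect and only learns "denied". A practitioner debugging this usually wants two more facts: whether a SecurityManager is installed at all in the environment being tested, and whether the policy file was loaded and grants the permission to the callout's own ProtectionDomain. The following standalone diagnostic is an added example, not code from the original post or from Apigee; the class name, the policy file name probe.policy and the use of the post's host and port as defaults are assumptions. It runs on JDK 8/11 style runtimes with a SecurityManager (java.security.manager is deprecated for removal from JDK 17 onward).

```java
import java.net.InetAddress;
import java.net.SocketPermission;
import java.net.UnknownHostException;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added diagnostic (hypothetical class, not part of the original post or of Apigee).
 * Reports, without opening a socket, whether the current sandbox would allow host:port
 * and whether the loaded Policy grants that permission to this class's ProtectionDomain.
 *
 * Try it locally with and without a manager:
 *   java SocketPermissionProbe 192.168.32.72 1344
 *   java -Djava.security.manager -Djava.security.policy=probe.policy SocketPermissionProbe 192.168.32.72 1344
 * (probe.policy is an assumed file name; the grant block from the post works as its content.)
 */
public class SocketPermissionProbe {

  /** One-line verdict suitable for writing to a flow variable instead of throwing. */
  public static String describeSocketAccess(String host, int port) {
    if (System.getSecurityManager() == null) {
      return "no SecurityManager installed; every permission check passes";
    }

    String target;
    try {
      // Resolve first: a denial names the resolved IP, which is what must appear in the policy
      target = InetAddress.getByName(host).getHostAddress() + ":" + port;
    } catch (UnknownHostException e) {
      return "cannot resolve " + host + ": " + e.getMessage();
    }

    Permission wanted = new SocketPermission(target, "connect,resolve");
    try {
      AccessController.checkPermission(wanted); // same check SecurityManager.checkConnect performs
      return "granted: " + wanted;
    } catch (AccessControlException e) {
      // e.getPermission() is the exact permission that failed, including the resolved address
      return "denied: " + e.getPermission() + "; " + policyVerdict(wanted);
    }
  }

  /**
   * Separates "policy file not loaded at all" from "policy loaded but does not grant it".
   * Reading the Policy needs SecurityPermission("getPolicy"), which a sandbox may also deny.
   */
  private static String policyVerdict(Permission wanted) {
    try {
      ProtectionDomain pd = SocketPermissionProbe.class.getProtectionDomain();
      boolean implied = Policy.getPolicy().implies(pd, wanted);
      return "loaded policy " + (implied ? "grants" : "does NOT grant") + " it to " + pd.getCodeSource();
    } catch (SecurityException e) {
      return "policy not readable from the sandbox (" + e.getMessage() + ")";
    }
  }

  public static void main(String[] args) {
    String host = args.length > 0 ? args[0] : "192.168.32.72"; // defaults taken from the post
    int port = args.length > 1 ? Integer.parseInt(args[1]) : 1344;
    System.out.println(describeSocketAccess(host, port));
  }
}
```

If the probe reports "granted" locally under your policy file but the same permission is "denied" inside the runtime, the runtime is not consulting the policy you supplied, which is the situation the accepted answer attributes to the hybrid bug rather than to the policy's contents. Note also that the AllPermission line in the post's grant block makes the three SocketPermission lines redundant when the policy is honoured.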
1 ACCEPTED SOLUTION

after a couple of days trying I can't figure out what that is...

ouch. That stinks. I'm sorry about that.

What version of hybrid are you using?

There was a bug (internal ref: b/215773113) related to setting the securityPolicy. It did not work as documented. According to the release notes, that bug has been fixed in hybrid 1.6.5. And v1.5.8. And it is also fixed in hybrid 1.7.0. (click here and search for 215773113)

You may need to upgrade? There is no other workaround, as far as I know.


2 REPLIES

Apparently our version is 1.5.6, so that may well be the problem - hopefully our infrastructure team can get things upgraded sooner rather than later!

Thanks 🙂