java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")


I'm using MultithreadEventExecutorGroup in a Java callout.

Under the water NioEventGroup uses reflection to spin up new executors.

Apigee throws java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") then.

Following https://docs.apigee.com/api-platform/reference/java-permission-reference this should be allowed.

Did anybody have a similar experience?

Stack trace:


java.lang.IllegalStateException: failed to create a child event loop
    at io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:88)
    ...
    at com.apigee.steps.javacallout.JavaCalloutStepDefinition$ClassLoadWrappedExecution.execute(JavaCalloutStepDefinition.java:203)
    at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:269)
    at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:267)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution.execute(JavaCalloutStepDefinition.java:267)
    at com.apigee.steps.javacallout.JavaCalloutStepDefinition$CallOutWrapper.execute(JavaCalloutStepDefinition.java:138)
    at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:151)
    at com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:74)
    at com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:45)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at com.apigee.securitypolicy.InternalSecurityManager.checkPermission(InternalSecurityManager.java:84)
    at java.lang.Class.checkMemberAccess(Class.java:2348)
    at java.lang.Class.getDeclaredField(Class.java:2067)
    at io.netty.channel.nio.NioEventLoop$5.run(NioEventLoop.java:214)
    at java.security.AccessController.doPrivileged(Native Method)
    at io.netty.channel.nio.NioEventLoop.openSelector(NioEventLoop.java:210)
    at io.netty.channel.nio.NioEventLoop.<init>(NioEventLoop.java:149)
    at io.netty.channel.nio.NioEventLoopGroup.newChild(NioEventLoopGroup.java:127)
    at io.netty.channel.nio.NioEventLoopGroup.newChild(NioEventLoopGroup.java:36)
    at io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:84)
    at io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:58)
    at io.netty.util.concurrent.MultithreadEventExecutorGroup.<init>(MultithreadEventExecutorGroup.java:47)
    at io.netty.channel.MultithreadEventLoopGroup.<init>(MultithreadEventLoopGroup.java:59)
    at io.netty.channel.nio.NioEventLoopGroup.<init>(NioEventLoopGroup.java:77)
    at io.netty.channel.nio.NioEventLoopGroup.<init>(NioEventLoopGroup.java:72)
    at io.netty.channel.nio.NioEventLoopGroup.<init>(NioEventLoopGroup.java:59)
    at io.grpc.netty.Utils$DefaultEventLoopGroupResource.create(Utils.java:184)
    at io.grpc.netty.Utils$DefaultEventLoopGroupResource.create(Utils.java:168)
    at io.grpc.internal.SharedResourceHolder.getInternal(SharedResourceHolder.java:104)
    at io.grpc.internal.SharedResourceHolder.get(SharedResourceHolder.java:74)
    at io.grpc.netty.NettyChannelBuilder$NettyTransportFactory.<init>(NettyChannelBuilder.java:467)
    at io.grpc.netty.NettyChannelBuilder.buildTransportFactory(NettyChannelBuilder.java:312)
    at io.grpc.internal.AbstractManagedChannelImplBuilder.build(AbstractManagedChannelImplBuilder.java:324)
    at com.kramphub.envy.client.v1.EnvyClientGrpc.<init>(EnvyClientGrpc.java:41)
    at com.kramphub.envy.client.v1.EnvyClientBuilder.buildGrpc(EnvyClientBuilder.java:9)
    at com.kramphub.envy.client.v1.EnvyClientBuilder.buildGrpc(EnvyClientBuilder.java:6)
    at com.kramphub.callout.EnvyCallout.execute(EnvyCallout.java:51)
    ...


1 REPLY

As you can see, there is an access control violation.

Apigee Edge is not a general-purpose App Server, and there are restrictions on what you can do within a Java callout. You've come across one of the restrictions. This page documents the permissions.

It sure looks like reflection is not allowed.

java.lang.Class.getDeclaredField(Class.java:2067)

The solution is: don't do that.


By the way, the doc states that accessDeclaredMembers is permitted. Your observations differ from that. I'd suggest you open a ticket with Apigee support to clarify what the intended permission is. From my view of the stack trace, there appears to be a bug somewhere - either the documentation or the implementation is wrong.
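
One way to triage a denial like the one in this thread, as an added example that is not part of the original posts: the script reads a flattened trace and reports the denied permission, the JDK call that triggered the check, and the first non-JDK frame that made the call. The `triage` function and its field names are made up for this example; the sample input is an excerpt of the trace posted above.

```python
import re

# Excerpt of the "Caused by" part of the trace posted in this thread,
# kept on one line the way the forum flattened it.
TRACE = (
    'Caused by: java.security.AccessControlException: access denied '
    '("java.lang.RuntimePermission" "accessDeclaredMembers") '
    'at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) '
    'at java.security.AccessController.checkPermission(AccessController.java:884) '
    'at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) '
    'at com.apigee.securitypolicy.InternalSecurityManager.checkPermission(InternalSecurityManager.java:84) '
    'at java.lang.Class.checkMemberAccess(Class.java:2348) '
    'at java.lang.Class.getDeclaredField(Class.java:2067) '
    'at io.netty.channel.nio.NioEventLoop$5.run(NioEventLoop.java:214) '
    'at java.security.AccessController.doPrivileged(Native Method) '
    'at io.netty.channel.nio.NioEventLoop.openSelector(NioEventLoop.java:210)'
)

DENIED = re.compile(r'access denied \("([^"]+)" "([^"]+)"')
FRAME = re.compile(r'\bat ([\w.$<>]+)\([^()]*\)')
# Methods that are the permission check itself, not the code that asked for access.
CHECK_METHODS = {'checkPermission', 'checkMemberAccess'}
JDK_PREFIXES = ('java.', 'javax.', 'sun.', 'jdk.')
DO_PRIVILEGED = 'java.security.AccessController.doPrivileged'


def triage(trace):
    """Summarise an AccessControlException trace; None if no denial is present."""
    denied = DENIED.search(trace)
    if denied is None:
        return None
    frames = FRAME.findall(trace[denied.end():])
    # Skip the security-manager plumbing at the top of the stack.
    i = 0
    while i < len(frames) and frames[i].rsplit('.', 1)[-1] in CHECK_METHODS:
        i += 1
    rest = frames[i:]
    return {
        'permission': denied.groups(),
        # The guarded JDK API whose call triggered the check.
        'guarded_api': rest[0] if rest else None,
        # First non-JDK frame: the code that would need the grant.
        'caller': next((f for f in rest if not f.startswith(JDK_PREFIXES)), None),
        # Under standard AccessController semantics, a check made inside
        # doPrivileged does not consult callers below the doPrivileged caller.
        'inside_do_privileged': DO_PRIVILEGED in rest,
    }


if __name__ == '__main__':
    print(triage(TRACE))
```

For this trace the caller is Netty's `NioEventLoop`, not the callout class, so the reflective call sits in the library rather than in the poster's own code.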