Java Callout Security Exception when using Jackson or Gson to parse JSON

Question

When we are executing custom jar file in apigee getting following exception,

Exception Occured :java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")

Note:All variables and methods inside the class declared as public.

Answer 1

I've looked into this and it seems to me that now, Apigee prohibits the use of both Jackson or Gson for JSON parsing. That;s a shame. Both of those libraries use reflection, and if you try to use them, you get a stacktrace like this:

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
 at java.security.AccessController.checkPermission(AccessController.java:884)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
 at com.apigee.securitypolicy.InternalSecurityManager.checkPermission(InternalSecurityManager.java:85)
 at java.lang.Class.checkMemberAccess(Class.java:2348)
 at java.lang.Class.getDeclaredConstructor(Class.java:2177)
 at com.google.gson.internal.ConstructorConstructor.newDefaultConstructor(ConstructorConstructor.java:101)
 at com.google.gson.internal.ConstructorConstructor.get(ConstructorConstructor.java:85)
 at com.google.gson.internal.bind.MapTypeAdapterFactory.create(MapTypeAdapterFactory.java:127)
 at com.google.gson.Gson.getAdapter(Gson.java:458)
 at com.google.gson.Gson.fromJson(Gson.java:931)
 at com.google.gson.Gson.fromJson(Gson.java:870)
 at com.google.apigee.edgecallouts.GsonTest.execute(GsonTest.java:37)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$ClassLoadWrappedExecution.execute(JavaCalloutStepDefinition.java:204)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:271)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:269)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution.execute(JavaCalloutStepDefinition.java:269)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$CallOutWrapper.execute(JavaCalloutStepDefinition.java:138)
 at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:156)
 at com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:74)
 at com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:45)
 at com.apigee.threadpool.CallableWrapperForMDCPreservation.call(CallableWrapperForMDCPreservation.java:26)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)

There is a workaround, which may work for some basic cases. Use the javax.json parser.

Here's a repo that shows how to do it.

Answer 2

Answer by Dino-at-Google · Jul 10, 2018 at 04:35 PM

Yes. You will need to examine the stack trace more closely. The exception may not refer to your class; it may refer to a different class. In fact the permission violation may be due to some logic in a 3rd-party class that your class uses. If the 3rd-party class uses reflection, or other prohibited Java operations, you will see a similar security exception.

Look closely at the stack trace. You may get a better clue.

Add comment Show 9 · Link

10 |5000 characters needed characters left characters exceeded

Ramya14R142 · Jul 11, 2018 at 05:27 AM 0

Link

We are only using following two maven dependency in java callout jar,

<dependency>

</dependency>

2.<dependency>

<groupId>com.google.code.gson</groupId>

</dependency>

How to view full Exception log in apigee for java callout errors?

Dino-at-Google ♦♦ Ramya14R142

· Jul 11, 2018 at 04:06 PM 0

Link

Your Java code needs to catch the exception, generate the stacktrace, and then store it into a context variable.

For example:

public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt) {
  ExecutionResult calloutResult = ExecutionResult.ABORT;
  ..
  try {
      // do the thing
      calloutResult = ExecutionResult.SUCCESS;
  }
  catch (Exception e) {
      String stacktrace = ExceptionUtils.getStackTrace(e);
      msgCtxt.setVariable(varName("stacktrace"), stacktrace);
      String error = e.toString();
      msgCtxt.setVariable(varName("exception"), error);
  }
  return calloutResult;
}

Here is some working example code.

Ramya14R142 Dino-at-Google ♦♦ · Jul 12, 2018 at 06:04 AM 0

Link

Hi Currently

I able to get Exception logs in my policy response.Following sample of code used for converting java object to JSON string using Gson external library jar(This external jar included my java callout jar).

import com.apigee.flow.execution.Action;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.execution.spi.Execution;
import com.apigee.flow.message.MessageContext;
import com.google.gson.Gson;
import com.dnb.apigee.TestPOJO;
import org.apache.commons.lang.exception.ExceptionUtils;


public class MainClassTest implements Execution{


	public ExecutionResult execute(MessageContext messageContext, ExecutionContext arg1) {
		
		try{
		Gson gson = new Gson();
		TestPOJO testPOJO = new TestPOJO();
		testPOJO.setName("AAA");
		testPOJO.setCompany("BBBB");
	 	String finalValue= gson.toJson(testPOJO);
	    messageContext.setVariable("Final Respopnse  :" ,finalValue);
		}catch(RuntimeException  ex){
			 ExecutionResult executionResult = new ExecutionResult(false, Action.ABORT);
	            executionResult.setErrorResponse(ex.getMessage());
	            executionResult.addErrorResponseHeader("ExceptionClass", ex.getClass().getName());
	            messageContext.setVariable("JAVA_ERROR", ex.getMessage());
	            messageContext.setVariable("JAVA_STACKTRACE", ExceptionUtils.getStackTrace(ex));
	            return executionResult;
		}
		return ExecutionResult.SUCCESS;  
	}
}

I am not able to call external library jar methods getting the following exception,

java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) at
java.security.AccessController.checkPermission(AccessController.java:884) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at
com.apigee.securitypolicy.InternalSecurityManager.checkPermission(InternalSecurityManager.java:84) at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:128) at
com.google.gson.internal.ConstructorConstructor.newDefaultConstructor(ConstructorConstructor.java:101) at com.google.gson.internal.ConstructorConstructor.get(ConstructorConstructor.java:83) at
com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:99) at com.google.gson.Gson.getDelegateAdapter(Gson.java:506) at
com.google.gson.internal.bind.TreeTypeAdapter.delegate(TreeTypeAdapter.java:89) at com.google.gson.internal.bind.TreeTypeAdapter.write(TreeTypeAdapter.java:74) at com.google.gson.Gson.toJson(Gson.java:669) at
com.google.gson.Gson.toJson(Gson.java:648) at com.google.gson.Gson.toJson(Gson.java:603) at com.google.gson.Gson.toJson(Gson.java:583) at com.dnb.apigee.MainClassTest.execute(MainClassTest.java:47) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$ClassLoadWrappedExecution.execute(JavaCalloutStepDefinition.java:202) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:268) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:266) at java.security.AccessController.doPrivileged(Native Method) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution.execute(JavaCalloutStepDefinition.java:266) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$CallOutWrapper.execute(JavaCalloutStepDefinition.java:138) at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:146) at
com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:74) at
com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:45) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

Show more comments

Get answers, ideas, and support from the Apigee Community

Java Callout Security Exception when using Jackson or Gson to parse JSON

2 Answers

Follow this Question

Related Questions