{ Community }
  • Academy
  • Docs
  • Developers
  • Resources
    • Community Articles
    • Apigee on GitHub
    • Code Samples
    • Videos & eBooks
    • Accelerator Methodology
  • Support
  • Ask a Question
  • Spaces
    • Product Announcements
    • General
    • Edge/API Management
    • Developer Portal (Drupal-based)
    • Developer Portal (Integrated)
    • API Design
    • APIM on Istio
    • Extensions
    • Business of APIs
    • Academy/Certification
    • Analytics
    • Events
    • Hybrid
    • Integration (AWS, PCF, Etc.)
    • Microgateway
    • Monetization
    • Private Cloud Deployment
    • Insights
    • IoT Apigee Link
    • BaaS/Usergrid
    • BaaS Transition/Migration
    • Apigee-127
    • New Customers
    • Topics
    • Questions
    • Articles
    • Ideas
    • Leaderboard
    • Badges
  • Log in
  • Sign up

Get answers, ideas, and support from the Apigee Community

  • Home /
  • General /
avatar image
0
Question by Ramya14R142 · Jul 10, 2018 at 01:51 PM · 186 Views javacallout

Java Callout Security Exception when using Jackson or Gson to parse JSON

When we are executing custom jar file in apigee getting following exception,

Exception Occured :java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")

Note:All variables and methods inside the class declared as public.

Comment
Add comment
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users

Close

2 Answers

  • Sort: 
avatar image
1

Answer by Dino-at-Google   · Oct 22 at 02:30 AM

I've looked into this and it seems to me that now, Apigee prohibits the use of both Jackson or Gson for JSON parsing. That;s a shame. Both of those libraries use reflection, and if you try to use them, you get a stacktrace like this:

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
 at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
 at java.security.AccessController.checkPermission(AccessController.java:884)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
 at com.apigee.securitypolicy.InternalSecurityManager.checkPermission(InternalSecurityManager.java:85)
 at java.lang.Class.checkMemberAccess(Class.java:2348)
 at java.lang.Class.getDeclaredConstructor(Class.java:2177)
 at com.google.gson.internal.ConstructorConstructor.newDefaultConstructor(ConstructorConstructor.java:101)
 at com.google.gson.internal.ConstructorConstructor.get(ConstructorConstructor.java:85)
 at com.google.gson.internal.bind.MapTypeAdapterFactory.create(MapTypeAdapterFactory.java:127)
 at com.google.gson.Gson.getAdapter(Gson.java:458)
 at com.google.gson.Gson.fromJson(Gson.java:931)
 at com.google.gson.Gson.fromJson(Gson.java:870)
 at com.google.apigee.edgecallouts.GsonTest.execute(GsonTest.java:37)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$ClassLoadWrappedExecution.execute(JavaCalloutStepDefinition.java:204)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:271)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:269)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution.execute(JavaCalloutStepDefinition.java:269)
 at com.apigee.steps.javacallout.JavaCalloutStepDefinition$CallOutWrapper.execute(JavaCalloutStepDefinition.java:138)
 at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:156)
 at com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:74)
 at com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:45)
 at com.apigee.threadpool.CallableWrapperForMDCPreservation.call(CallableWrapperForMDCPreservation.java:26)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)

There is a workaround, which may work for some basic cases. Use the javax.json parser.

Here's a repo that shows how to do it.

Comment
Add comment · Link
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image
0

Answer by Dino-at-Google   · Jul 10, 2018 at 04:35 PM

Yes. You will need to examine the stack trace more closely. The exception may not refer to your class; it may refer to a different class. In fact the permission violation may be due to some logic in a 3rd-party class that your class uses. If the 3rd-party class uses reflection, or other prohibited Java operations, you will see a similar security exception.

Look closely at the stack trace. You may get a better clue.

Comment
Add comment Show 9 · Link
10 |5000 characters needed characters left characters exceeded
▼
  • Viewable by all users
  • Viewable by Apigeeks only
  • Viewable by the original poster
  • Viewable by moderators
  • Viewable by moderators and the original poster
  • Advanced visibility
Viewable by all users
avatar image Ramya14R142 · Jul 11, 2018 at 05:27 AM 0
Link

We are only using following two maven dependency in java callout jar,

  1. <dependency>

<groupId>com.auth0</groupId>

<artifactId>java-jwt</artifactId>

<version>3.3.0</version>

</dependency>

2.<dependency>

<groupId>com.google.code.gson</groupId>

<artifactId>gson</artifactId>

<version>2.8.2</version>

</dependency>

How to view full Exception log in apigee for java callout errors?

avatar image Dino-at-Google ♦♦ Ramya14R142   · Jul 11, 2018 at 04:06 PM 0
Link

Your Java code needs to catch the exception, generate the stacktrace, and then store it into a context variable.

For example:

public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt) {
  ExecutionResult calloutResult = ExecutionResult.ABORT;
  ..
  try {
      // do the thing
      calloutResult = ExecutionResult.SUCCESS;
  }
  catch (Exception e) {
      String stacktrace = ExceptionUtils.getStackTrace(e);
      msgCtxt.setVariable(varName("stacktrace"), stacktrace);
      String error = e.toString();
      msgCtxt.setVariable(varName("exception"), error);
  }
  return calloutResult;
}

Here is some working example code.

avatar image Ramya14R142 Dino-at-Google ♦♦ · Jul 12, 2018 at 06:04 AM 0
Link

Hi Currently

I able to get Exception logs in my policy response.Following sample of code used for converting java object to JSON string using Gson external library jar(This external jar included my java callout jar).

import com.apigee.flow.execution.Action;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.execution.spi.Execution;
import com.apigee.flow.message.MessageContext;
import com.google.gson.Gson;
import com.dnb.apigee.TestPOJO;
import org.apache.commons.lang.exception.ExceptionUtils;


public class MainClassTest implements Execution{


	public ExecutionResult execute(MessageContext messageContext, ExecutionContext arg1) {
		
		try{
		Gson gson = new Gson();
		TestPOJO testPOJO = new TestPOJO();
		testPOJO.setName("AAA");
		testPOJO.setCompany("BBBB");
	 	String finalValue= gson.toJson(testPOJO);
	    messageContext.setVariable("Final Respopnse  :" ,finalValue);
		}catch(RuntimeException  ex){
			 ExecutionResult executionResult = new ExecutionResult(false, Action.ABORT);
	            executionResult.setErrorResponse(ex.getMessage());
	            executionResult.addErrorResponseHeader("ExceptionClass", ex.getClass().getName());
	            messageContext.setVariable("JAVA_ERROR", ex.getMessage());
	            messageContext.setVariable("JAVA_STACKTRACE", ExceptionUtils.getStackTrace(ex));
	            return executionResult;
		}
		return ExecutionResult.SUCCESS;  
	}
}


					

I am not able to call external library jar methods getting the following exception,

java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) at
java.security.AccessController.checkPermission(AccessController.java:884) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at
com.apigee.securitypolicy.InternalSecurityManager.checkPermission(InternalSecurityManager.java:84) at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:128) at
com.google.gson.internal.ConstructorConstructor.newDefaultConstructor(ConstructorConstructor.java:101) at com.google.gson.internal.ConstructorConstructor.get(ConstructorConstructor.java:83) at
com.google.gson.internal.bind.ReflectiveTypeAdapterFactory.create(ReflectiveTypeAdapterFactory.java:99) at com.google.gson.Gson.getDelegateAdapter(Gson.java:506) at
com.google.gson.internal.bind.TreeTypeAdapter.delegate(TreeTypeAdapter.java:89) at com.google.gson.internal.bind.TreeTypeAdapter.write(TreeTypeAdapter.java:74) at com.google.gson.Gson.toJson(Gson.java:669) at
com.google.gson.Gson.toJson(Gson.java:648) at com.google.gson.Gson.toJson(Gson.java:603) at com.google.gson.Gson.toJson(Gson.java:583) at com.dnb.apigee.MainClassTest.execute(MainClassTest.java:47) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$ClassLoadWrappedExecution.execute(JavaCalloutStepDefinition.java:202) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:268) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution$1.run(JavaCalloutStepDefinition.java:266) at java.security.AccessController.doPrivileged(Native Method) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$SecurityWrappedExecution.execute(JavaCalloutStepDefinition.java:266) at
com.apigee.steps.javacallout.JavaCalloutStepDefinition$CallOutWrapper.execute(JavaCalloutStepDefinition.java:138) at com.apigee.messaging.runtime.steps.StepExecution.execute(StepExecution.java:146) at
com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:74) at
com.apigee.flow.execution.AbstractAsyncExecutionStrategy$AsyncExecutionTask.call(AbstractAsyncExecutionStrategy.java:45) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)

Show more comments

Follow this Question

Answers Answers and Comments

42 People are following this question.

avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image avatar image

Related Questions

Java callouts are they supported on free version 2 Answers

How to i send request to target endpoint, if i assign variable value as a=10 through javascipt or javacallout policy. 1 Answer

How to use resource files for Javacallout 2 Answers

Is code written on Java 11 supported on cloud edge? 1 Answer

Run a polling job in Apigee? 3 Answers

  • Products
    • Edge - APIs
    • Insights - Big Data
    • Plans
  • Developers
    • Overview
    • Documentation
  • Resources
    • Overview
    • Blog
    • Apigee Institute
    • Academy
    • Documentation
  • Company
    • Overview
    • Press
    • Customers
    • Partners
    • Team
    • Events
    • Careers
    • Contact Us
  • Support
    • Support Overview
    • Documentation
    • Status
    • Edge Support Portal
    • Privacy Policy
    • Terms & Conditions
© 2019 Apigee Corp. All rights reserved. - Apigee Community Terms of Use - Powered by AnswerHub
  • Anonymous
  • Sign in
  • Create
  • Ask a question
  • Create an article
  • Post an idea
  • Spaces
  • Product Announcements
  • General
  • Edge/API Management
  • Developer Portal (Drupal-based)
  • Developer Portal (Integrated)
  • API Design
  • APIM on Istio
  • Extensions
  • Business of APIs
  • Academy/Certification
  • Analytics
  • Events
  • Hybrid
  • Integration (AWS, PCF, Etc.)
  • Microgateway
  • Monetization
  • Private Cloud Deployment
  • Insights
  • IoT Apigee Link
  • BaaS/Usergrid
  • BaaS Transition/Migration
  • Apigee-127
  • New Customers
  • Explore
  • Topics
  • Questions
  • Articles
  • Ideas
  • Members
  • Badges