Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")

Vivek_Unni · November 17, 2017, 1:04pm

I am trying to map the JSON response from other service to a POJO class(AMAUser class from an external jar ama-user-service.jar) using ObjectMapper.
I have configured the policy file as below in /elasticsearch-5.6.0/plugins/x-pack/plugin-security.policy

permission java.lang.RuntimePermission "accessDeclaredMembers";

And also wrapped up the sensitive code (mapper.readValue()) in Custom Realm as below; however, I still keep getting this access denied error in my logs and therefore mapping is not happening at all.

Would be grateful if someone please let me know if there is any issues with the code below or if there's any configurations I had missed out.

           if (sm != null) {
               // unprivileged code such as scripts do not have SpecialPermission
               sm.checkPermission(new SpecialPermission());
              }
             userObj = AccessController.doPrivileged( 
               new PrivilegedExceptionAction<AMAUser>() { 
                   @Override 
                    public AMAUser run() 
                            throws IOException, JsonGenerationException, JsonParseException {
                      return mapper.readValue(responseResult, AMAUser.class);
                    } 
                } 
            );

colings86 · November 17, 2017, 1:33pm

Since this question is about X-Pack custom realms I'm going to move it to the X-Pack category. I think you will get better visibility by people that can help you there. Hope thats ok

Albert_Zaharovits · November 17, 2017, 2:53pm

Let me step back for a moment, and ask how did you configure the dependency on ama-user-service.jar?
There should be no permissions required if the AMAUser.class is loaded by the same Classloader, ie add the dependency on ama-user-service.jar as a normal referenced jar library to your Custom Realm project.

For completeness check https://docs.oracle.com/javase/7/docs/technotes/guides/security/permissions.html : If this class is in a package, java.lang.RuntimePermission "accessClassInPackage.{pkgName}" is also required. but you really should not need this and you should NOT tinker with the permissions file for the whole X-Pack.

system · December 15, 2017, 2:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Custom X-PACK realm policy issue Elasticsearch	2	722	May 11, 2017
[Elasticsearch Plugin] AccessControlException on jackson.databind Elasticsearch	7	2105	February 22, 2018
Customize Java security manager settings? Elasticsearch	7	3956	February 17, 2017
java.security.AccessControlException: access denied ("org.joda.time.JodaTimePermission" "DateTimeZone.setDefault") Elasticsearch	6	2208	January 15, 2019
Integration Testing for a Custom Plugin - Security Policy Issue Elasticsearch	1	1063	February 27, 2019

Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")

Related topics