Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")

I am trying to map the JSON response from other service to a POJO class(AMAUser class from an external jar ama-user-service.jar) using ObjectMapper.
I have configured the policy file as below in /elasticsearch-5.6.0/plugins/x-pack/plugin-security.policy

permission java.lang.RuntimePermission "accessDeclaredMembers";

And also wrapped up the sensitive code (mapper.readValue()) in Custom Realm as below; however, I still keep getting this access denied error in my logs and therefore mapping is not happening at all.

Would be grateful if someone please let me know if there is any issues with the code below or if there's any configurations I had missed out.

           if (sm != null) {
               // unprivileged code such as scripts do not have SpecialPermission
               sm.checkPermission(new SpecialPermission());
             userObj = AccessController.doPrivileged( 
               new PrivilegedExceptionAction<AMAUser>() { 
                    public AMAUser run() 
                            throws IOException, JsonGenerationException, JsonParseException {
                      return mapper.readValue(responseResult, AMAUser.class);

Since this question is about X-Pack custom realms I'm going to move it to the X-Pack category. I think you will get better visibility by people that can help you there. Hope thats ok

Let me step back for a moment, and ask how did you configure the dependency on ama-user-service.jar?
There should be no permissions required if the AMAUser.class is loaded by the same Classloader, ie add the dependency on ama-user-service.jar as a normal referenced jar library to your Custom Realm project.

For completeness check : If this class is in a package, java.lang.RuntimePermission "accessClassInPackage.{pkgName}" is also required. but you really should not need this and you should NOT tinker with the permissions file for the whole X-Pack.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.