Custom X-PACK realm policy issue

wgz521wgz521 · April 6, 2017, 4:11am

I applied all things I need to do but still get access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")

Code:

      AccessController.doPrivileged((PrivilegedAction<User>) () -> {
            if (null != auth(actualUser, new String(token.credentials().copyChars()))){
                return new User(actualUser, new String[] {"superuser"});
            }
            return null;
        });

In auth method the problem is caused by following code:

          ObjectMapper mapper = new ObjectMapper();
          AuthResult authResult = mapper.readValue(response.toString(), AuthResult.class);

my x-pack-extension-security.policy

grant {
          // needed because of problems in unbound LDAP library
          permission java.util.PropertyPermission "*", "read,write";

      // required to configure the custom mailcap for watcher
      permission java.lang.RuntimePermission "setFactory";

      // needed when sending emails for javax.activation
      // otherwise a classnotfound exception is thrown due to trying
      // to load the class with the application class loader
      permission java.lang.RuntimePermission "setContextClassLoader";
      permission java.lang.RuntimePermission "getClassLoader";
      // TODO: remove use of this jar as soon as possible!!!!
      permission java.lang.RuntimePermission "accessClassInPackage.com.sun.activation.registries";

      // bouncy castle
      permission java.security.SecurityPermission "putProviderProperty.BC";

      // needed for x-pack security extension
      permission java.security.SecurityPermission "createPolicy.JavaPolicy";
      permission java.security.SecurityPermission "getPolicy";
      permission java.security.SecurityPermission "setPolicy";

      // Netty SelectorUtil wants to change this, because of https://bugs.openjdk.java.net/browse/JDK-6427854
      // the bug says it only happened rarely, and that its fixed, but apparently it still happens rarely!
      permission java.util.PropertyPermission "sun.nio.ch.bugLevel", "write";

      // needed for multiple server implementations used in tests
      permission java.net.SocketPermission "*", "accept,connect";

      permission java.io.FilePermission "<<ALL FILES>>", "read,execute,readlink";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      permission java.lang.RuntimePermission "accessDeclaredMembers";
    };

Don't know why this happened.

jaymode · April 13, 2017, 5:16pm

I suggest trying to remove all of the other lines from that file. Those permissions should be unnecessary for your custom extension. Also can you post the full stack trace?

system · May 11, 2017, 5:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") Elasticsearch	3	3334	December 15, 2017
AccessControlException Despite plugin-security.policy Elasticsearch	1	1110	October 31, 2017
How to customize plugin-security.policy for custom realm Elasticsearch	7	2888	February 14, 2017
Customize Java security manager settings? Elasticsearch	7	4031	February 17, 2017
Plugin jars security policy Elasticsearch	9	3772	July 5, 2017

Custom X-PACK realm policy issue

Related topics