java.net.SocketPermission access denied for custom plugin for ES 6.1.2

Elastic Stack Elasticsearch
1

I am using apache httpcore-nio to make an http request from my ES plugin to another application. Even after adding permission in plugin security policy file and wrapping the call with AccessController.doPrivileged in my plugin, I am getting the below error.

I/O reactor terminated abnormally
java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:8000" "connect,resolve")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_144]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_144]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_144]
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051) ~[?:1.8.0_144]
at sun.nio.ch.SocketChannelImpl.connect(SocketChannelImpl.java:625) ~[?:?]
at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processSessionRequests(DefaultConnectingIOReactor.java:273) ~[httpcore-nio-4.4.5.jar:4.4.5]

Any help appreciated.

2

Is that the full stack trace? Can you paste/link your plugin security policy file? And show your doPriv block?

3

This is the full stack trace:

[2018-02-27T03:22:03,045][ERROR][o.a.h.i.n.c.InternalHttpAsyncClient] I/O reactor terminated abnormally
java.security.AccessControlException: access denied ("java.net.SocketPermission" "127.0.0.1:8000" "connect,resolve")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_144]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_144]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_144]
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051) ~[?:1.8.0_144]
at sun.nio.ch.SocketChannelImpl.connect(SocketChannelImpl.java:625) ~[?:?]
at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processSessionRequests(DefaultConnectingIOReactor.java:273) ~[httpcore-nio-4.4.5.jar:4.4.5]
at org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor.processEvents(DefaultConnectingIOReactor.java:139) ~[httpcore-nio-4.4.5.jar:4.4.5]
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor.execute(AbstractMultiworkerIOReactor.java:348) ~[httpcore-nio-4.4.5.jar:4.4.5]
at org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager.execute(PoolingNHttpClientConnectionManager.java:192) ~[httpasyncclient-4.1.2.jar:4.1.2]
at org.apache.http.impl.nio.client.CloseableHttpAsyncClientBase$1.run(CloseableHttpAsyncClientBase.java:64) [httpasyncclient-4.1.2.jar:4.1.2]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_144]

code block:

                    httpclient.start();
		final CountDownLatch latch = new CountDownLatch(1);			
                    AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
				@Override
				public Void run() throws IOException {
					httpclient.execute(get, new FutureCallback<HttpResponse>() {
						@Override
						public void completed(final HttpResponse response) {
							try {
								latch.countDown();
								callbackResponse = response;
							} catch (IllegalStateException e) {
								throw new RuntimeException();
							}
						}

						@Override
						public void failed(final Exception ex) {
							latch.countDown();								
						}

						@Override
						public void cancelled() {
							latch.countDown();								
						}

					});
					return null;
				}
			});
		} catch (PrivilegedActionException e) {
			throw (IOException) e.getCause();
		}
4

I dont' think your doPrivileged block will work as intended. See how the Elasticsearch rest client does this in RestClientBuilder.

1 Like
5

That helped. Thanks a lot.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.