Discussions
Categories
- 196.7K All Categories
- 2.2K Data
- 235 Big Data Appliance
- 1.9K Data Science
- 449.8K Databases
- 221.6K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 31 Multilingual Engine
- 549 MySQL Community Space
- 477 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3K ORDS, SODA & JSON in the Database
- 532 SQLcl
- 4K SQL Developer Data Modeler
- 186.9K SQL & PL/SQL
- 21.3K SQL Developer
- 295.4K Development
- 17 Developer Projects
- 138 Programming Languages
- 292.1K Development Tools
- 104 DevOps
- 3.1K QA/Testing
- 645.9K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 153 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.1K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 17 Java Essentials
- 158 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 203 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 396 LiveLabs
- 37 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.6K Other Languages
- 2.3K Chinese
- 170 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 230 Portuguese
java.net.SocketPermission - socket range
Arek
Member Posts: 56
Hi,
We're calling an external Java class (RMI server) from Java Stored Procedure (RMI client). The RMI server listens on 1099 socket and therefore we needed to grant
dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', 'localhost:1099', 'connect,resolve' ) - which is fine.
The problem is however a reverse "connection" established on another socket which seems to be chosen dynamically. We're receiving the following error at runtime:
"java.security.AccessControlException: the Permission (java.net.SocketPermission localhost:56675 connect,resolve) has not been granted to SLAB. The PL/SQL to grant this is dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', '172.16.30.3
0:56675', 'connect,resolve' )
[...]"
which as far as I can tell means that this time 56675 socket has been chosen for the reverse connection. We could grant java.net.SocketPermission on this one too and it would work fine, however it may not work the next time we run the program as a different socket can be chosen.
The idea would be to either:
a) grant SocketPermission to the whole localhost - but we don't want that
b) grant SocketPermission for a single socket or (better - range of sockets) and make sure that the RMI Client and RMI server uses this single socket only (this range of sockets respectively). How can this be done?
Any ideas?
Cheers
Arek
We're calling an external Java class (RMI server) from Java Stored Procedure (RMI client). The RMI server listens on 1099 socket and therefore we needed to grant
dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', 'localhost:1099', 'connect,resolve' ) - which is fine.
The problem is however a reverse "connection" established on another socket which seems to be chosen dynamically. We're receiving the following error at runtime:
"java.security.AccessControlException: the Permission (java.net.SocketPermission localhost:56675 connect,resolve) has not been granted to SLAB. The PL/SQL to grant this is dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', '172.16.30.3
0:56675', 'connect,resolve' )
[...]"
which as far as I can tell means that this time 56675 socket has been chosen for the reverse connection. We could grant java.net.SocketPermission on this one too and it would work fine, however it may not work the next time we run the program as a different socket can be chosen.
The idea would be to either:
a) grant SocketPermission to the whole localhost - but we don't want that
b) grant SocketPermission for a single socket or (better - range of sockets) and make sure that the RMI Client and RMI server uses this single socket only (this range of sockets respectively). How can this be done?
Any ideas?
Cheers
Arek
Best Answer
-
Hi Arek:
AFAIK is not a problem of RMI implementation.
Typically posix socket implementation when an application is listening in a specific port number once the connection is accepted is followed by a clone() call which find a free port number above of 1024 and use it.
So there is no chance to change this behavior
Marcelo.
Answers
-
Hi Arek:
Try this:
exec dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', 'localhost:1024-', 'listen,resolve');
exec dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', 'localhost:1024-', 'accept, resolve');
exec dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', 'localhost:1024-', 'connect, resolve');
exec dbms_java.grant_permission( 'LUCENE', 'SYS:java.net.SocketPermission', 'localhost:1099', 'connect,resolve' );
these grants are working fine with my RMI server.
Best regards, Marcelo.
-
oops replace LUCENE by SLAB in last grant.
Marcelo. -
Thank you Marcello,
Yes, it works, but it is more or less the same as allowing the whole localhost.
However - if we wanted to be picky - is there a way to limit the range to 100 ports only?
Setting permissions is the easy part:
dbms_java.grant_permission( 'SLAB', 'SYS:java.net.SocketPermission', '172.16.30.30:1099-1199', 'connect,resolve' );
etc
But how can we configure the RMI server and/or the database (which should it be?) to use only ports in this range?
Cheers
Arek -
Hi Arek:
AFAIK is not a problem of RMI implementation.
Typically posix socket implementation when an application is listening in a specific port number once the connection is accepted is followed by a clone() call which find a free port number above of 1024 and use it.
So there is no chance to change this behavior
Marcelo. -
I see.
Thanks Marcello
This discussion has been closed.