7 Replies Latest reply: Oct 5, 2011 1:26 PM by 856328 RSS

    GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.

    856328
      As posted in the java.net forums:

      GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClassInternal(com.company.utils.Utils) security exception: access denied

      We have been fighting this issue for a couple of days. Searching the forums, etc. provided no clear answers or GF documentation. I am not saying I didn't miss something, but any help would be appreciated.

      I am working with Netbeans 7.0.1 and Glassfish 3.1.1. I am bringing an old product of many JSPs into the GF 3.1.1 realm and out of necessity it must remain a JSP project (for now). After working hard to combine these into one NB 7.0.1 project I build the project and deploy it.

      PROBLEM 1:

      After wringing out a few bugs I started getting a "security exception: access denied" error. This appears to happen when the Libraries I have included in the Netbeans project properties cannot be accessed. My login page comes up fine, but the Menu manager page it goes to tries to access (read) one of the programs in one of the library jar files. I receive the following error:

      WARNING: WebappClassLoader.findClassInternal(com.company.utils.Utils) security exception: access denied (java.io.FilePermission C:\Program Files\glassfish\glassfish-3.1\glassfish\domains\domain1\applications\CompanyApplication\WEB-INF\classes\com\company\utils\Utils.class read)
      java.security.AccessControlException: access denied (java.io.FilePermission C:\Program Files\glassfish\glassfish-3.1\glassfish\domains\domain1\applications\CompanyApplication\WEB-INF\classes\com\company\utils\Utils.class read)

      The 'com\company\utils\Utils.class' is actually in one of the library jar files the Netbeans packaged into the WEB-INF\lib directory. It is not one of the java files in the NB src\java directory that is deployed compliled in the WEB-INF\classes directory. Though it is not an EJB I tried copying the files in the deployed application WEB-INF\lib directory into the application\lib\applibs directory. I then put the library names in the Deploy Libraries entry when doing a clean deploy (undeploy/deploy) of the application. This generated diffferent errors. Then when I did another clean deploy and GF 3.1.1 actually let me get to the next JSP. I think GF was embarassed that it actually let it through because I have never gotten beyond my login page again.

      We even tried without success adding the following in the security.policy file:

      // permissions for Company Application Library Jar files
      grant codeBase "file:${com.sun.aas.instanceRoot}/applications/-" {
      permission java.io.FilePermission "<<ALL FILES>>", "read";
      };

      PROBLEM 2 - Even more frustrating

      After getting the error mentioned in PROBLEM 1 I then get the following error:

      WARNING: StandardWrapperValve[jsp]: PWC1406: Servlet.service() for servlet jsp threw exception
      java.security.AccessControlException: access denied (java.io.FilePermission C:\Program Files\glassfish\glassfish-3.1\glassfish\domains\domain1\logs\server.log read)

      GLASSFISH CAN NO LONGER READ FROM THE server.log IT IS WRITING TOO!!!! Even worse is that if I try to run another JSP based project it gets the same server.log error. If I try to redeploy or do a clean deploy of my main JSP project it also fails immediately with a java.security.AccessControlException. I cannot get rid of this AccessControlException until I completely stop Glassfish and start it again. This means that in a production environment that may have several applications, EJBs, whatever deployed will have to be shutdown completely because the JSP based project cannot simply be redeployed. That means that all other JSP based projects will quit working when the first AccessControlException takes place.

      For PROBLEM 1 or PROBLEM 2 if I have missed some pertinent documentation please point me to it. If there is some work around, some setup issues, or even for PROBLEM 2 away to clean out the AccessControlException cache without having to restart GLASSFISH please help me. Thank you.





      There was a followup statement too:


      I have tried creating a standalone test case without success (I cannot get it to fail). Part of what I tried to state in the post was this top of the stacktrace:

      WARNING: WebappClassLoader.findClassInternal(com.company.utils.Utils) security exception: access denied (java.io.FilePermission C:\Program Files\glassfish\glassfish-3.1\glassfish\domains\domain1\applications\CompanyApplication\WEB-INF\classes\com\company\utils\Utils.class read)
      java.security.AccessControlException: access denied (java.io.FilePermission C:\Program Files\glassfish\glassfish-3.1\glassfish\domains\domain1\applications\CompanyApplication\WEB-INF\classes\com\company\utils\Utils.class read)

      has validity as a permissions problem in the WEB-INF\classes\com\company\utils\ directory because that file isn't there. It is in the WEB-INF\lib directory so I would expect the program to be looking for the file in the Utils.jar file in WEB-INF\lib. I suppose that would be something like:

      C:\Program Files\glassfish\glassfish-3.1\glassfish\domains\domain1\applications\CompanyApplication\WEB-INF\lib\Utils.jar\Utils.class

      I am not sure how to force the compiler to make it look for the Utils.class in Utils.jar in WEB-INF\lib.
        • 1. Re: GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.
          han-dat
          can you check that your jar file is packaged properly, eg jar tvf Utils.jar
          • 2. Re: GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.
            856328
            That was a good suggestion. I would not have thought of that because Netbeans has for the most part always packaged the jar files correctly. Running your check I see it was as it should be. Thank you.

            If I understand the WebappClassLoader loading sequence correctly (as I have been told) it does 1) the parent classloader, 2) WEB/classes, and 3) the jar files. If I am wrong please let me know on this. If what I understand is correct why when it fails on step 2 does it not move on to step 3?
            • 3. Re: GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.
              856328
              In digging deeper I see that a jar file has already been read and used prior to this error. This makes it more confusing as the HTMLFactory is read without any problems whatsoever, but the Utils, or any further jar file that has been included in the properties library cannot be read. I saw a statement saying a method in one jar file cannot read a method in another library jar file. I have proven this not to be true in attempting to duplicate the problem simply in effort to find an answer.
              • 4. Re: GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.
                handat
                Actually, the classloading is a bit more complex than what you have described, but you got the concept right at least.
                As a debug step, try adding your Utils.jar file into the ext directory of your jre.
                • 5. Re: GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.
                  856328
                  I will try putting the Utils.jar in the ext directory of the jre as you said. When I copy the Utils.jar file to the applications/lib directory I get past that problem and run into a socketException. It doesn't seem right to have to do that when my setup worked once. What baffles me is that one time GF3.1 got pass this problem and brought up the JSP as expected. I have desperately tried to establish the setup conditions without avail.

                  One other thought is that the other programmer trying to find the solution to this problem read that a blogger eventually realized GF was generating the wrong error in similar test conditions. Therefore the error I am receiving could entirely be altogether misleading.

                  I reviewed and realized I may not have made clear the origin and history of the original project. When I say I am bringing in an old project here is what I have:

                  Netbeans 4.1 was used to build the original files, not as one project, but each .java file was compiled individually. Netbeans 4.1 is used to update or modify any components of the orginal product. The product has been running successfully for more than six years in a Netscape iplanet web server. All of the individual files (jsp, java, properties, html, etc.) are being brought into one project using Netbeans 7.0.1 and being deployed onto a Glassfish 3.1 server. We have our own standalone RMI (also built using NB4.1) built with JDK 1.4.2.
                  • 6. Re: GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.
                    856328
                    Problem 2 has been split out as it shows up in a different situation [     GF 3.1.1 - java.security.AccessControlException: access denied - server.log|https://forums.oracle.com/forums/thread.jspa?threadID=2289950&tstart=0] .
                    • 7. Re: GF3.1.1 JSP Project - WARNING: WebappClassLoader.findClass...access denied.
                      856328
                      The problem area has been found. We need to know the best method to replace the two lines of code we commented out. Here is what we found.

                      Glassfish 3.1.1 Security does not play well with old RMI security (JDK1.2 vintage). Furthermore, once the old RMI security has messed with the mind of GF3.1.1 security the GF security truly believes it has in some cases no permission to read its own server.log file.

                      Here is the offending code commented out in the Server Client Adapter (client wrapper):

                      Note: this is legacy rmi code. i.e. manually executed rmic on the appropriate classfiles as this was originally created for java 1.2.

                      // if(System.getSecurityManager() == null)
                      // System.setSecurityManager(new RMISecurityManager());

                      remote = (com.davisco.rmi.ServerAppServantAdapter_Stub)Naming.lookup(stringbuffer.toString());

                      A thank you goes out to www.velocityreviews.com/forums/t276590-access-denied-java-lang-runtimepermission-createsecuritymanager.html even if it is five years old.

                      Again, this is using the original version of RMI. How do we re-implement the RMI Security Manager without offending GF 3.1.1 security?