4 Replies Latest reply on Apr 24, 2012 11:57 PM by EJP

    SocketPermission - Client Port?

      I've been developing a web application that gets deployed in Apache Tomcat 6, running Java 6 Update 31. There is a requirement to include a module that will simply listen to incoming TCP traffic on port X for future processing. Everything was working great until we went to enable the Java Security Manager (an IA requirement).

      Once it was enabled, we started getting AccessControlExceptions, but this was expected, since nothing in our policy file was explicitly allowing this traffic. So, I added the following lines to Tomcat's "catalina.policy" file (where 54321 is the port the app is listening on):

      grant {
          permission java.net.SocketPermission "*:54321", "accept, resolve";
      };

      However, we were still seeing AccessControlExceptions, such as:

      java.security.AccessControlException: access denied (java.net.SocketPermission accept,resolve)

      Looking at that error line, I noticed that "" is in fact the IP of the client, so "1527" must be the client-side port for the socket. This is verified by the fact that this port changes each time this is attempted...

      So, my question is: why does my web application need to care about the client port? My understanding is that outgoing connections simply use arbitrary/random ports. It seems to me that on my side, with respect to this policy file, I should only need to specify the ports I want to listen to. However, the only way I can get this to work is if I change "54321" to "*" in the above permission line, thereby opening the JVM up to the world.

      Am I misunderstanding something about the syntax here? How can I make sure that my application accepts connections from ANY host, from ANY client-side port, on server port 54321?

        • 1. Re: SocketPermission - Client Port?
          there are 2 separate restrictions you need to deal with when running your own socket listener.

          the first restriction is setting up the listener in the first place. in order to do this you need to be granted the right to listen on a specific port on a specific local interface. in your example, this would look like:

          permission java.net.SocketPermission "*:54321", "listen,resolve";

          the second restriction is "who you can accept connections from", which is based on the client host and port. if you want to accept connections from anywhere, this permission would look like:

          permission java.net.SocketPermission "*", "accept";

          Edited by: jtahlborn on Apr 24, 2012 2:10 PM
          • 2. Re: SocketPermission - Client Port?
            Ok, that does make sense. However, one concern that I have is from the Javadoc for SocketPermission:

            'The "listen" action is only meaningful when used with "localhost"'

            Further, why is it that the application works correctly with only the following line:

            permission java.net.SocketPermission "*:*", "accept";

            In other words, I don't need to add "listen" in order to make it work. Sorry if I'm not grasping something simple here. And thanks for the response!

            • 3. Re: SocketPermission - Client Port?
              Crosspost: http://www.coderanch.com/t/573360/sockets/java/SocketPermission-Remote-Port
              • 4. Re: SocketPermission - Client Port?
                The catalina.policy file must already have a listen permission in it somewhere. Tomcat listens.
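The two checks described in this thread (listen on the local port, accept from the client's host:port) can be confirmed offline with the JDK's own SocketPermission.implies(), without touching Tomcat or a policy file. The following is an added example, not code from the thread; the client address 203.0.113.5 and client port 1527 are constructed sample values, and "1024-" is the documented "N to 65535" port-range syntax.

```java
import java.net.SocketPermission;

/**
 * Added example (not from the thread): asks SocketPermission.implies()
 * whether a given grant line would satisfy the permission the JVM
 * demands at runtime. Client host/port below are constructed values.
 */
public class SocketPermissionCheck {

    /** The permission checked when ServerSocket.accept() returns a client. */
    static SocketPermission acceptFromClient(String clientIp, int clientPort) {
        return new SocketPermission(clientIp + ":" + clientPort, "accept,resolve");
    }

    /** Would a policy line with this target/actions cover the needed permission? */
    static boolean covers(String grantTarget, String grantActions, SocketPermission needed) {
        return new SocketPermission(grantTarget, grantActions).implies(needed);
    }

    public static void main(String[] args) {
        SocketPermission needed = acceptFromClient("203.0.113.5", 1527);

        // The original grant names the server port 54321, but "accept" is
        // matched against the CLIENT's host:port (1527 here), so it fails.
        System.out.println("\"*:54321\" accept  -> "
                + covers("*:54321", "accept,resolve", needed));

        // Any host, any port: works, but is the broadest accept grant possible.
        System.out.println("\"*\" accept        -> "
                + covers("*", "accept", needed));

        // Narrower: any host, but only unprivileged client ports (1024-65535),
        // which is where normal outbound connections originate.
        System.out.println("\"*:1024-\" accept  -> "
                + covers("*:1024-", "accept", needed));

        // "listen" is a separate check against the LOCAL bind address/port,
        // which is why it is expressed with localhost, not the client.
        SocketPermission bind = new SocketPermission("localhost:54321", "listen,resolve");
        System.out.println("\"localhost:1024-\" listen -> "
                + covers("localhost:1024-", "listen", bind));
    }
}
```

Running it shows that "*:54321" does not cover the accept check at all, while "*:1024-" covers it without granting accept from every possible client port the way a bare "*" does.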