dev@glassfish.java.net

error when running EJB client in ACC with security manager on

From: Dies Koper <diesk_at_fast.au.fujitsu.com>
Date: Tue, 2 Jun 2009 11:33:45 +1000

Hi,

When I run an EJB client in the ACC with the security manager enabled, I
get an 'access denied' error message on GFv2.1:

D:\GFv2.1\glassfish-v2.1-b60e\glassfish>bin\appclient -client ExitTestAppClientClient.jar
02/06/2009 10:44:00 AM com.sun.corba.ee.impl.util.Utility loadStub
WARNING: "IOP01211405: (BAD_OPERATION) Exception in loadStub"
org.omg.CORBA.BAD_OPERATION: vmcid: SUN minor code: 1405 completed: No
        at com.sun.corba.ee.impl.logging.UtilSystemException.exceptionInLoadStub(UtilSystemException.java:179)
        at com.sun.corba.ee.impl.logging.UtilSystemException.exceptionInLoadStub(UtilSystemException.java:197)
        at com.sun.corba.ee.impl.util.Utility.loadStub(Utility.java:856)
[...]
        at com.sun.enterprise.naming.SerialContext.lookup(SerialContext.java:407)
        at javax.naming.InitialContext.lookup(InitialContext.java:392)
        at ejb30.Client.main(Client.java:14)
[...]
Caused by: java.security.AccessControlException: access denied (com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at com.sun.corba.ee.impl.presentation.rmi.StubInvocationHandlerImpl.<init>(StubInvocationHandlerImpl.java:105)
        at com.sun.corba.ee.impl.presentation.rmi.bcel.StubFactoryBCELImpl.makeStub(StubFactoryBCELImpl.java:171)
        at com.sun.corba.ee.impl.util.Utility.loadStub(Utility.java:852)

When I add the following privileges to the grant block in
glassfish/lib/appclient.policy, the client can successfully access the
deployed EJB.

permission com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission "access";
permission java.lang.RuntimePermission "accessDeclaredMembers";

The client application was trying to do a JNDI lookup:

 Context gfic = new InitialContext();
 ejb30.ExitTestRemote bean =
     (ejb30.ExitTestRemote) gfic.lookup("java:comp/env/ejb/ExitTestBean");

Shouldn't we have these privileges enabled in GlassFish by default?

I'm not sure what the status of security manager support is in GF V3, so
I haven't tried it on GFv3 yet.

Thanks,
Dies
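
Added example, not part of the original message and not GlassFish code: a small Python helper that turns the `access denied (...)` text of an AccessControlException into policy-file `permission` entries, so each denial can be reviewed and granted individually. The function names and the sample log are constructed for illustration; the second sample line assumes the quoted permission format printed by Java 7 and later.

```python
import re

# Constructed sample input: the denial from the post (Java 6 style, wrapped
# across two lines) plus a constructed Java 7+ style line with quoted fields.
SAMPLE_LOG = """\
Caused by: java.security.AccessControlException: access denied
(com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access)
        at java.security.AccessController.checkPermission(AccessController.java:546)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
Caused by: java.security.AccessControlException: access denied
(com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission access)
"""

# \s+ also matches a newline, so a wrapped message is still recognised.
DENIED = re.compile(r"access denied\s+\(([^()]*)\)")
# A field is either a double-quoted string or a run of non-blank characters.
FIELD = re.compile(r'"([^"]*)"|(\S+)')


def denied_permissions(log_text):
    """Return unique (class, name, actions) tuples in order of first appearance."""
    found = []
    for match in DENIED.finditer(log_text):
        fields = [quoted or bare for quoted, bare in FIELD.findall(match.group(1))]
        if len(fields) not in (2, 3):
            continue  # unquoted name containing blanks: ambiguous, needs a manual look
        perm = (fields[0], fields[1], fields[2] if len(fields) == 3 else "")
        if perm not in found:
            found.append(perm)
    return found


def policy_lines(perms):
    """Format tuples as policy-file permission entries (backslashes doubled)."""
    lines = []
    for cls, name, actions in perms:
        entry = 'permission {} "{}"'.format(cls, name.replace("\\", "\\\\"))
        if actions:
            entry += ', "{}"'.format(actions)
        lines.append(entry + ";")
    return lines


if __name__ == "__main__":
    for line in policy_lines(denied_permissions(SAMPLE_LOG)):
        print(line)
```

The output lists what was denied, not what should be allowed: review each line and place it in a grant block scoped to the code that needs it.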