Java in Notes/Domino Explained: Security 101
As a Notes/Domino programmer you are probably familiar with the fact that the agent manager (AMgr) distinguishes between operations consider restricted and those considered unrestricted. Among restricted operations are those that access the file system, set the system clock etc. Whether an agent is allowed to use restricted operations are based on settings in two different locations:
- Whether the signer is granted access to restricted operations on the Security tab of the server document.
- Whether the agent is set to allow restricted operations on the second tab of the agent properties.
When running Java agents the access to restricted operations are governed by a SecurityManager "installed" (configured) when the JVM is initialized and before the NotesMain() method of the agent is invoked. Once a SecurityManager has been installed in the JVM (using the setSecurityManager() method of the java.lang.System class) a new one cannot be set. If you try a java.lang.SecurityException is thrown. This guarantees that the default installed SecurityManager cannot be replaced at runtime.
A SecurityManager is a class extending java.lang.SecurityManager. If a SecurityManager is installed in the JVM it is asked before a security sensitive operation is executed. The SecurityManager then has the option of overruling the execution of the operation by throwing a java.lang.SecurityException.
The following types of operations are controlled by the SecurityManager in agents:
- The ability to read files on disk
- The ability to write files on disk
- The ability to access the network
- The ability to work with class loaders
- The ability to execute external programs
- The ability to use Java classes calling with native code
- The ability to access system properties
The Java API of Notes/Domino contains two different SecurityManagers - one for agents and one for servlets. The SecurityManager for agents is COM.ibm.JEmpower.applet.AppletSecurity and the SecurityManager for servlers is lotus.notes.AgentSecurityManager. Both inherit directly from java.lang.SecurityManager.
Re: Java in Notes/Domino Explained: Security 101
Re: Java in Notes/Domino Explained: Security 101
Sorry for the short answer. I don't think you'll get commons logging or the http client to work without the agent having access to restricted operations - that's is my experience with many of the Jakarta libraries. I think it is the way the use dynamic classloading etc. that makes the Domino JVM go beserk.
Anyways - try running the agent with restricted operations if you haven't already and post any stacktrace you might have.
Re: Java in Notes/Domino Explained: Security 101
Here is the Stacktrace with additional hints of log4j : http://pastebin.com/711357
I can create normal http connections, even through a proxy, without having any problems. Only the SSL connection seems to make trouble.
I read an article about common-http client. It says that the only way to use SSL connection is to modify the java.security and the java.policy with this entrys: (policy file) permission java.util.PropertyPermission "java.protocol.handler.pkgs", "write"; (java.security) security.provider.3=com.sun.net.ssl.internal.ssl.Provider (and in the sourcecode) Class.forName("com.sun.net.ssl.internal.ssl.Provider"); System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol"); Its based on JSSE libs, so I attached them to the agent.
I tried to change this in my local settings and to run the agent local. But even then there is this Exception.
Thanks for answering so fast!
Re: Java in Notes/Domino Explained: Security 101
Re: Java in Notes/Domino Explained: Security 101
Yes I followed his guidelines by adding the 3 packages (jsse,jnet,jcert) to the agent librarys (edit project), changing the java.policy and java.security files with those 2 lines and adding Class.forName(...) and System.setProperty(...) to the java sourcecode.
Furtheron I registed a new SSL Protocol Factory to my httpclient:
Protocol.registerProtocol("https", new Protocol("https", new StrictSSLProtocolSocketFactory(), 443));
I tested the httpclient with eclipse and the ssl connection is working in this case, but in the agent I got that security exception.
Do I have to change something if want to do a ssl connection with the common-http client?
Re: Java in Notes/Domino Explained: Security 101
I quite sure it is the Notes SecurityManager that is causing havok for you... You didn't write it so I'm going to ask again to be safe:
- Did you enable the agent for restricted operations (on the security tab on the agent property box)?
- Which version of Notes/Domino are you running?
Re: Java in Notes/Domino Explained: Security 101
It is the Notes SecurityManager and I set the security lvl to 3 "Allow restricted operations with full adminstration rights"
Additionaly I found out that the provider is not registed!:
Provider[] providers = Security.getProviders();
for (int i=0,x=providers.length;i<x;i++){
System.out.println(providers[i]);
}
But I added all what is needed to run ssl in the policy and security file.
Re: Java in Notes/Domino Explained: Security 101
I solved it!!!!!
There is no way to attach the jars to the agent. The jvm can not get the Provider class then. You have to put the 3 packages into the ext folder.
Systout(provders[i]); now shows 3 providers and the ssl connection works!
Here the 4 steps:-
Put permission java.util.PropertyPermission "java.protocol.handler.pkgs", "write"; into the grant block of the java.policy.
-
Put security.provider.3=com.sun.net.ssl.internal.ssl.Provider into the security file. Instead of the 3 you have to take the next number in the sequence.
-
Copy the 3 jars files of Java Secure Socket Extension (JSSE) (jcert.jar, jnet.jar, jsse.jar) into the ext folder of the jvm @ your domino server.
- Paste that into your java source code: System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
Thanks for all :)