
As a Notes/Domino programmer you are probably familiar with the fact that the agent manager (AMgr) distinguishes between operations considered restricted and those considered unrestricted. Among restricted operations are those that access the file system, set the system clock etc. Whether an agent is allowed to use restricted operations is based on settings in two different locations:
- Whether the signer is granted access to restricted operations on the Security tab of the server document.
- Whether the agent is set to allow restricted operations on the second tab of the agent properties.
The default setting in the agent properties is not to allow access to restricted operations.
When running Java agents the access to restricted operations is governed by a SecurityManager "installed" (configured) when the JVM is initialized and before the NotesMain() method of the agent is invoked. Once a SecurityManager has been installed in the JVM (using the setSecurityManager() method of the java.lang.System class) a new one cannot be set. If you try, a java.lang.SecurityException is thrown. This guarantees that the default installed SecurityManager cannot be replaced at runtime.
A SecurityManager is a class extending java.lang.SecurityManager. If a SecurityManager is installed in the JVM it is consulted before a security-sensitive operation is executed. The SecurityManager then has the option of vetoing the execution of the operation by throwing a java.lang.SecurityException.
The following types of operations are controlled by the SecurityManager in agents:
- The ability to read files on disk
- The ability to write files on disk
- The ability to access the network
- The ability to work with class loaders
- The ability to execute external programs
- The ability to use Java classes that call native code
- The ability to access system properties
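To make the mechanism above concrete, here is an added illustration (written for this page, not the code of Domino's own AppletSecurity or AgentSecurityManager classes): a SecurityManager subclass that vetoes exactly the operation classes listed above, refuses to be replaced once installed, and a main() that shows both behaviours. The class name, the restrictedAllowed flag and the file name are assumptions made for the example.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.security.Permission;

// Illustrative SecurityManager in the spirit of what the agent manager installs:
// it vetoes the restricted operation classes by throwing java.lang.SecurityException.
public class AgentStyleSecurityManager extends SecurityManager {
    private final boolean restrictedAllowed; // mirrors the agent property "allow restricted operations"

    public AgentStyleSecurityManager(boolean restrictedAllowed) {
        this.restrictedAllowed = restrictedAllowed;
    }

    private void veto(String what) {
        if (!restrictedAllowed) {
            throw new SecurityException("restricted operation not allowed for this agent: " + what);
        }
    }

    // The hooks below correspond one-to-one to the restricted operation classes listed above.
    @Override public void checkRead(String file)              { veto("read " + file); }
    @Override public void checkWrite(String file)             { veto("write " + file); }
    @Override public void checkConnect(String host, int port) { veto("connect " + host + ":" + port); }
    @Override public void checkCreateClassLoader()            { veto("create class loader"); }
    @Override public void checkExec(String cmd)               { veto("exec " + cmd); }
    @Override public void checkLink(String lib)               { veto("load native library " + lib); }
    @Override public void checkPropertiesAccess()             { veto("access system properties"); }
    @Override public void checkPermission(Permission p) {
        // Refuse replacement of the manager; everything else not covered by a hook is permitted.
        if (p instanceof RuntimePermission && "setSecurityManager".equals(p.getName())) {
            throw new SecurityException("the installed SecurityManager cannot be replaced");
        }
    }
    public static void main(String[] args) throws Exception {
        // Installed once, before any "agent" code runs. On JDK 18 and later the JVM must be
        // started with -Djava.security.manager=allow, since the API is deprecated for removal.
        System.setSecurityManager(new AgentStyleSecurityManager(false));
        try { // 1. a second setSecurityManager() call is refused by the installed manager
            System.setSecurityManager(new AgentStyleSecurityManager(true));
        } catch (SecurityException e) {
            System.out.println("replacement refused: " + e.getMessage());
        }
        try { // 2. a restricted operation (writing a file) is vetoed before it happens
            new FileOutputStream(new File("agent-test.txt")).close();
        } catch (SecurityException e) {
            System.out.println("write vetoed: " + e.getMessage());
        }
    }
}
```

Construct the manager with restrictedAllowed set to true to see the same file write succeed, which is the effect of enabling restricted operations on the agent and trusting the signer on the server document.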
The Java API of Notes/Domino contains two different SecurityManagers – one for agents and one for servlets. The SecurityManager for agents is COM.ibm.JEmpower.applet.AppletSecurity and the SecurityManager for servlets is lotus.notes.AgentSecurityManager. Both inherit directly from java.lang.SecurityManager.
Hello,
I'm trying to use common-httpclient, common-logging with log4j and JSSE for opening an SSL connection. It seems that when I try to open an SSL connection there is such a SecurityException. Maybe it's because of the Protocol Handler – I'm not sure. So, is there any way to get an SSL connection without setting any permissions in the java.policy document?
Thanks at all for this great article!
Could you post the stacktrace?
Sorry for the short answer. I don't think you'll get commons logging or the http client to work without the agent having access to restricted operations – that's my experience with many of the Jakarta libraries. I think it is the way they use dynamic classloading etc. that makes the Domino JVM go berserk.
Anyways – try running the agent with restricted operations if you haven’t already and post any stacktrace you might have.
Here is the Stacktrace with additional hints of log4j : http://pastebin.com/711357
I can create normal http connections, even through a proxy, without having any problems. Only the SSL connection seems to make trouble. I read an article about common-httpclient. It says that the only way to use an SSL connection is to modify the java.security and the java.policy with these entries:
(policy file) permission java.util.PropertyPermission "java.protocol.handler.pkgs", "write";
(java.security) security.provider.3=com.sun.net.ssl.internal.ssl.Provider
(and in the source code)
Class.forName("com.sun.net.ssl.internal.ssl.Provider");
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
It's based on the JSSE libs, so I attached them to the agent. I tried to change this in my local settings and to run the agent locally. But even then there is this exception.
Thanks for answering so fast!
While researching this I came across this post on Bob Obringer's weblog. Have you tried following his guidelines?
Yes, I followed his guidelines by adding the 3 packages (jsse, jnet, jcert) to the agent libraries (edit project), changing the java.policy and java.security files with those 2 lines and adding Class.forName(…) and System.setProperty(…) to the Java source code.
Furthermore, I registered a new SSL protocol factory with my httpclient:
Protocol.registerProtocol("https", new Protocol("https", new StrictSSLProtocolSocketFactory(), 443));
I tested the httpclient with Eclipse and the SSL connection is working in this case, but in the agent I got that security exception.
Do I have to change something if I want to do an SSL connection with the common-httpclient?
I'm quite sure it is the Notes SecurityManager that is causing havoc for you… You didn't write it so I'm going to ask again to be safe:
Did you enable the agent for restricted operations (on the security tab on the agent property box)?
Which version of Notes/Domino are you running?
It is the Notes SecurityManager and I set the security level to 3 "Allow restricted operations with full administration rights".
Additionally I found out that the provider is not registered:
import java.security.Provider;
import java.security.Security;
// list every security provider the JVM currently knows about
Provider[] providers = Security.getProviders();
for (int i = 0, x = providers.length; i < x; i++) {
    System.out.println(providers[i]);
}
But I added everything that is needed to run SSL in the policy and security file.
I have multiple choices to run the agent but it has to work on 6.5.x. I tested it on 6.5.2 and 6.5.5 with the local JVM by hitting agent -> run.
I solved it!!!!!
There is no way to attach the jars to the agent. The JVM cannot get the Provider class then. You have to put the 3 packages into the ext folder. System.out.println(providers[i]); now shows 3 providers and the SSL connection works!
Here are the 4 steps:
Put permission java.util.PropertyPermission "java.protocol.handler.pkgs", "write"; into the grant block of the java.policy.
Put security.provider.3=com.sun.net.ssl.internal.ssl.Provider into the security file. Instead of the 3 you have to take the next number in the sequence.
Copy the 3 jar files of Java Secure Socket Extension (JSSE) (jcert.jar, jnet.jar, jsse.jar) into the ext folder of the JVM on your Domino server.
Paste that into your Java source code: System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
and after those 4 points you can use HttpURLConnection or Common-HTTPClient for an SSL connection.
Thanks for all 🙂