can't grant java.io.FilePermission [message #559586] Wed, 04 July 2012 08:43
_jum
Messages: 486
Registered: February 2008
Senior Member
In ORACLE 11.2.0.1.0 I can grant java.io.FilePermission. I use (as SYS) a script like:
DROP   USER SCOTT CASCADE;

User dropped.

CREATE USER SCOTT
  IDENTIFIED BY tiger
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;
  GRANT RESOURCE TO SCOTT;
  GRANT CONNECT TO SCOTT;
  ALTER USER SCOTT DEFAULT ROLE ALL;

User dropped.
User created.
Grant complete.
Grant complete.
User altered.
 
DECLARE
 KEYNUM NUMBER;
BEGIN
  SYS.DBMS_JAVA.GRANT_PERMISSION(
     grantee           => 'SCOTT'
    ,permission_type   => 'SYS:java.io.FilePermission'
    ,permission_name   => 'C:\TEMP'
    ,permission_action => 'read'
    ,key               => KEYNUM
    );
END;
/

PL/SQL procedure successfully completed.

SELECT * 
  FROM DBA_JAVA_POLICY 
 WHERE grantee='SCOTT';

KIND  GRANTEE TYPE_SCHEMA TYPE_NAME              NAME    ACTION ENABLED SEQ
----- ------- ----------- ---------------------- ------- ------ ------- ---
GRANT SCOTT   SYS         java.io.FilePermission C:\TEMP read   ENABLED 198

In ORACLE 11.2.0.2.0 I can't grant java.io.FilePermission:
DROP   USER SCOTT CASCADE;

User dropped.

CREATE USER SCOTT
  IDENTIFIED BY tiger
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  PROFILE DEFAULT
  ACCOUNT UNLOCK;
  GRANT RESOURCE TO SCOTT;
  GRANT CONNECT TO SCOTT;
  ALTER USER SCOTT DEFAULT ROLE ALL;

User dropped.
User created.
Grant complete.
Grant complete.
User altered.
 
DECLARE
 KEYNUM NUMBER;
BEGIN
  SYS.DBMS_JAVA.GRANT_PERMISSION(
     grantee           => 'SCOTT'
    ,permission_type   => 'SYS:java.io.FilePermission'
    ,permission_name   => 'C:\TEMP'
    ,permission_action => 'read'
    ,key               => KEYNUM
    );
END;
/

Error at line 15
ORA-29532: Java call terminated by uncaught Java exception: java.lang.SecurityException: policy table update java.io.FilePermission, C:\TEMP
ORA-06512: at "SYS.DBMS_JAVA", line 752
ORA-06512: at line 4
Script Terminated on line 15.

SELECT * 
  FROM DBA_JAVA_POLICY 
 WHERE grantee='SCOTT';

no rows selected.

What could be the reason?
Re: can't grant java.io.FilePermission [message #559592 is a reply to message #559586] Wed, 04 July 2012 10:21
Michel Cadot
Messages: 58488
Registered: March 2007
Location: Nanterre, France, http://...
Senior Member
Account Moderator
Check with PUBLIC.

Regards
Michel
Re: can't grant java.io.FilePermission [message #559594 is a reply to message #559592] Wed, 04 July 2012 11:13
_jum
With grantee => 'PUBLIC' comes exactly the same error.
Re: can't grant java.io.FilePermission [message #559595 is a reply to message #559594] Wed, 04 July 2012 11:28
Michel Cadot
No, I meant execute:
SELECT * 
  FROM DBA_JAVA_POLICY 
 WHERE grantee='PUBLIC';

Regards
Michel
Re: can't grant java.io.FilePermission [message #559598 is a reply to message #559586] Wed, 04 July 2012 12:47
Barbara Boehmer
Messages: 7930
Registered: November 2002
Location: California, USA
Senior Member
The only way that I am able to reproduce the error is by attempting to run your code while connected as a user who lacks DBA privileges. Did you run it as SYS AS SYSDBA or what?

SCOTT@orcl_11gR2> SELECT * FROM v$version
  2  /

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
PL/SQL Release 11.2.0.1.0 - Production
CORE	11.2.0.1.0	Production
TNS for 64-bit Windows: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production

5 rows selected.

SCOTT@orcl_11gR2> connect grantor/grantor
Connected.
GRANTOR@orcl_11gR2> DECLARE
  2   KEYNUM NUMBER;
  3  BEGIN
  4    SYS.DBMS_JAVA.GRANT_PERMISSION(
  5  	  grantee	    => 'TEST'
  6  	 ,permission_type   => 'SYS:java.io.FilePermission'
  7  	 ,permission_name   => 'C:\TEMP'
  8  	 ,permission_action => 'read'
  9  	 ,key		    => KEYNUM
 10  	 );
 11  END;
 12  /
DECLARE
*
ERROR at line 1:
ORA-29532: Java call terminated by uncaught Java exception:
java.lang.SecurityException: policy table update java.io.FilePermission,
C:\TEMP
ORA-06512: at "SYS.DBMS_JAVA", line 752
ORA-06512: at line 4


GRANTOR@orcl_11gR2> connect scott/tiger
Connected.
SCOTT@orcl_11gR2> grant dba to grantor
  2  /

Grant succeeded.

SCOTT@orcl_11gR2> connect grantor/grantor
Connected.
GRANTOR@orcl_11gR2> DECLARE
  2   KEYNUM NUMBER;
  3  BEGIN
  4    SYS.DBMS_JAVA.GRANT_PERMISSION(
  5  	  grantee	    => 'TEST'
  6  	 ,permission_type   => 'SYS:java.io.FilePermission'
  7  	 ,permission_name   => 'C:\TEMP'
  8  	 ,permission_action => 'read'
  9  	 ,key		    => KEYNUM
 10  	 );
 11  END;
 12  /

PL/SQL procedure successfully completed.

Re: can't grant java.io.FilePermission [message #559624 is a reply to message #559598] Thu, 05 July 2012 00:50
_jum
@Michel - here are the results:
SELECT * 
  FROM DBA_JAVA_POLICY 
 WHERE grantee='PUBLIC';

KIND     GRANTEE TYPE_SCHEMA TYPE_NAME                                          NAME                                        ACTION ENABLED  SEQ
-------- ------- ----------- -------------------------------------------------- ------------------------------------------- ------ -------- ---
GRANT    PUBLIC  SYS         java.lang.RuntimePermission                        exitVM                                             ENABLED  26
GRANT    PUBLIC  SYS         java.lang.RuntimePermission                        getenv.ORACLE_HOME                                 ENABLED  32
GRANT    PUBLIC  SYS         java.lang.RuntimePermission                        getenv.TNS_ADMIN                                   ENABLED  31
RESTRICT PUBLIC  SYS         java.lang.RuntimePermission                        loadLibrary.*                                      ENABLED  97
GRANT    PUBLIC  SYS         java.lang.RuntimePermission                        modifyThread                                       ENABLED  28
GRANT    PUBLIC  SYS         java.lang.RuntimePermission                        modifyThreadGroup                                  ENABLED  29
GRANT    PUBLIC  SYS         java.lang.RuntimePermission                        preferences                                        ENABLED  30
GRANT    PUBLIC  SYS         java.util.PropertyPermission                       *                                           read   ENABLED  2
GRANT    PUBLIC  SYS         java.util.PropertyPermission                       oracle.net.tns_admin                        write  ENABLED  33
GRANT    PUBLIC  SYS         java.util.PropertyPermission                       user.language                               write  ENABLED  25
RESTRICT PUBLIC  SYS         oracle.aurora.rdbms.security.PolicyTablePermission 0:java.lang.RuntimePermission#loadLibrary.*        ENABLED  98
GRANT    PUBLIC  SYS         oracle.aurora.security.JServerPermission           DUMMY                                              DISABLED 114
GRANT    PUBLIC  SYS         oracle.aurora.security.JServerPermission           LoadClassInPackage.*                               ENABLED  34
RESTRICT PUBLIC  SYS         oracle.aurora.security.JServerPermission           LoadClassInPackage.java.*                          ENABLED  35
RESTRICT PUBLIC  SYS         oracle.aurora.security.JServerPermission           LoadClassInPackage.oracle.aurora.*                 ENABLED  36
RESTRICT PUBLIC  SYS         oracle.aurora.security.JServerPermission           LoadClassInPackage.oracle.jdbc.*                   ENABLED  37
RESTRICT PUBLIC  SYS         oracle.aurora.security.JServerPermission           LoadClassInPackage.oracle.ord.*                    ENABLED  128


@Barbara - I'm SYSDBA in this scenario, the only difference is the ORACLE version.
Re: can't grant java.io.FilePermission [message #559626 is a reply to message #559624] Thu, 05 July 2012 01:20
Michel Cadot
Quote:
I'm SYSDBA in this scenario, the only difference is the ORACLE version


- Never ever use SYS (or SYSDBA) except for maintenance purposes (startup, shutdown, backup, recover)
- SYS/SYSDBA is special
- SYS/SYSDBA is Oracle proprietary (try to open a SR/TAR starting with "I did that with SYS/SYSDBA" and you'll see the immediate answer)
- SYS/SYSDBA does not act like any other user
- When you use SYS/SYSDBA Oracle deactivates some code path and activates others
- Whatever you do with SYS/SYSDBA will neither validate nor invalidate the same thing with any other user.

NEVER EVER use SYS/SYSDBA for anything that can be done by another user.
Use SYS/SYSDBA ONLY for something that can't be done by someone else.


Regards
Michel
Re: can't grant java.io.FilePermission [message #559627 is a reply to message #559626] Thu, 05 July 2012 01:36
_jum
@Michel I know, did it at first with DBA - but same result...
Is there anything special in the DBA_JAVA_POLICY for PUBLIC?

[Updated on: Thu, 05 July 2012 01:37]

Re: can't grant java.io.FilePermission [message #559632 is a reply to message #559627] Thu, 05 July 2012 02:02
Michel Cadot
Nothing I can see but as Barbara's example implies: are you sure you were DBA (that is the DBA role was active)?

Regards
Michel
Re: can't grant java.io.FilePermission [message #559637 is a reply to message #559632] Thu, 05 July 2012 03:14
_jum
Changed back to DBA and tried again with no success:
SELECT granted_role,
       admin_option,
       default_role
  FROM user_role_privs 
 WHERE GRANTED_ROLE='DBA';

GRANTED_ROLE                   ADMIN_OPTION DEFAULT_ROLE
------------------------------ ------------ ------------
DBA                            NO           NO          
1 row selected.
Re: can't grant java.io.FilePermission [message #559640 is a reply to message #559637] Thu, 05 July 2012 03:56
Michel Cadot
Default_role is at NO, this means you have to explicitly activate it.
Check with "select * from session_roles" before executing your PL/SQL.

Regards
Michel
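The session-role check suggested above, extended into a pre-flight script around the grant. This is an added example, not part of the original thread; it assumes SQL*Plus, a granting account that holds the DBA role, and reuses the SCOTT and C:\TEMP values from the first post.

```sql
-- Added example (not from the thread). Run as the granting account, not as SYS.
SET SERVEROUTPUT ON

-- 1. Which of the relevant roles are active in this session? A role granted
--    with DEFAULT_ROLE = NO is not listed until it is enabled.
SELECT role FROM session_roles WHERE role IN ('DBA', 'JAVA_ADMIN');

-- 2. Enable the role for this session if step 1 returned no rows
--    (assumes DBA has been granted to the account).
SET ROLE DBA;

-- 3. Policy rows that let this session update the policy table for
--    java.io.FilePermission, matched by user, active role or PUBLIC.
SELECT kind, grantee, name, enabled, seq
  FROM dba_java_policy
 WHERE type_name = 'oracle.aurora.rdbms.security.PolicyTablePermission'
   AND name LIKE '%java.io.FilePermission%'
   AND (grantee IN (USER, 'PUBLIC')
        OR grantee IN (SELECT role FROM session_roles));

-- 4. Grant read access to one named user (not PUBLIC) and keep the key.
--    'C:\TEMP' names the directory itself; java.io.FilePermission needs
--    'C:\TEMP\*' to cover the files inside it.
DECLARE
  keynum NUMBER;
BEGIN
  SYS.DBMS_JAVA.GRANT_PERMISSION(
     grantee           => 'SCOTT'
    ,permission_type   => 'SYS:java.io.FilePermission'
    ,permission_name   => 'C:\TEMP'
    ,permission_action => 'read'
    ,key               => keynum
    );
  DBMS_OUTPUT.PUT_LINE('policy key = ' || keynum);
END;
/

-- 5. Confirm that the row exists and is enabled.
SELECT kind, grantee, type_name, name, action, enabled, seq
  FROM dba_java_policy
 WHERE grantee = 'SCOTT'
   AND type_name = 'java.io.FilePermission';
```

The key printed in step 4 can later be passed to DBMS_JAVA.DISABLE_PERMISSION and DBMS_JAVA.DELETE_PERMISSION to withdraw the grant.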
Re: can't grant java.io.FilePermission [message #559650 is a reply to message #559640] Thu, 05 July 2012 05:03
_jum
Thank you @Michel, overlooked this.
Changed the USER DEFAULT ROLE and now the session_roles shows DBA too, but the result is the same...
The ORA-29532 error only takes place if a valid USERNAME is used for GRANTEE; in the other cases the procedure gives no error - but of course no entry in the DBA_JAVA_POLICY.
I wonder if something in the JAVA installation of the server went wrong. But all JAVA objects are valid.

In the meantime I'll change with the instance to ORACLE 11.2.0.1.0 server as workaround.
Re: can't grant java.io.FilePermission [message #559652 is a reply to message #559650] Thu, 05 July 2012 05:27
Michel Cadot
Or maybe check in 11.2.0.3 instead of going back to base version.

Regards
Michel
Re: can't grant java.io.FilePermission [message #559653 is a reply to message #559652] Thu, 05 July 2012 05:32
Michel Cadot
It indeed works in 10.2.0.3:
SQL> select * from v$version;

BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - Production
PL/SQL Release 11.2.0.3.0 - Production
CORE    11.2.0.3.0      Production
TNS for 32-bit Windows: Version 11.2.0.3.0 - Production
NLSRTL Version 11.2.0.3.0 - Production

SQL> DECLARE
  2   KEYNUM NUMBER;
  3  BEGIN
  4    SYS.DBMS_JAVA.GRANT_PERMISSION(
  5       grantee           => 'SCOTT'
  6      ,permission_type   => 'SYS:java.io.FilePermission'
  7      ,permission_name   => 'C:\TEMP'
  8      ,permission_action => 'read'
  9      ,key               => KEYNUM
 10      );
 11  END;
 12  /

PL/SQL procedure successfully completed.

SQL>
SQL> select username from dba_users where username='SCOTT';

USERNAME
------------------------------
SCOTT

Regards
Michel
Re: can't grant java.io.FilePermission [message #559662 is a reply to message #559653] Thu, 05 July 2012 07:20
_jum
Will request at the DBA Laughing
Thanks @Michel for your valuable input and information!