This article is participating in “Java Theme Month – Java Debug Notes Event”, see < Event link > for more details.
Abnormal problem
In the actual project site, there was such a phenomenon: in the BS report system, the report needed to be printed, but there was no reaction when I clicked the print button. Everything was fine before, but why did it suddenly fail?
By opening the Java console view, found the following mistakes: Java. Security. AccessControlException: access denied (java.net.SocketPermission..
The specific exception logs are as follows:
java.security.AccessControlException:access denied (java.net.SocketPermission http://report.xx.xx.com:8000 connect,resolve)
at java.security.AccessControlContext.checkPermission(Unknown Source)
at java.security.AccessController.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.plugin2.applet.Applet2SecurityManager.checkConnect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at sun.net.NetworkClient.doConnect(Unknown Source)
at sun.net.www.http.HttpClient.openServer(Unknown Source)
Copy the codeThen I remembered that this problem occurred after the unified adjustment of the environmental IP to the domain name based on the requirements of the final launch of the project. After comparison, it was found that this problem was closely related to the adjustment to the domain name.
Cause analysis,
This paper analyzes the implementation of error and exception log and report printing. The original report printing is implemented by Java APLlet, but the spanning access of applet will cause security problems.
The solution
By looking at a number of resources, the summary can be addressed in the following two ways:
1. Add authorization in the java.policy file in the JRE directory on the client
Grant {} in the java.policy file in the lib/security directory of the JRE installation directory add the following permissions:
(for example: C: Program Files\Java\jdk1.8.0_171\jre\lib\security\)
permission java.net.SocketPermission "*:*", "accept,connect,resolve";
Copy the codeThe first * in *:* indicates allowed IP addresses or domain names. If * indicates all IP addresses or domain names. The second * indicates a port or range of ports, * indicates all ports, and can be 8080 or 8080-, or 8080- indicates that ports greater than or equal to 8080 are allowed.
“Accept,connect,resolve” indicates the allowed operations: accept,connect,resolve.
Disadvantages: Policy files need to be modified on all clients using the system.
2. Create your own policy file in the application system
You can also create your own policy file, such as myPolicy.policy, to which you can add the authorization described above, and add the policy file we created to the java.security file in the lib/security directory:
policy.url.x=file:${java.home}/lib/security/myPolicy.policy
Copy the codeAlternatively, instead of adding an included policy file to java.security, it is possible to start with a parameter java-djava.security.policy =myPolicy.policy.