
Unable to create ClientConfiguration=>AmazonHttpClient within secure (SecurityManager) environments

Open SimoneAvogadro opened this issue 5 years ago • 2 comments

Migrating from 1.1.700 to 1.11.908 it's not anymore possible to use AmazonHttpClient / ClientConfiguration within restrictive security environments which forbid access to environment properties. The way in which the ClientConfiguration is defined implicitly accesses environment variables during class initialization (causing a security exception), thus it's not possible to avoid/ignore that access. Without a valid ClientConfiguration it's impossible to instantiate an AmazonHttpClient and so any code which relies on these components is not usable anymore in those secure environments

Describe the bug

  • ClientConfiguration performs early initialization of internal state at class level
  • Class initialization (actually: static field member initialization) uses internal.RetryModeResolver which needs access to environment variables otherwise it fails without appeal

Expected Behavior

It should be possible to avoid access to environment variables, ideally the code should check if this access is permitted before trying or it should allow catching and ignoring that error.

Current Behavior

Any attempt to create an AmazonHttpClient requires the creation of a ClientConfiguration which results in a security exception as reported below:

java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getenv.AWS_RETRY_MODE")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:886)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at com.boomi.security.ExtendedSecurityManager.checkPermissionImpl(ExtendedSecurityManager.java:207)
    at com.boomi.security.ExtendedSecurityManager.checkPermission(ExtendedSecurityManager.java:114)
    at java.lang.System.getenv(System.java:894)
    at com.amazonaws.retry.internal.RetryModeResolver.envVar(RetryModeResolver.java:67)
    at com.amazonaws.retry.internal.RetryModeResolver.resolveRetryMode(RetryModeResolver.java:72)
    at com.amazonaws.retry.internal.RetryModeResolver.<init>(RetryModeResolver.java:46)
    at com.amazonaws.retry.RetryPolicy.<clinit>(RetryPolicy.java:35)
    at com.amazonaws.retry.PredefinedRetryPolicies.<clinit>(PredefinedRetryPolicies.java:30)
    at com.amazonaws.ClientConfiguration.<clinit>(ClientConfiguration.java:89)

Steps to Reproduce

  • setup ~/.java.policy to deny access to environment variables
grant {
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.net.SocketPermission "*:*", "connect,resolve";
  permission java.util.PropertyPermission "*", "read";
  permission javax.management.MBeanPermission "*", "registerMBean";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission javax.management.MBeanServerPermission "findMBeanServer";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanTrustPermission "register";
};
  • this simple unit test will reproduce the issue:
	@Test 
	public void testcloudSecurityPolicy() {
		AmazonHttpClient c = new AmazonHttpClient(new ClientConfiguration());
	}

Possible Solution

there are multiple options:

  • best option: change ClientConfiguration and move all initialization within a "protected setUp()" method so that clients within secure environment can subclass it and manage/avoid security exceptions
  • change ClientConfiguration into an interface
  • change the initialization path so that it does not fail in case of secure environments

Context

currently we're working on 1.11.700 and this works, this bug does not allow us to upgrade to the latest lib in order to meet compliance requirements

Your Environment

  • AWS Java SDK version used: 1.11.908
  • JDK version used:
  • Operating System and version:

SimoneAvogadro avatar Nov 26 '20 10:11 SimoneAvogadro
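The failure mode reported above, next to the guarded lookup the report asks for, as an added Java example (not code from the issue or from the AWS SDK). `RetryModeInitDemo`, `DENIED_ENV`, `EagerConfig`, `GuardedConfig` and the `"legacy"` fallback are hypothetical; the denied `getenv` call is simulated with a constructed `SecurityException`, so no SecurityManager or policy file is needed to run it.

```java
import java.util.function.Function;

public class RetryModeInitDemo {
    // Constructed stand-in for System.getenv under a policy that does not grant
    // RuntimePermission "getenv.AWS_RETRY_MODE": every lookup is denied.
    static final Function<String, String> DENIED_ENV = name -> {
        throw new SecurityException(
            "access denied (\"java.lang.RuntimePermission\" \"getenv." + name + "\")");
    };

    // Shape seen in the stack trace: the environment is read from a static
    // initializer, so the exception escapes from <clinit>.
    static class EagerConfig {
        static final String RETRY_MODE = DENIED_ENV.apply("AWS_RETRY_MODE");
    }

    // Guarded shape: a denied lookup is treated like an unset variable.
    static class GuardedConfig {
        static final String DEFAULT_MODE = "legacy"; // placeholder fallback (assumption)
        static final String RETRY_MODE =
            resolve(DENIED_ENV, "AWS_RETRY_MODE", DEFAULT_MODE);

        static String resolve(Function<String, String> env, String name, String fallback) {
            try {
                String value = env.apply(name);
                return (value == null || value.isEmpty()) ? fallback : value;
            } catch (SecurityException denied) {
                // The policy forbids the read: fall back instead of failing class init.
                return fallback;
            }
        }
    }

    // Returns the resolved mode, or the simple name of whatever was thrown.
    static String touchEager() {
        try {
            return EagerConfig.RETRY_MODE;
        } catch (Throwable t) {
            return t.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        System.out.println("eager, first use:  " + touchEager());
        System.out.println("eager, second use: " + touchEager());
        System.out.println("guarded:           " + GuardedConfig.RETRY_MODE);
    }
}
```

The first use of `EagerConfig` fails with `ExceptionInInitializerError` and every later use with `NoClassDefFoundError`, which is why a caller cannot catch the exception once and carry on; the guarded class initializes normally with the fallback value.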

Hi @SimoneAvogadro apologies for the lack of response. We didn't anticipate this case, marking as bug. The retry mode was introduced in version 1.11.719.

So this is not a problem for any of the other environment variables used in the SDK?

debora-ito avatar Dec 10 '20 18:12 debora-ito

> Hi @SimoneAvogadro apologies for the lack of response. We didn't anticipate this case, marking as bug. The retry mode was introduced in version 1.11.719.
>
> So this is not a problem for any of the other environment variables used in the SDK?

Some other properties can be worked around (e.g. proxy) but this one is blocking for sure: I've been unable to check if other variables are blocking because I can't currently get past this point

SimoneAvogadro avatar Dec 10 '20 19:12 SimoneAvogadro