
Domain file processor doesn't remove quotes from value of java.security.policy JVM option

Open Blavo opened this issue 2 years ago • 2 comments


Environment Details

Glassfish 7.0.6

java version "17.0.7" 2023-04-18 LTS
Java(TM) SE Runtime Environment (build 17.0.7+8-LTS-224)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.7+8-LTS-224, mixed mode, sharing)

Mac OS 12.4 (Monterey)

Database not applicable


Problem Description

If you have quotes round the value of the java.security.policy JVM option in a domain.xml file, the domain file processor does not remove them before using the value to set java.security.policy. If a security manager is set, the policy file will not be found because of the quotes, the resulting Policy object will be empty, and widespread permission failures will occur.

This differs from how the same JVM option is treated on the command line. On the command line the quotes are removed and there is no resulting issue.

This issue is awkward to debug because the lack of permissions prevents, for instance, displaying the value of java.security.policy or listing the permission of the current Policy object after the problem has occurred.

The problem is reliably reproducible.

Steps to reproduce

1. Restart a convenient 7.0.6 glassfish server to ensure it starts
2. Find the server's domain.xml file, find the java.security.policy JVM option therein, and put quotes round the value, e.g. -Djava.security.policy="/Applications/glassfish7/glassfish/domains/domain1/config/server.policy"
3. Restart the server; it will fail to start because of permission problems
4. Remove the quotes
5. Restart the server
6. Run the attached client with -Djava.security.policy=xxx in the JVM options; the value of the java.security.policy is shown as xxx
7. Rerun the client with -Djava.security.policy="xxx" in the JVM options; the value of the java.security.policy is shown as xxx without quotes, the quotes having been removed

Impact of Issue

Took quite a while to figure out.

Client.txt

Blavo avatar Sep 04 '23 04:09 Blavo

Why do you need quotes? Quotes are a shell thing in order to keep the argument as a single argument even if it contains spaces. GlassFish runs the command directly from Java, not from a shell. So you can have spaces in the JVM option and it will be treated as a single option, no need to use quotes.

OndroMih avatar Nov 18 '23 00:11 OndroMih

G’day,

You are right. The 'steps to reproduce' state that removing the quotes makes the problem go away.

However, the syntax of the option (-Djava.security.policy=/Applications/CLT/LocalLoMAppS/RunTime/ServerResources/policy.txt) follows that of a command line JVM option for the particular platform in use. (I doubt that using Windows file path separators in the option on a Mac platform would work.) So you, or at least I, would expect that syntax variants valid on the command line would be accepted. As such I would expect quotes to be handled as they would on the command line. I accept that glassfish doesn’t run the command directly but that implementation is unknown to the user. The user would expect to have to follow command line syntax conventions appropriate to their platform, including quoting space-filled paths, using a leading path separator to indicate an absolute path, etc. If the error resulting from putting quotes returned a more obvious error, such as ‘invalid file path’ or ‘file not found’, whether or not glassfish handled the quotes would be of no consequence as diagnosing the error would be easy.


Blavo avatar Nov 18 '23 21:11 Blavo

This issue has been marked as inactive and old and will be closed in 7 days if there is no further activity. If you want the issue to remain open please add a comment.

github-actions[bot] avatar Nov 18 '24 00:11 github-actions[bot]
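
A pre-start check for the failure described in this issue, as an added example that is not part of the thread or of GlassFish itself: it reads the jvm-options elements of a domain.xml, finds java.security.policy, and flags a quoted value or a missing file before the server is restarted. The function name, the sample XML and the message strings are assumptions made for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample input (illustrative, not copied from a real server).
SAMPLE = """<domain><configs><config name="server-config"><java-config>
  <jvm-options>-Djava.security.manager</jvm-options>
  <jvm-options>-Djava.security.policy="/Applications/glassfish7/glassfish/domains/domain1/config/server.policy"</jvm-options>
  <jvm-options>-Dexample.other=${com.sun.aas.instanceRoot}/x</jvm-options>
</java-config></config></configs></domain>"""

# Accepts both "=" and the "==" (replace default policy) forms of the option.
POLICY_OPT = re.compile(r"-Djava\.security\.policy==?(.*)", re.S)


def audit_policy_options(domain_xml, exists=os.path.exists):
    """Return a list of (jvm_option, problem) for suspicious policy settings."""
    root = ET.fromstring(domain_xml)
    options = [(e.text or "").strip() for e in root.iter("jvm-options")]
    # The empty-Policy failure only matters when a security manager is enabled.
    manager_on = any(o.startswith("-Djava.security.manager") for o in options)
    findings = []
    for opt in options:
        m = POLICY_OPT.fullmatch(opt)
        if not m:
            continue
        value = m.group(1)
        if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
            # No shell strips these, so they end up inside the path itself.
            problem = "value is quoted; the quotes are kept as part of the path"
        elif "${" in value or re.match(r"[A-Za-z]{2,}:", value):
            continue  # unresolved property or URL form: cannot be checked here
        elif not exists(value):
            problem = "policy file does not exist"
        else:
            continue
        if manager_on:
            problem += " (security manager enabled: expect permission failures)"
        findings.append((opt, problem))
    return findings


if __name__ == "__main__":
    for opt, problem in audit_policy_options(SAMPLE):
        print(f"{opt}\n  -> {problem}")
```

The `exists` parameter defaults to `os.path.exists`, so pointing the function at the text of a real domain.xml checks the path on the local filesystem.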