Security manager changes :: Java DB / Derby – Access Denied

Security manager installed using the Basic server security policy.
access denied ("""localhost:1527""listen,resolve")

Java 7u51 contains changes in the security manager. It was allowed to use ports >1024. Now this port range was moved much higher. To be able to use lower ports there has to be a line in java.policy which is located in $JAVA_HOME/jre/lib/security

Here the official release notes from

“Change in Default Socket Permissions

The default socket permissions assigned to all code including untrusted code have been changed in this release. Previously, all code was able to bind any socket type to any port number greater than or equal to 1024. It is still possible to bind sockets to the ephemeral port range on each system. The exact range of ephemeral ports varies from one operating system to another, but it is typically in the high range (such as from 49152 to 65535). The new restriction is that binding sockets outside of the ephemeral range now requires an explicit permission in the system security policy.

Most applications using client tcp sockets and a security manager will not see any problem, as these typically bind to ephemeral ports anyway. Applications using datagram sockets or server tcp sockets (and a security manager) may encounter security exceptions where none were seen before. If this occurs, users should review whether the port number being requested is expected, and if this is the case, a socket permission grant can be added to the local security policy, to resolve the issue.”

Here an example entry to allow derby to use it’s port again:

grant {
   permission "localhost:1527", "listen,resolve";

Leave a Comment