This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
DynamicJava requires to construct its own class loader, what is not allowed by the Netbeans security environment. Executing the following `DynamicJava' script in the scripting console results in a security exception. public class C { } C c = new C(); The relevant `DynamicJava' code is: package koala.dynamicjava.interpreter; ... public class TreeCompiler { ... public TreeCompiler(Interpreter i) { ... /* the following line creates a new ClassLoader, what is not allowed */ classInfoLoader = new ClassInfoLoader(); } ... protected class ClassInfoLoader extends ClassLoader { ... } ... } The exception thrown is: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:542) at org.netbeans.core.execution.TopSecurityManager.checkPermission(Unknown Source) at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:607) at java.lang.ClassLoader.<init>(ClassLoader.java:243) at koala.dynamicjava.interpreter.TreeCompiler$ClassInfoLoader.<init>(TreeCompiler.java:315) at koala.dynamicjava.interpreter.TreeCompiler.<init>(TreeCompiler.java:77) at koala.dynamicjava.interpreter.TreeInterpreter.loadClass(TreeInterpreter.java:466) at koala.dynamicjava.interpreter.TreeClassLoader.findClass(TreeClassLoader.java:167) at java.lang.ClassLoader.loadClass(ClassLoader.java:306) at java.lang.ClassLoader.loadClass(ClassLoader.java:262) at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:322) at D.<init>(Unknown Source) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:274) at koala.dynamicjava.interpreter.context.GlobalContext.invokeConstructor(GlobalContext.java:577) at koala.dynamicjava.interpreter.EvaluationVisitor.visit(EvaluationVisitor.java:686) at koala.dynamicjava.tree.SimpleAllocation.acceptVisitor(SimpleAllocation.java:99) at koala.dynamicjava.interpreter.EvaluationVisitor.visit(EvaluationVisitor.java:427) at koala.dynamicjava.tree.VariableDeclaration.acceptVisitor(VariableDeclaration.java:193) at koala.dynamicjava.interpreter.TreeInterpreter.interpret(TreeInterpreter.java:148) at org.netbeans.modules.scripting.DynamicJavaScriptType.eval(Unknown Source) at org.netbeans.modules.scripting.AbstractScriptType.exec(Unknown Source) at org.openide.execution.ScriptType.exec(Unknown Source) at org.netbeans.modules.scripting.ScriptUtils$3.run(Unknown Source) [catch] at org.netbeans.core.execution.RunClassThread.run(Unknown Source)
hmm.. what version of netbeans are you using? it works for me in the dev build 200206030100. I think I've done some fixes that deal with the issue in the 3.4 codebase. please try to modify the Netbeans/bin/ide.policy file grant all permissions to everyone grant codeBase "file:/-" { permission java.security.AllPermission; };
I'm sorry, I've tried the example with Beanshell, rather than dynamic java.. it doesn't work for me either.. I've searched the history of bugs and I think your problme is a duplicate of #19133. please add the switch -J-Dnetbeans.security.nocheck=true to your ide.cfg file and it should work, however there's more to the problem of DynamicJava, for details and how to workaround the problme see #19133 *** This issue has been marked as a duplicate of 19133 ***
Thanks for your answer and the hint to issue 19133. Your analysis given there of the exception appearing after -J-Dnetbeans.security.nocheck=true has been added to ide.cfg is clear and corresponds to my own thoughts. But the first exception reported in issue 19133 seems strange to me. It appears when -J-Dnetbeans.security.nocheck=true is not added to ide.cfg. It is identical to the exception I reported in this issue. This exception is thrown because access is denied to create a new class loader. Why is access denied to create a new class loader ? The ide.policy explicitely provides all permissions to all local files and also the TopSecurityManager does not disallow class loader creation. So why this problem ? The answer seems to be that an entry like grant codeBase "file:/-" { permission java.security.AllPermission; }; seems not to be sufficient. If I try: grant { permissions java.lang.RuntimePermission "createClassLoader"; }; grant codeBase "file:/-" { permission whatever-appropriate; }; the first exception does not appear and I get the second one. Hence it is not necessary to add -J-Dnetbeans.security.nocheck=true to ide.cfg. It suffices to add grant { permissions java.lang.RuntimePermission "createClassLoader"; }; to the policy file. This allows all classes, not only those retrieved from a local file but also dynamically generated ones to create a class loader. Unfortunately this permission is quite heavy and one would like to add it only to the classes created by the DynamicJava interpreter. Is it possible to add the `createClassLoader' permission only to DynamicJava generated classes ?
Thanks for the analysis, Holger. I must admit I don't have deep knowledge of security managers, I've CCed people that could answer your questions. Jesse I wonder if that's worth the fix in ide.cfg..
I think this is a clear duplicate of #19133, right? where the details are covered nicely. Adding general permission to create new classloaders to ide.cfg is unacceptable for security reasons, and should not be necessary if #19133 is fixed properly.
Hi Jesse, yes it is a duplicate of #19133. I added a DynamicJava patch to #19133 which, if applied to DynamicJava, would solve the problems without compromising security at all. Holger
Resolved for 3.4.x or earlier, no new info since then -> closing.