HPE Community
Operating System - OpenVMS
1819847 Members
2637 Online
109607 Solutions
New Discussion юеВ

Re: Java calls not recognizing rights ID and ACL's

 
Nancy J. Wick
Occasional Contributor

тАО11-18-2005 08:37 AM

тАО11-18-2005 08:37 AM

Java calls not recognizing rights ID and ACL's

Java calls for .canWrite and .canRead seem to only be recognizing the UIC and DCL protection mask and not looking at the rights identifier ownership and ACL associated with files. This is causing application to fail. Is there anything within JAVA configuration where this can be addressed? Running OpenVMS 7.3-2 JRE - 1.4-2.
0 Kudos
Reply
2 REPLIES 2
Jan van den Ende
Honored Contributor

тАО11-18-2005 08:59 PM

тАО11-18-2005 08:59 PM

Re: Java calls not recognizing rights ID and ACL's

Nancy,

This calls back memories from UCX 4.1 or 4.2.
(I DO remember it was fixed in one of the last UCX versions, before the migration to TCP/IP Services.)

Although that was about ftp access, I am guessing that the same mechanism applies.

Way back then it also was clear that ftp access check ignored ACLs.

The workaround for us was:

-Make your ACL giving access exactly as is needed.
-Make sure the last ACE in the ACL is
IDENT=*,ACCESS=NONE
-Make a UIC-based protection, at least so widely open that based upon that alone, anybody needing access is allowed. (applies for all upper directories as well)

Now the access checks within ftp, and presumably in JAVA, permits the access.
Then, when the actual access is executed, RMS applies the full access checking, and if applicable, will block access based upon the ACCESS=NONE.
Bear in mind though, that cf the Security Manual, access via the SYSTEM mask (by SYSPRV or GRPPRV) can NOT be blocked in this way. However I ever never been able to construct any example of such a situation, so it is unlikely that that will become an issue.

The downsides:
- It can become rather tedious to sort out the exact settings
- It involves extra work
- If you ever get a Security Survey, it can become VERY hard to explain, especially if all the surveyor knows is: check protection masks! (I 've been there!)

hth,

(and let me/us know if it REALLY does apply, or that my analogy guess was not applicable, please?)

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
John Gillings
Honored Contributor

тАО11-20-2005 07:35 AM

тАО11-20-2005 07:35 AM

Re: Java calls not recognizing rights ID and ACL's

Nancy,

Could you please create a reproducer for this? Ideally a self contained command procedure that will create a file with appropriate protection and ACL, then a Java program that demonstrates the problem you're seeing. Document the behaviour that you have on your system, and the behaviour you're expecting.

Log a case with your local customer support centre so they can diagnose the problem and/or elevate it to engineering.
A crucible of informative mistakes
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.