Aws-sdk-java: AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader") on EC2 Amazon Web Services

Created on 5 Aug 2017 · 10 Comments · Source: aws/aws-sdk-java

I have a Java WebApp that uses some JVM Sandboxing and it works on my local machine.

Also, I can generate a fat jar and run it like java -jar my-app.jar, and that works too.

I have the policy file:

grant {
  permission java.security.AllPermission;
};

And I gave FullEC2Access (from Policies) to my EC2 instance, no luck.

I use Elastic Beanstalk.

When I deploy to an Amazon EC2 (t2.medium) instance, I get the following error:

Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[na:1.8.0_131]
    at java.security.AccessController.checkPermission(AccessController.java:884) ~[na:1.8.0_131]
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[na:1.8.0_131]
    at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611) ~[na:1.8.0_131]
    at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274) ~[na:1.8.0_131]
    at java.lang.ClassLoader.<init>(ClassLoader.java:316) ~[na:1.8.0_131]
    at java.security.SecureClassLoader.<init>(SecureClassLoader.java:76) ~[na:1.8.0_131]
    at java.net.URLClassLoader.<init>(URLClassLoader.java:100) ~[na:1.8.0_131]
    at clojure.lang.DynamicClassLoader.<init>(DynamicClassLoader.java:41) ~[na:na]
    at clojure.lang.RT$7.run(RT.java:2126) ~[na:na]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_131]

All 10 comments

Hello ertugrulcetin. Any luck getting a fat jar deployed yet using EB? I am having a similar issue.

@tmancini yeah, it turned out I wasn't providing the policy file in the first place. So I ended up creating a Dockerfile, zipping my files (Dockerfile, fat.jar, policy file, other external needed files) into a .zip, then uploading the zip to Amazon Beanstalk (using their Docker deployment).

I definitely have my policy file packaged within the JAR, but maybe I will give Docker a shot. Thank you.

It should not be packed within the jar file, that's the problem. Basically you need to start java like this:

java -Djava.security.policy=/path-to/example.policy -jar my-app.jar

This means the policy file and the .jar have to be in the same top-level path, so it can't be packed into the jar.

That makes perfect sense. Would you mind sharing your Dockerfile?

Here (also, you need your external files such as the .jar and the policy file; zip them at the same level and deploy to AWS):

FROM ubuntu:15.04

RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y  software-properties-common && \
    add-apt-repository ppa:webupd8team/java -y && \
    apt-get update && \
    echo oracle-java8-installer shared/accepted-oracle-license-v1-1 select true | /usr/bin/debconf-set-selections && \
    apt-get install -y oracle-java8-installer && \
    apt-get clean


ADD my-app.jar  /root/.my-app/my-app.jar
ADD example.policy /root/.my-app/example.policy
# ADD your other needed files......

# Define commonly used JAVA_HOME variable
ENV JAVA_HOME /usr/lib/jvm/java-8-oracle
ENV AWS_ACCESS_KEY_ID YOUR-ID
ENV AWS_SECRET_ACCESS_KEY YOUR-KEY

EXPOSE 3000

# Define default command.
CMD exec java -server \
              -Djava.security.policy=/root/.my-app/example.policy \
              -XX:+UseConcMarkSweepGC \
              -XX:+CMSParallelRemarkEnabled \
              -XX:+UseCMSInitiatingOccupancyOnly \
              -XX:CMSInitiatingOccupancyFraction=70 \
              -XX:+ScavengeBeforeFullGC \
              -XX:+CMSScavengeBeforeRemark \
              -jar /root/.my-app/my-app.jar

Thank you!

Is there any outstanding issue here @tmancini or @ertugrulcetin?

@spfink nope it's our fault

Glad you guys were able to work it out!
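
A startup check for the failure this thread resolved, as an added example that is not part of the original comments or of the AWS SDK: it reports whether the file named by -Djava.security.policy exists and whether the effective policy grants createClassLoader to the application's own code. It assumes Java 8 (the runtime in the stack trace) and a plain file path as the property value; the class name PolicyCheck is hypothetical.

```java
import java.io.File;
import java.security.Permission;
import java.security.Policy;

// Added example, not code from the thread. Assumes Java 8 (1.8.0_131 in the stack trace)
// and a plain file path in java.security.policy; the class name PolicyCheck is hypothetical.
public class PolicyCheck {

    /** Resolve -Djava.security.policy to a file path, or null if the property is unset. */
    static String policyPath() {
        String prop = System.getProperty("java.security.policy");
        if (prop == null) return null;
        // -Djava.security.policy==file (two '=') makes the file replace the default
        // policies; the second '=' stays in the property value, so strip it here.
        return prop.startsWith("=") ? prop.substring(1) : prop;
    }

    /** True if the effective policy grants p to this application's own code. */
    static boolean granted(Permission p) {
        // Policy.getPolicy() loads the default policy plus the file named by
        // java.security.policy; no SecurityManager has to be installed for this query.
        return Policy.getPolicy().implies(PolicyCheck.class.getProtectionDomain(), p);
    }

    public static void main(String[] args) {
        String path = policyPath();
        if (path == null) {
            System.err.println("java.security.policy is not set: only the JRE default policy applies");
        } else if (!new File(path).isFile()) {
            // A missing policy file does not stop the JVM; it falls back to the default policy.
            System.err.println("policy file not found: " + new File(path).getAbsolutePath());
        } else {
            System.out.println("policy file: " + new File(path).getAbsolutePath());
        }
        Permission needed = new RuntimePermission("createClassLoader");
        if (!granted(needed)) {
            System.err.println("NOT granted: " + needed + " (expect the AccessControlException once the sandbox is active)");
            System.exit(1);
        }
        System.out.println("granted: " + needed);
    }
}
```

Run it with the same -Djava.security.policy argument and classpath the application is launched with; exit status 1 means the grant is missing.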
