Cloud security when using retrieveURL

10
I'm trying to perform a POST request to a URL to retrieve some XML, using the CommunityCommons "retrieveURL" Java action. When I have "emulate cloud security" set to off everything works fine; however, with this option set to on I'm getting the following error: java.security.AccessControlException: access denied (java.net.SocketPermission xxxxx.xxx.com:443 connect,resolve). Subsequently, when committing to the cloud environment the function doesn't work. How should I go about preventing this from happening and getting everything working?
asked
1 answers
11

A little background information on cloud security and how the "emulate cloud security" option works should shed a little light. By default, sockets and file access in the standard cloud are blocked. This means that you have to request them on a per-case basis. The way we block these IO requests is through a Java policy file. When you deploy your app, we check to see if your app has any exceptions and, if we find them, we add them to your policy file on the fly.

The "emulate cloud security" option mimics this behavior by generating a minimal Java policy file that matches the situation in the cloud if you haven't requested any custom permissions. This is to help you gauge whether it will run out of the box or if you need some custom permissions. So, you will be able to use the httpclient you're referring to (I'm assuming you simply want to do some HTTP calls to some servers) but, by default, only in the cloud and only if you ask us to open the permissions.

That being said, if you want to be completely sure about whether this is the case, you can in fact edit the policy file that you have on your PC. I don't know the exact address (if you can't find it let me know and I'll look it up), but it's somewhere under c:\Program Files\Mendix\xxxversion\runtime.policy if I'm not mistaken. There you can add lines such as the following to the final grant block in the file (between the curly braces):

permission java.net.SocketPermission "xxxx.xxx:443", "connect";

This should result in a file that looks something like this:

grant codeBase "file:${{java.ext.dirs}}/sunjce_provider.jar" {
        permission java.security.AllPermission;
};

grant codeBase "file:${{java.ext.dirs}}/sunmscapi.jar" {
        permission java.security.AllPermission;
};

grant codeBase "file:/%MENDIX_INSTALL_DIR%/-" {
  permission java.security.AllPermission;
};

grant {
  permission java.io.FilePermission "%PROJECT_DEPLOYMENT_DIR%/data/tmp/-", "read, write, delete, execute";
  permission java.io.FilePermission "%PROJECT_DEPLOYMENT_DIR%/model/resources/-", "read";
  permission java.io.FilePermission "%PROJECT_DEPLOYMENT_DIR%/model/lib/-", "read";
  permission java.net.SocketPermission "xxxxx.xxx:443", "connect";
};

When you redeploy, this policy file will be picked up and you should be able to perform HTTP calls to the server you've specified. At the moment this is somewhat cumbersome; there's already a ticket in place which will make this easier in a future version of Mendix.

answered
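The check below is an added example, not part of the original answer or of Mendix: it takes the text of an AccessControlException like the one in the question and reports whether any SocketPermission grant in a policy file covers it, which helps keep grants as narrow as the single host and port the app needs. The host api.example.com, the sample policy and all function names are assumptions; host matching is a simplified model (exact name or leading "*" wildcard, no DNS canonicalization, no IPv6 literals).

```python
import re

# Constructed sample: a final grant block like the one in the answer, placeholder host.
POLICY = '''
grant {
  permission java.io.FilePermission "%PROJECT_DEPLOYMENT_DIR%/model/lib/-", "read";
  permission java.net.SocketPermission "api.example.com:443", "connect";
};
'''

DENIED = re.compile(r"access denied \(java\.net\.SocketPermission (\S+) ([\w,]+)\)")
GRANT = re.compile(r'permission\s+java\.net\.SocketPermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def split_target(target):
    """Split 'host:port' or 'host:lo-hi' into (host, lo, hi); no port means all ports."""
    host, _, ports = target.partition(":")
    if not ports:
        return host.lower(), 0, 65535
    lo, dash, hi = ports.partition("-")
    if not dash:
        return host.lower(), int(lo), int(lo)
    return host.lower(), int(lo or 0), int(hi or 65535)

def actions(text):
    """Parse an action list; 'resolve' is implied by any other action."""
    acts = {a.strip().lower() for a in text.split(",") if a.strip()}
    return acts | {"resolve"}

def host_matches(granted, wanted):
    if granted.startswith("*"):  # "*" or "*.example.com"
        return wanted.endswith(granted[1:])
    return granted == wanted

def is_covered(policy_text, exception_message):
    """True if a SocketPermission grant in policy_text covers the denied permission."""
    m = DENIED.search(exception_message)
    if not m:
        raise ValueError("no SocketPermission denial found in message")
    w_host, w_lo, w_hi = split_target(m.group(1))
    w_acts = actions(m.group(2))
    for target, acts in GRANT.findall(policy_text):
        g_host, g_lo, g_hi = split_target(target)
        if (host_matches(g_host, w_host) and g_lo <= w_lo and w_hi <= g_hi
                and w_acts <= actions(acts)):
            return True
    return False
```

A grant of "connect" alone covers the "connect,resolve" request from the error message, so there is no need to add "resolve" or widen the port range.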