Menu
In the past, I have started jstatd via a security policy file, as suggested here: https://stackoverflow.com/a/14930180/1294116
However, in Java 9+, they have removed the tools.jar file, which means that this solution no longer works. Does anyone know how to get around this? (Currently I am back to getting the error java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.rmi.server.ignoreSubClasses" "write") ...)
490
See Options for the jstatd Command. The jstatd command is an RMI server application that monitors for the creation and termination of instrumented Java HotSpot VMs and provides an interface to enable remote monitoring tools, jstat and jps, to attach to JVMs that are running on the local host and collect information about the JVM process.
Here are some examples of starting jstatd. Note that the jstatd scripts automatically start the server in the background. This example demonstrates starting jstatd with an internal RMI registry. This example assumes that no other server is bound to the default RMI Registry port (port 1099).
The policy file must conform to the default policy implementation’s Policy File Syntax. The policy file can be specified with the -J-Djava.security.policy=file The following policy file will allow the jstatd server to run without any security exceptions.
The jstatd server installs an instance of RMISecurityPolicy if no other security manager has been installed and therefore requires a security policy file to be specified. The policy file must conform to the default policy implementation’s Policy File Syntax. The policy file can be specified with the -J-Djava.security.policy=file
The following policy file should work for you (at least under Java 11):
grant codebase "jrt:/jdk.jstatd" {
permission java.security.AllPermission;
};
grant codebase "jrt:/jdk.internal.jvmstat" {
permission java.security.AllPermission;
};
Thanks to Sebastian S for pointing out jdk.internal.jvmstat also needed to be granted the appropriate permission and for confirming the above works. Thanks to Gili for the latter as well.
As shown below, the tools.jar file was removed and everything in it was split up into modules. The jstatd tool now resides in the jdk.jstatd module. I couldn't find documentation regarding how it was determined which tool(s) went into which module, though the Javadoc does tell you after-the-fact. Just note that some modules contain the code for a single tool while other modules contain the code for multiple tools.
From the Policy File Syntax documentation:
If you are using a modular runtime image (see the
jlinktool), you can grant permissions to the application and library modules in the image by specifying ajrtURL as thecodeBasevalue in a policy file. See JEP 220: Modular Run-Time Images for more information aboutjrtURLs.The following example grants permission to read the
fooproperty to the modulecom.greetings:grant codeBase "jrt:/com.greetings" { permission java.util.PropertyPermission "foo", "read"; };
From JEP 200: The Modular JDK:
Design principles
The modular structure of the JDK implements the following principles:
- Standard modules, whose specifications are governed by the JCP, have names starting with the string
"java.".- All other modules are merely part of the JDK, and have names starting with the string
"jdk.".[...]
From JEP 220: Modular Run-Time Images:
Summary
Restructure the JDK and JRE run-time images to accommodate modules and to improve performance, security, and maintainability. Define a new URI scheme for naming the modules, classes, and resources stored in a run-time image without revealing the internal structure or format of the image. Revise existing specifications as required to accommodate these changes.
[...]
Removed: rt.jar and tools.jar
The class and resource files previously stored in
lib/rt.jar,lib/tools.jar,lib/dt.jar, and various other internal JAR files are now stored in a more efficient format in implementation-specific files in thelibdirectory. The format of these files is not specified and is subject to change without notice.The removal of
rt.jarand similar files leads to three distinct problems:
[...]
The
java.security.CodeSourceAPI and security-policy files use URLs to name the locations of code bases that are to be granted specified permissions. Components of the run-time system that require specific permissions are currently identified in thelib/security/java.policyfile via file URLs. The elliptic-curve cryptography provider, e.g., is identified asfile:${java.home}/lib/ext/sunec.jarwhich, obviously, has no meaning in a modular image.
[...]
New URI scheme for naming stored modules, classes, and resources
To address the above three problems a new URL scheme,
jrt, can be used to name the modules, classes, and resources stored in a run-time image without revealing the internal structure or format of the image.A
jrtURL is a hierarchical URI, per RFC 3986, with the syntaxjrt:/[$MODULE[/$PATH]]where
$MODULEis an optional module name and$PATH, if present, is the path to a specific class or resource file within that module. The meaning of ajrtURL depends upon its structure:
[...]
jrt:/$MODULErefers to all of the class and resource files in the module$MODULE.[...]
These three forms of
jrtURLs address the above problems as follows:
[...]
Security-policy files and other uses of the
CodeSourceAPI can usejrtURLs to name specific modules for the purpose of granting permissions. The elliptic-curve cryptography provider, e.g., can now be identified by thejrtURLjrt:/jdk.crypto.ecOther modules that are currently granted all permissions but do not actually require them can trivially be de-privileged, i.e., given precisely the permissions they require.
[...]
Both JEP 200 and JEP 220 were part of Project Jigsaw.
50
I found one (questionable) solution to this:
grant {
permission java.security.AllPermission;
};
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With