Java Security AccessControlException at rule execution time

[Benjamin Voiturier]

Hello,

 

We are using Drools 6.1.0.Final in a Java EE application running on Websphere Aplication Server V8.5.5.3.

The WAS instance runs with the Java Security Manager enabled and with a container-level policy that denies more or less everything.

We can however grant specific permissions to our application's codebase using an application level policy file.

 

The issue we have is that we sometimes (randomly) get an AccessControlException at rule execution time (cf. Stacktrace below)

 

The denied permission is:

modifyThreadGroup : Access denied ("java.lang.RuntimePermission" "modifyThreadGroup")

and the involved class (which is a Drools generated class) is:

com.acme.decisiontable.risk_score_per_rule.Rule_s_321807163820DefaultConsequenceInvokerGenerated  in  {null code URL}

The obvious solution would be to grant the "modifyThreadGroup" permission to the codebase via application level policy, but the problem here is that the codebase for the Drools generated class is null. No permission grant is therefore possible.

Any idea how we could circumvent this problem?

Thanks in advance for your support!

 

Kind regards,
Benjamin

 

================================

Here is the permission denied stacktrace with Drools generated class part in bold:

java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "modifyThreadGroup")
 at java.security.AccessController.throwACE(AccessController.java:100)
 at java.security.AccessController.checkPermission(AccessController.java:174)
 at java.lang.SecurityManager.checkPermission(SecurityManager.java:562)
 at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:208)
 at com.ibm.ws.security.core.SecurityManager.checkAccess(SecurityManager.java:407)
 at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:226)
 at java.lang.Thread.initialize(Thread.java:369)
 at java.lang.Thread.<init>(Thread.java:293)
 at java.lang.Thread.<init>(Thread.java:156)
 at org.drools.core.concurrent.ExecutorProviderImpl$DaemonThreadFactory.newThread(ExecutorProviderImpl.java:44)
 at java.util.concurrent.ThreadPoolExecutor$Worker.<init>(ThreadPoolExecutor.java:636)
 at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:955)
 at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1412)
 at org.drools.core.rule.constraint.MvelConstraint.jitEvaluator(MvelConstraint.java:248)
 at org.drools.core.rule.constraint.MvelConstraint.evaluate(MvelConstraint.java:213)
 at org.drools.core.rule.constraint.MvelConstraint.isAllowed(MvelConstraint.java:173)
 at org.drools.core.reteoo.AlphaNode.assertObject(AlphaNode.java:134)
 at org.drools.core.reteoo.SingleObjectSinkAdapter.propagateAssertObject(SingleObjectSinkAdapter.java:60)
 at org.drools.core.reteoo.AlphaNode.assertObject(AlphaNode.java:138)
 at org.drools.core.reteoo.CompositeObjectSinkAdapter.doPropagateAssertObject(CompositeObjectSinkAdapter.java:502)
 at org.drools.core.reteoo.CompositeObjectSinkAdapter.propagateAssertObject(CompositeObjectSinkAdapter.java:387)
 at org.drools.core.reteoo.ObjectTypeNode.assertObject(ObjectTypeNode.java:288)
 at org.drools.core.reteoo.EntryPointNode.assertObject(EntryPointNode.java:251)
 at org.drools.core.common.NamedEntryPoint.insert(NamedEntryPoint.java:367)
 at org.drools.core.common.NamedEntryPoint.insert(NamedEntryPoint.java:286)
 at org.drools.core.impl.StatefulKnowledgeSessionImpl.insert(StatefulKnowledgeSessionImpl.java:1430)
 at org.drools.core.base.DefaultKnowledgeHelper.insert(DefaultKnowledgeHelper.java:222)
 at org.drools.core.base.DefaultKnowledgeHelper.insert(DefaultKnowledgeHelper.java:216)
 at com.acme.decisiontable.risk_score_per_rule.Rule_s_24435790878.defaultConsequence(Rule_s_24435790878.java:10)
 at com.acme.decisiontable.risk_score_per_rule.Rule_s_24435790878DefaultConsequenceInvokerGenerated.evaluate(Unknown Source)
 at com.acme.decisiontable.risk_score_per_rule.Rule_s_24435790878DefaultConsequenceInvoker.evaluate(Unknown Source)
 at org.drools.core.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1046)
 ... 19 more