| License Type | SaaS & On-Premise |
| Agent Mode | Assess & Protect |
| Main Product Category | Java Agent |
| Sub Category | Troubleshooting |
Issue
The Java Agent appears not to be working correctly - you may see no vulnerabilities or in some cases the agent may cause issues with the application being instrumented - and you notice ERRORs in the agent's contrast.log file with content similar to these:
java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
java.security.AccessControlException: access denied ("java.lang.management.ManagementPermisssion" "monitor")
or the Java Agent may crash as indicated by an error in the application or application server log similar to the following:
java.security.AccessControlException: access denied ("java.lang.reflect.RuntimePermission" "getProtectionDomain")
Cause
Some users configure their systems with Java 2 Security policies. These policies allow administrators to assign permissions to Java code (jars and classes) to restrict access to sensitive APIs and system resources. See the Java 2 Security documentation for an in-depth guide to this Java SE feature.
As a result of these policies, the Contrast Java Agent may not have the access permissions it requires to be able to function correctly, leading to unexpected behaviors and the errors referenced above.
Resolution
Users must grant the java.security.AllPermission permission to the Contrast Java Agent jar file in order to allow the agent to function properly. The Java policy file syntax for doing so is, for example:
// The file URL following the codeBase keyword must be the absolute path
// to the Contrast agent jar file
grant codeBase "file:/opt/contrast/contrast.jar" {
permission java.security.AllPermission;
};
The path to the Java policy file differs across systems. Well known default locations are as follows:
| System | Path | Notes |
|---|---|---|
| Java SE | $JAVA_HOME/conf/security/java.policy | Built-in security policy that ships with Java. Some systems like Tomcat override this altogether. Not active unless a security manager is installed. See Java Security Architecture for details. |
| Apache Tomcat | $CATALINA_BASE/conf/catalina.policy | Tomcat runs with a security manager when users pass the -security argument to catalina.sh run or catalina.sh start. See Tomcat Security Manager for details. |
| IBM WebSphere | app_server_root/java/lib/security/java.policy | Java 2 Security |
| Oracle WebLogic | $WL_HOME/server/lib/weblogic.policy | Java Security |
java.security.AllPermission to the Contrast Agent, the following Java Policy change will grant permissions not only to the Contrast Agent but to the application code as well:grant {
permission java.security.AllPermission;
};
If issues persist after making this change, please submit a ticket to our online support portal.