18.4.6. Java Security

Java classes are hosted in one of two modes: restricted or unrestricted.


Java class permissions are managed by security classes that fall into the following categories, each listed with its managing class:

File - java.io.FilePermission
Socket - java.net.SocketPermission
Net - java.net.NetPermission
Security - java.security.SecurityPermission
Runtime - java.lang.RuntimePermission
Property - java.util.PropertyPermission
AWT - java.awt.AWTPermission
Reflect - java.lang.reflect.ReflectPermission
Serializable - java.io.SerializablePermission

Restricted classes are not allowed any of the above privileges. If a hosted Java class attempts a breach of security, Virtuoso returns the error raised by the security manager.
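The following is an added example, not code from the Virtuoso documentation or product. It uses the standard java.security API to show how a permission check resolves for a class that holds none of the permission classes listed above and for one that holds all of them. The class name PermissionModes and the probe values are hypothetical, the two contexts only stand in for the restricted and unrestricted modes, and a JDK that still supports the Security Manager API (earlier than JDK 24) is assumed.

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Added illustration (hypothetical class name); not Virtuoso code.
public class PermissionModes {

    // Context with one protection domain that holds exactly 'perms'.
    static AccessControlContext contextWith(PermissionCollection perms) {
        ProtectionDomain domain = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    // Check one permission against the context; report the denial text if any.
    static String check(AccessControlContext ctx, Permission p) {
        try {
            ctx.checkPermission(p);
            return "granted";
        } catch (AccessControlException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        Permissions none = new Permissions();   // stands in for restricted mode
        Permissions all = new Permissions();    // stands in for unrestricted mode
        all.add(new AllPermission());

        Permission[] probes = {
            new FilePermission("foo", "write"), // the write that Write_file attempts
            new RuntimePermission("exitVM"),
            new PropertyPermission("user.home", "read"),
            new java.lang.reflect.ReflectPermission("suppressAccessChecks"),
            new java.io.SerializablePermission("enableSubstitution"),
        };
        AccessControlContext restricted = contextWith(none);
        AccessControlContext unrestricted = contextWith(all);
        for (Permission p : probes) {
            System.out.println(p.getClass().getName() + " " + p.getName());
            System.out.println("  restricted:   " + check(restricted, p));
            System.out.println("  unrestricted: " + check(unrestricted, p));
        }
    }
}
```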

By default, all Java classes are imported, created and hosted in restricted mode. To create Java class based user defined types that are unrestricted, use the create type syntax with the UNRESTRICTED keyword. The import_jar() function can also be used to import classes; its optional third parameter defines the security mode.

Note:

Virtuoso 3.2 introduced these two security modes, with restricted as the default. Prior to this, Java classes were hosted in unrestricted mode.

Example 18.1. Java Security

The class Write_file, shown below, will attempt to write to a file on the file system. This class will be used to create a user defined type first in unrestricted mode and then in restricted mode to demonstrate how security exceptions are returned.

Source of Write_file.java:

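import java.io.*;

public class Write_file
{
  // Opens the file "foo" for writing; this open is what needs FilePermission.
  public String write ()
    {
      String myFile = "foo";
      File f = new File(myFile);
      DataOutputStream dos;

      try
        {
          dos = new DataOutputStream (new BufferedOutputStream(new FileOutputStream (myFile),128));
          // Release the file handle once the stream has been opened.
          dos.close();
        }
      catch (IOException ioe)
        {
          System.out.println("writeFile: caught i/o exception");
        }

      return "OK";
    }
}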

Create the unrestricted type:

create type "Write_file" language JAVA external name 'Write_file'
  unrestricted METHOD "write" ()
  returns nvarchar external type 'Ljava/lang/String;' external name 'write';

Test calling the method:

SQL> select new Write_file().write();


Now we want to recreate the type in restricted mode, remembering to drop it first:

drop type DB.DBA.write_file;

create type "Write_file" language JAVA external name 'Write_file'
  METHOD "write" ()
  returns nvarchar external type 'Ljava/lang/String;' external name 'write';

Test calling the method:

SQL> select new Write_file().write();

*** Error 42000: [Virtuoso Driver][Virtuoso Server]JV001: Java exception
occurred : java.security.AccessControlException : access denied
(java.io.FilePermission foo write)
in  __udt_method_call:(BIF),
<Top Level>
at line 1 of Top-Level:
select new Write_file().write()

Another way to import the above class is to use the import_jar() function, for example:

import_jar (NULL, 'Write_file', 1) - imports Java classes in unrestricted mode.
import_jar (NULL, 'Write_file') - imports Java classes in restricted mode.