Known Participant

Question

odd behavior with xmlParse and CF 2016

Forum|Forum|6 years ago
January 24, 2020
4 replies
1538 views

We recently upgraded from CF 11 to CF 2016. Occasionally we are getting this error access denied ("java.io.FilePermission"... when trying to parse an in memory xml string. We have our application sandboxed, so we don't get this error when sandboxing is turned off but we do get when sandboxing is turned on. We are using jre1.8.0_221. Any ideas on what could be causing this and how we can fix it?

This topic has been closed for replies.

BKBK

Community Expert

Hi justinh94069848,

Could you share with us the error in full, that is, the stacktrace?

justinh94069848Author

Known Participant

java.security.AccessControlException: access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read") at java.security.AccessControlContext.checkPermission(Unknown Source) at java.security.AccessController.checkPermission(Unknown Source) at java.lang.SecurityManager.checkPermission(Unknown Source) at java.lang.SecurityManager.checkRead(Unknown Source) at java.io.File.exists(Unknown Source) at coldfusion.xml.XmlProcessor.getSourceURL(XmlProcessor.java:444) at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:254) at coldfusion.xml.XmlProcessor.parse(XmlProcessor.java:246) at coldfusion.runtime.CFPage.XmlParse(CFPage.java:265) at cfCAS2ecfc850593689$funcSERVICETICKETVALIDATE.runFunction(z:\file_path_scrubbed\models\CAS.cfc:58) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224) at cfCAS2ecfc2135509330$funcVALIDATE.runFunction(z:\file_path_scrubbed\services\CAS.cfc:74) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:539) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:659) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:468) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3169) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3144) at cfAuthenticatorCAS2ecfc1315165634$funcCHECKLOGINSTATUS.runFunction(z:\file_path_scrubbed\models\AuthenticatorCAS.cfc:29) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3247) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224) at cfApplication2ecfc1662216193$funcSETUPREQUEST.runFunction(z:\file_path_scrubbed\Application.cfc:1050) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677) at cfframework2ecfc1873529245$funcSETUPREQUESTWRAPPER.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:1728) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677) at cfframework2ecfc1873529245$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\org\corfield\framework.cfc:769) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3697) at coldfusion.runtime.CfJspPage._invokeUDF(CfJspPage.java:3677) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3267) at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:3224) at cfApplication2ecfc1662216193$funcONREQUESTSTART.runFunction(z:\file_path_scrubbed\Application.cfc:960) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:493) at coldfusion.runtime.UDFMethod$ReturnTypeFilter.invoke(UDFMethod.java:426) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:389) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:95) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:340) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:235) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:654) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:443) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:413) at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:114) at coldfusion.runtime.AppEventInvoker.onRequestStart(AppEventInvoker.java:285) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:473) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:153) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:94) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:62) at coldfusion.CfmServlet.service(CfmServlet.java:223) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at sun.reflect.GeneratedMethodAccessor76.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor68.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Unknown Source) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:356) at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:507) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Unknown Source)

justinh94069848Author

Known Participant

Here is the error message

access denied ("java.io.FilePermission" "z:\file_path_scrubbed\models\<cas:serviceResponse xmlns:cas='http:\www.urlscrubbed.com'> <cas:authenticationSuccess> <cas:user>scrub.user<\cas:user> <\cas:authenticationSuccess> <\cas:serviceResponse> " "read")

BKBK

Community Expert

It is a surprising error, given that the XML is a string in memory. Report this as a bug.

In the meantime, verify that the isn't caused elsewhere. For example, where a file is read, whose string content is later parsed to XML.

justinh94069848Author

Known Participant

We are reading XML files in just fine, and writting xml files just fine where sandboxing allows (outside our application directory). We have our sever severely locked down, no files are allowed to be written to same directory as the application code. What is odd is that with sandboxing turned off we don't get the error, so ColdFusion isn't really writting anything to directory, it doesn't have permissions. However, we only get the error with sandboxing turned on. Also an odd twist, if I restart the server the error goes away.

The same error also occurs with deserializeXML as well. We've run into issue with xml2struct not acting as expected as well.

Dave Watts

Community Expert

Like I said earlier, it would not surprise me if CF is writing these to temp files even though you're not specifying you want it to do so. This is kind of a standard "interface vs implementation" kind of thing. XML files can be big.

If you can't find where these temp files are being written, you could open a ticket as suggested and find out that way (or perhaps find out that this isn't the cause of the problem at all - I could very well be wrong). In the meantime, you can do things like monitor your filesystem using Process Monitor:

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

You could also make guesses about where you think the temp files would be located, and add those directories and their subdirectories to your sandbox.

Dave Watts, Eidolon LLC

Dave Watts

Community Expert

I gave a vague answer about this kind of problem recently. I'm sorry I don't have more information to help. But sandboxing has all kinds of behind-the-scenes stuff to enable or disable various things, and it's just not documented very well anywhere as far as I've seen. There was a guy a while back named Russ Michaels, and he had a pretty good list of these undocumented items that he'd run into. You might search for those messages ("russ michaels sandbox coldfusion" might be a good query). I honestly haven't worked with sandboxes well enough to learn this stuff myself.

My guess here is that the XML document is being written to the filesystem, even though it appears to be in memory. So, wherever it's being written down, you'd need to include that folder. If the error message doesn't explicitly list this location per Charlie's suggestion, I'd look for the temp folders that CF uses, and include those explicitly.

Dave Watts, Eidolon LLC

Charlie Arehart

Community Expert

The error should show the file whose permission was not sufficient. It may be something inside of CF. Have you tried adding that folder to your sandbox, allowing it to be accessed?

/Charlie (troubleshooter, carehart. org)

justinh94069848Author

Known Participant

Hi Charlie,

There is no file. We are recieveing the XML back in the response from another server. The XML is always in string "memory" format it never exists in file format. We have our sever severely locked down, no files are allowed to be written to same directory as the application code. What is odd is that with sandboxing turned off we don't get the error, so ColdFusion isn't really writting anything to directory, it doesn't have permissions. However, we only get the error with sandboxing turned on. Also an odd twist, if I restart the server the error goes away.

Sign up

To post, reply, or follow discussions, please sign in with your Adobe ID.

Sign in to Adobe Community

To post, reply, or follow discussions, please sign in with your Adobe ID.

Scanning file for viruses.

This file cannot be downloaded