Hi all,
I have a problem regarding scheduled Java agents. I have tried searching both here and at Mikkel’s blog. While learning a lot about Java security in Domino, I found no clear answer to this one. So, here goes:
Server was just upgraded from 6.5.5 to 7.0.3.
After that, scheduled Java agents no longer work. They all get this exception:
29.11.2007 10:04:07 Agent Manager: Agent error: java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
29.11.2007 10:04:07 Agent Manager: Agent error: at java.security.AccessControlContext.checkPermission(AccessControlContext.java:292)
29.11.2007 10:04:08 Agent Manager: Agent error: at java.security.AccessController.checkPermission(AccessController.java:476)
29.11.2007 10:04:08 Agent Manager: Agent error: at java.lang.SecurityManager.checkPermission(SecurityManager.java:538)
29.11.2007 10:04:08 Agent Manager: Agent error: at java.lang.Thread.setContextClassLoader(Thread.java:1251)
29.11.2007 10:04:08 Agent Manager: Agent error: at lotus.domino.AgentBase$1.run(Unknown Source)
29.11.2007 10:04:08 Agent Manager: Agent error: at java.security.AccessController.doPrivileged1(Native Method)
29.11.2007 10:04:08 Agent Manager: Agent error: at java.security.AccessController.doPrivileged(AccessController.java:287)
29.11.2007 10:04:08 Agent Manager: Agent error: at lotus.domino.AgentBase.setCurrentLoader(Unknown Source)
29.11.2007 10:04:08 Agent Manager: Agent error: at lotus.domino.AgentBase.runNotes(Unknown Source)
29.11.2007 10:04:08 Agent Manager: Agent error: at lotus.domino.NotesThread.run(Unknown Source)
The same upgrade was performed first on a test server with no problems. Java agents work there perfectly.
I tried adding this line to java.policy:
permission java.lang.RuntimePermission “setContextClassLoader”;
This line is in the default grant{} block and the server was restarted after adding the line. Did not help.
The agents in question have runtime security level 2 at the moment. I tried changing that to level 3 with no effect.
The agent signer has rights to (defined in Server document):
-
run unrestricted methods
-
run restricted LS/Java agents
-
run restricted and unrestricted Java/JS/COM (however, these no longer apply, I presume)
The simplest non-working (test) agent is this:
public class JavaAgent extends AgentBase {
public void NotesMain() {
try {
Session session = getSession();
AgentContext agentContext = session.getAgentContext();
Database db = agentContext.getCurrentDatabase();
Document doc = db.createDocument();
doc.replaceItemValue( "Form", "Test" );
doc.replaceItemValue( "Server", db.getServer() );
doc.save( true, false );
} catch(Exception e) {
e.printStackTrace();
}
}
}
One difference I found between these two servers is that the test server has in its NOTES.INI some JavaUserClasses specified. However, these apparently are related to Sametime installation as they appeared during installation. Also, the Java agents worked on this test server before Sametime.
JavaUserClasses=d:\dominosrv\java;dsig.zip;xalan.jar;xercesImpl.jar;stcore.jar;stmtgmanagement.jar;STNotesCalendar.jar;log4j.jar;ibmjsse.jar;xml-apis.jar;mail.jar;activation.jar;e:\dominosrv\data
JavaUserClassesExt=Ext1
Ext1=postcard.jar;providerutil.jar;xalan.jar;xercesImpl.jar;log4j.jar;xml-apis.jar;
The non-working server has no JavaUserClasses entry at all.
Any ideas?
-Lauri Laanti