Possibly misleading error "ALPN is not configured properly" when Java security manager is enabled #4163

Closed
jmesterh opened this issue Mar 2, 2018 · 5 comments

@jmesterh

jmesterh commented Mar 2, 2018

I just spent a day on a wild goose chase trying to figure out what was causing this error:

ALPN is not configured properly. See https://github.com/grpc/grpc-java/blob/master/SECURITY.md#troubleshooting for more information.

Reading that page, and looking at my Maven dependency tree, I thought I had some kind of version conflict. I spent a day uselessly swapping out different library versions to try and fix this. In frustration I created a completely new project, with the same dependencies, and it worked. It turns out my app is using the Java Security Manager, and it was silently blocking tcnative from being loaded by netty-tcnative-boringssl-static.

Adding these three permissions fixed it:

permissions.add(new NetPermission("getProxySelector", "read"));
permissions.add(new FilePermission(System.getProperty("java.io.tmpdir")+"/-", "read,write"));
permissions.add(new RuntimePermission("loadLibrary.*"));

I couldn't figure out how to whitelist only the tcnative library, as the Netty Native Library Loader appends a random number to the library name every time (ironically, probably for security reasons).

@carl-mastrangelo
Contributor

Can you describe how it was silently being blocked? Was there an exception that got swallowed somewhere?

@jmesterh
Author

jmesterh commented Mar 2, 2018

I couldn't find an exception being thrown; presumably there was one, somewhere. There is no mention of the security manager in the stack trace:

Caused by: java.lang.IllegalArgumentException: ALPN is not configured properly. See https://github.com/grpc/grpc-java/blob/master/SECURITY.md#troubleshooting for more information.
	at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.selectApplicationProtocolConfig(GrpcSslContexts.java:163)
	at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.configure(GrpcSslContexts.java:136)
	at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.configure(GrpcSslContexts.java:124)
	at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.forClient(GrpcSslContexts.java:94)
	at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder$NettyTransportFactory$DefaultNettyTransportCreationParamsFilterFactory.<init>(NettyChannelBuilder.java:546)
	at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder$NettyTransportFactory$DefaultNettyTransportCreationParamsFilterFactory.<init>(NettyChannelBuilder.java:539)
	at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder$NettyTransportFactory.<init>(NettyChannelBuilder.java:477)
	at io.grpc.netty.shaded.io.grpc.netty.NettyChannelBuilder.buildTransportFactory(NettyChannelBuilder.java:325)
	at io.grpc.internal.AbstractManagedChannelImplBuilder.build(AbstractManagedChannelImplBuilder.java:342)
	at com.google.api.gax.grpc.InstantiatingGrpcChannelProvider.createSingleChannel(InstantiatingGrpcChannelProvider.java:185)
	at com.google.api.gax.grpc.InstantiatingGrpcChannelProvider.createChannel(InstantiatingGrpcChannelProvider.java:142)
	at com.google.api.gax.grpc.InstantiatingGrpcChannelProvider.getTransportChannel(InstantiatingGrpcChannelProvider.java:134)
	at com.google.cloud.pubsub.v1.Subscriber.doStart(Subscriber.java:280)
	at com.google.api.core.AbstractApiService$InnerService.doStart(AbstractApiService.java:148)
	at com.google.common.util.concurrent.AbstractService.startAsync(AbstractService.java:225)
	at com.google.api.core.AbstractApiService.startAsync(AbstractApiService.java:120)
	at com.google.cloud.pubsub.v1.Subscriber.startAsync(Subscriber.java:270)
	... 3 more
Caused by: java.lang.ClassNotFoundException: org/eclipse/jetty/alpn/ALPN
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:348)
	at io.grpc.netty.shaded.io.grpc.netty.JettyTlsUtil.isJettyAlpnConfigured(JettyTlsUtil.java:34)
	at io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts.selectApplicationProtocolConfig(GrpcSslContexts.java:153)
	... 19 more
Exiting with error code 1

@saturnism
Contributor

We should add this to the troubleshooting section.

@ejona86
Member

ejona86 commented Mar 6, 2018

This is a code problem. We don't expose the tcnative error naturally (although a user could find it if they wanted). I try to address this at https://github.com/grpc/grpc-java/pull/3401/files#diff-5f981c27dfe25e42ae666269a48b0488R229 .
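
An added example, not part of the thread or of grpc-java's code: a small diagnostic that surfaces the tcnative load failure hidden behind the ALPN message and reports whether a Security Manager denial is in its cause chain. It assumes Netty's `OpenSsl.unavailabilityCause()` is on the classpath (shaded or unshaded) and is run under the same security policy as the application; the class name `TcnativeDiagnostic` is hypothetical.

```java
import java.lang.reflect.Method;
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.IdentityHashMap;
import java.util.Set;

public class TcnativeDiagnostic {
    // Netty's OpenSsl class: first as relocated by grpc-netty-shaded, then unshaded.
    static final String[] CANDIDATES = {
        "io.grpc.netty.shaded.io.netty.handler.ssl.OpenSsl",
        "io.netty.handler.ssl.OpenSsl",
    };

    /** Returns the first SecurityException among causes and suppressed exceptions, or null. */
    static SecurityException findSecurityDenial(Throwable root) {
        Set<Throwable> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        Deque<Throwable> todo = new ArrayDeque<>();
        if (root != null) todo.add(root);
        while (!todo.isEmpty()) {
            Throwable t = todo.poll();
            if (!seen.add(t)) continue;          // guard against cyclic cause chains
            if (t instanceof SecurityException) return (SecurityException) t;
            if (t.getCause() != null) todo.add(t.getCause());
            Collections.addAll(todo, t.getSuppressed());
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        for (String name : CANDIDATES) {
            Class<?> openSsl;
            try {
                openSsl = Class.forName(name);   // triggers the tcnative load attempt
            } catch (ClassNotFoundException | LinkageError e) {
                continue;                        // this variant is not on the classpath
            }
            Method m = openSsl.getMethod("unavailabilityCause");
            Throwable cause = (Throwable) m.invoke(null);
            if (cause == null) { System.out.println(name + ": tcnative loaded"); continue; }
            System.out.println(name + ": tcnative unavailable: " + cause);
            SecurityException denied = findSecurityDenial(cause);
            // The message of an access-control denial names the permission that was refused.
            System.out.println(denied != null
                ? "Blocked by security policy: " + denied.getMessage()
                : "No SecurityException in the cause chain; check versions and platform.");
        }
    }
}
```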

@ejona86 ejona86 added this to the Next milestone Mar 11, 2018
@ejona86 ejona86 self-assigned this Mar 11, 2018
@ejona86
Member

ejona86 commented Aug 9, 2018

Fixed by #3401

@ejona86 ejona86 closed this as completed Aug 9, 2018
@ejona86 ejona86 modified the milestones: Next, 1.12 Aug 9, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Nov 7, 2018