Permission Issue with Apigee-CustomPolicy-EncryptedJWT

Hello,

We are using the Java Custom Callout from GitHub -
DinoChiesa/Apigee-CustomPolicy-EncryptedJWT.
@dchiesa1 Thanks u :smile:

<JavaCallout continueOnError="false" enabled="true" name="Java-JWE Encrypt">
  <DisplayName>Java-JWE Encrypt</DisplayName>
  <Properties>
    <Property name="key-encryption">RSA-OAEP-256</Property>
    <Property name="content-encryption">A256GCM</Property>
    <Property name="payload">{message.content}</Property>
    <Property name="public-key">{extracted_public_key}</Property>
    <Property name="key-id">{certInfo}</Property>
    <Property name="debug">true</Property>
  </Properties>
  <ClassName>com.google.apigee.callouts.GenerateEncryptedJwt</ClassName>
  <ResourceURL>java://xxxxx.jar</ResourceURL>
</JavaCallout>

And we encountered a functional failure triggered by a permission reference error.
Specifically, the Nimbus library used in the project utilizes GSON and Java reflection to handle JSON conversions,
which results in the following security exception:
java.lang.RuntimePermission "accessDeclaredMembers".
ref: https://docs.apigee.com/api-platform/reference/java-permission-reference

com.nimbusds.jose.JOSEException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers") at com.nimbusds.jose.JWEObject.encrypt...

I would like to ask:

  • Is this specific custom policy compatible with the current Apigee X runtime environment?
  • Are there any recommended workarounds or configuration changes to bypass this reflection restriction?
  • Is there any recommendation to use a different approach that does not rely on accessDeclaredMembers?

Thank you.

Hi @Mikey_Lin, thanks for reaching out and welcome to the community!

We’re keeping your question on our radar to ensure it gets answered. In the meantime, feel free to check the Apigee Knowledge Hub, and we invite the community to share any insights or answers.

Thanks!

What are you trying to do? The builtin policies allow you to generate or validate encrypted JWT. Have you looked there?

If you specifically want a JWE (not an encrypted JWT), then … this callout policy WAS the way to do it, but recently in Apigee X there has been some additional restriction put in place for Java callout permissions, which is now preventing this callout from working, with the error you observed.

The workaround to that is:

  • contact Apigee support to see if they can do anything about it for you
  • Use an External Callout, in which case you can avoid any permissions issue

If you are using Apigee hybrid, then you can avoid this problem by modifying your security permissions. Consult the documentation for an explanation of how to do this.

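Both workarounds above amount to doing the JWE work outside the Java callout sandbox, where reflection is not restricted. As an added example that is not code from this thread or from the DinoChiesa callout, here is the JWE the policy above is configured to produce (alg RSA-OAEP-256, enc A256GCM, kid in the protected header) built with Go's standard library, the way an External Callout service could do it; the demo key, the kid value and the payload are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE segments are base64url without padding

// EncryptJWE builds a compact-serialized JWE (RFC 7516) with alg=RSA-OAEP-256 and enc=A256GCM,
// the pair the callout above is configured with; kid is carried in the protected header.
func EncryptJWE(pub *rsa.PublicKey, kid string, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(hdr)
	buf := make([]byte, 44) // fresh 256-bit content-encryption key followed by a 96-bit GCM IV
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	// Wrap the CEK for the recipient with RSA-OAEP using SHA-256 (that is what RSA-OAEP-256 means).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek)                          // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)                          // 96-bit nonce, 128-bit tag: A256GCM
	sealed := gcm.Seal(nil, iv, payload, []byte(protected)) // ASCII header is the AAD; tag is appended
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

func main() {
	// Constructed demo key; in the proxy the public key comes from {extracted_public_key}.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	jwe, err := EncryptJWE(&key.PublicKey, "demo-cert-1", []byte(`{"message":"hello"}`))
	if err != nil {
		panic(err)
	}
	fmt.Println(jwe) // five dot-separated base64url segments
}
```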