This repository has been archived by the owner on May 12, 2020. It is now read-only.

Cassandra steps not drawn when the custom security manager is enabled #3

HiromuHota opened this issue Jan 19, 2018 · 5 comments
@HiromuHota
Owner


How to reproduce: enable the custom security manager
This does not happen on Laptop/Mac OS X (10.12.6)/Oracle JDK (1.8.0_151) or on VM/Ubuntu (16.04.3)/Open JDK8 JRE (1.8.0_151).

logs/catalina.out shows

2018/01/19 01:38:43 - GUIResource - ERROR (version 8.0.0.0-28-13, build 8.0.0.0-28-13 from 2018-01-18 09.58.14 by jenkins) : Error occurred loading image [Cassandrain.svg] for plugin CassandraInput/Cassandra Input{class org.pentaho.di.core.plugins.StepPluginType}
2018/01/19 01:38:43 - GUIResource - ERROR (version 8.0.0.0-28-13, build 8.0.0.0-28-13 from 2018-01-18 09.58.14 by jenkins) : java.lang.ExceptionInInitializerError
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.UserAgentAdapter.getFontFamilyResolver(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.BridgeContext.getFontFamilyResolver(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.SVGTextElementBridge.getFontList(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.SVGTextElementBridge.getAttributeMap(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.SVGTextElementBridge.fillAttributedStringBuffer(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.SVGTextElementBridge.buildAttributedString(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.SVGTextElementBridge.computeLaidoutText(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.SVGTextElementBridge.buildGraphicsNode(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.GVTBuilder.buildGraphicsNode(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.GVTBuilder.buildComposite(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.GVTBuilder.build(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.core.SwtUniversalImageSvg.<init>(SwtUniversalImageSvg.java:56)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.util.SwtSvgImageUtil.loadImage(SwtSvgImageUtil.java:301)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.util.SwtSvgImageUtil.loadFromClassLoader(SwtSvgImageUtil.java:210)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.util.SwtSvgImageUtil.getUniversalImageInternal(SwtSvgImageUtil.java:148)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.util.SwtSvgImageUtil.getUniversalImage(SwtSvgImageUtil.java:173)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.core.gui.GUIResource.loadStepImages(GUIResource.java:750)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.core.gui.GUIResource.getResources(GUIResource.java:518)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.core.gui.GUIResource.initialize(GUIResource.java:415)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.core.gui.GUIResource.<init>(GUIResource.java:405)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.core.gui.GUIResource.getInstance(GUIResource.java:464)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.core.PropsUI.init(PropsUI.java:130)
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.ui.spoon.WebSpoonEntryPoint.createContents(WebSpoonEntryPoint.java:63)
2018/01/19 01:38:43 - GUIResource - 	at org.eclipse.rap.rwt.application.AbstractEntryPoint.createUI(AbstractEntryPoint.java:60)
2018/01/19 01:38:43 - GUIResource - 	at org.eclipse.rap.rwt.internal.lifecycle.RWTLifeCycle.createUI(RWTLifeCycle.java:177)
2018/01/19 01:38:43 - GUIResource - 	at org.eclipse.rap.rwt.internal.lifecycle.RWTLifeCycle$UIThreadController.run(RWTLifeCycle.java:290)
2018/01/19 01:38:43 - GUIResource - 	at java.lang.Thread.run(Thread.java:748)
2018/01/19 01:38:43 - GUIResource - 	at org.eclipse.rap.rwt.internal.lifecycle.UIThread.run(UIThread.java:107)
2018/01/19 01:38:43 - GUIResource - Caused by: java.lang.SecurityException: access denied ("java.io.FilePermission" "/root/.java/fonts/1.8.0_151/fcinfo-1-54cb43256958-Linux-4.9.60-linuxkit-aufs-en.properties" "read")
2018/01/19 01:38:43 - GUIResource - 	at org.pentaho.di.security.WebSpoonSecurityManager.checkPermission(WebSpoonSecurityManager.java:75)
2018/01/19 01:38:43 - GUIResource - 	at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
2018/01/19 01:38:43 - GUIResource - 	at java.io.File.exists(File.java:814)
2018/01/19 01:38:43 - GUIResource - 	at sun.font.FcFontConfiguration.readFcInfo(FcFontConfiguration.java:426)
2018/01/19 01:38:43 - GUIResource - 	at sun.font.FcFontConfiguration.init(FcFontConfiguration.java:94)
2018/01/19 01:38:43 - GUIResource - 	at sun.font.FcFontConfiguration.<init>(FcFontConfiguration.java:76)
2018/01/19 01:38:43 - GUIResource - 	at sun.awt.X11FontManager.createFontConfiguration(X11FontManager.java:768)
2018/01/19 01:38:43 - GUIResource - 	at sun.font.SunFontManager$2.run(SunFontManager.java:431)
2018/01/19 01:38:43 - GUIResource - 	at java.security.AccessController.doPrivileged(Native Method)
2018/01/19 01:38:43 - GUIResource - 	at sun.font.SunFontManager.<init>(SunFontManager.java:376)
2018/01/19 01:38:43 - GUIResource - 	at sun.awt.FcFontManager.<init>(FcFontManager.java:35)
2018/01/19 01:38:43 - GUIResource - 	at sun.awt.X11FontManager.<init>(X11FontManager.java:57)
2018/01/19 01:38:43 - GUIResource - 	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
2018/01/19 01:38:43 - GUIResource - 	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
2018/01/19 01:38:43 - GUIResource - 	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
2018/01/19 01:38:43 - GUIResource - 	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
2018/01/19 01:38:43 - GUIResource - 	at java.lang.Class.newInstance(Class.java:442)
2018/01/19 01:38:43 - GUIResource - 	at sun.font.FontManagerFactory$1.run(FontManagerFactory.java:83)
2018/01/19 01:38:43 - GUIResource - 	at java.security.AccessController.doPrivileged(Native Method)
2018/01/19 01:38:43 - GUIResource - 	at sun.font.FontManagerFactory.getInstance(FontManagerFactory.java:74)
2018/01/19 01:38:43 - GUIResource - 	at sun.java2d.SunGraphicsEnvironment.getFontManagerForSGE(SunGraphicsEnvironment.java:190)
2018/01/19 01:38:43 - GUIResource - 	at sun.java2d.SunGraphicsEnvironment.getAvailableFontFamilyNames(SunGraphicsEnvironment.java:224)
2018/01/19 01:38:43 - GUIResource - 	at sun.java2d.SunGraphicsEnvironment.getAvailableFontFamilyNames(SunGraphicsEnvironment.java:252)
2018/01/19 01:38:43 - GUIResource - 	at sun.java2d.HeadlessGraphicsEnvironment.getAvailableFontFamilyNames(HeadlessGraphicsEnvironment.java:94)
2018/01/19 01:38:43 - GUIResource - 	at org.apache.batik.bridge.DefaultFontFamilyResolver.<clinit>(Unknown Source)
2018/01/19 01:38:43 - GUIResource - 	... 28 more
2018/01/19 01:38:43 - GUIResource - ERROR (version 8.0.0.0-28-13, build 8.0.0.0-28-13 from 2018-01-18 09.58.14 by jenkins) : Unable to load image file [Cassandrain.svg] for plugin CassandraInput/Cassandra Input{class org.pentaho.di.core.plugins.StepPluginType}
@HiromuHota
Owner Author

Adding permission java.io.FilePermission "${user.home}/.java/fonts/-", "read"; to the policy file gives another access denied error for a different path.
I ended up adding the following permissions to catalina.policy, but still have not resolved it.

  permission java.io.FilePermission "/usr/share/fonts/-", "read";
  permission java.io.FilePermission "/var/cache/fontconfig", "read";
  permission java.io.FilePermission "${user.home}/.cache/fontconfig", "read";
  permission java.io.FilePermission "${user.home}/.fontconfig", "read";
  permission java.io.FilePermission "/usr/X11R6/lib/X11/fonts/TrueType", "read";
  permission java.io.FilePermission "/usr/X11R6/lib/X11/fonts/truetype", "read";
  permission java.io.FilePermission "/usr/X11R6/lib/X11/fonts/tt", "read";

Adding more and more permissions might resolve it eventually, but the policy file will become very cumbersome.
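
One way to avoid growing the policy file by trial and error is to generate the entries from the denials that were actually logged. The following is an added example, not part of the original issue or of the webSpoon project; the function names, the `per_directory` option and the second, third and fourth sample log lines are assumptions made for illustration.

```python
import re
from posixpath import dirname

# Denial text as printed by java.lang.SecurityException in the log above.
DENIED = re.compile(
    r'access denied \("java\.io\.FilePermission" "([^"]+)" "([^"]+)"\)')

# First line is the denial quoted in the issue; the other three are constructed.
SAMPLE_LOG = '''\
GUIResource - Caused by: java.lang.SecurityException: access denied ("java.io.FilePermission" "/root/.java/fonts/1.8.0_151/fcinfo-1-54cb43256958-Linux-4.9.60-linuxkit-aufs-en.properties" "read")
GUIResource - Caused by: java.lang.SecurityException: access denied ("java.io.FilePermission" "/root/.java/fonts/1.8.0_151/fcinfo-1-54cb43256958-Linux-4.9.60-linuxkit-aufs-en.properties" "read")
GUIResource - Caused by: java.lang.SecurityException: access denied ("java.io.FilePermission" "/usr/share/fonts/truetype/example.ttf" "read")
GUIResource - Caused by: java.lang.SecurityException: access denied ("java.util.PropertyPermission" "user.dir" "read")
'''

def denied_files(log_text):
    """Map each denied path to the set of actions that were refused."""
    denied = {}
    for path, actions in DENIED.findall(log_text):
        denied.setdefault(path, set()).update(
            a.strip() for a in actions.split(","))
    return denied

def to_policy(log_text, user_home, per_directory=False):
    """Return sorted catalina.policy permission lines covering the denials."""
    home = user_home.rstrip("/")
    grants = {}
    for path, actions in denied_files(log_text).items():
        if per_directory:
            # "dir/*" covers files directly in dir; "dir/-" would recurse.
            # Useful when the file name has host- or version-specific parts
            # (an assumption about the fcinfo-... name in the sample path).
            path = dirname(path).rstrip("/") + "/*"
        if path.startswith(home + "/"):
            path = "${user.home}" + path[len(home):]
        grants.setdefault(path, set()).update(actions)
    return ['permission java.io.FilePermission "%s", "%s";'
            % (p, ",".join(sorted(a))) for p, a in sorted(grants.items())]

if __name__ == "__main__":
    print("\n".join(to_policy(SAMPLE_LOG, "/root", per_directory=True)))
```

Only `java.io.FilePermission` denials are turned into entries; other permission classes in the log are ignored and still need to be reviewed by hand.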

@HiromuHota
Owner Author

The dependency chain of the Docker image is hiromuhota/webspoon:nightly-full <- tomcat:jre8 <- openjdk:8-jre <- buildpack-deps:stretch-curl <- debian:stretch.

@HiromuHota
Owner Author

I thought this had something to do with the openjdk package for debian/stretch, but this does not happen on VM/Debian Stretch (9.3)/Open JDK8 JRE (1.8.0_151).

@HiromuHota
Owner Author

HiromuHota commented Jan 19, 2018

I created a -full image based on tomcat:jre8-alpine.
I needed to install ttf-dejavu since an NPE happened as reported here.
Even with ttf-dejavu installed, I'm having the original access denied error.
Changing the base image to alpine does not help.

@HiromuHota changed the title from "Cassandra steps not drawn" to "Cassandra steps not drawn when the custom security manager is enabled" on Sep 12, 2018
@HiromuHota added the bug label on Sep 13, 2018
@HiromuHota
Owner Author

The root cause of this problem is that Cassandrain.svg and Cassandraout.svg use a custom font, unlike Cassandra.svg.
