We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

SecurityException "Illegal access to method read()" on java.util.zip.InflaterInputStream in server-s

PavanV
Tera Contributor
 
Hi all,
 
I'm trying to unzip a ZIP file attachment on a case record from server-side script
(Business Rule on sys_attachment, after insert), and I'm hitting a hard
SecurityException that I can't find a documented workaround for. Hoping someone
here has hit this before.
 
WHAT I'M TRYING TO DO
Extract each file inside a ZIP attachment and re-attach it individually to the
same case record (via GlideSysAttachment), while leaving the original ZIP
attachment in place. Classic "unzip email attachment onto case" requirement.
 
WHAT I'VE TRIED
Running this in a Script Include, called from a Business Rule (after insert on
sys_attachment), in Global scope:
 
var inputStream = new GlideSysAttachment().getContentStream(zipAttachmentSysId);
var zis = new Packages.java.util.zip.ZipInputStream(inputStream);
var entry;
while ((entry = zis.getNextEntry()) !== null) {
var buffer = Packages.java.lang.reflect.Array.newInstance(Packages.java.lang.Byte.TYPE, 8192);
var len;
while ((len = zis.read(buffer)) !== -1) {
// ... accumulate bytes
}
}
 
This throws:
java.lang.SecurityException: Illegal access to method read([B) in class java.io.FilterInputStream
 
I then tried the no-argument read() overload instead of the buffered version:
while ((singleByte = zis.read()) !== -1) { ... }
 
This throws a similar, but distinct, error:
java.lang.SecurityException: Illegal access to method read() in class java.util.zip.InflaterInputStream
 
So it looks like it's not about which overload I use — reads on this stream
class hierarchy appear to be blocked entirely by the script sandbox / security
manager, in Global scope, as an admin user.
 
WHAT I'M ASKING
1. Is this a hard, non-configurable platform restriction (i.e. no customer-side
fix exists), or is there a Java Access Control / security exception an admin
can grant for specific classes/methods?
2. Has anyone gotten java.util.zip.ZipInputStream (or java.util.zip.Inflater
directly) working from server-side script on a recent release? If so, what
release/version, and did you need any special configuration?
3. I've seen GlideZipUtil referenced in some older threads as an internal zip
utility — is that fully deprecated/blocked now, or does it still work for
anyone?
4. I don't have IntegrationHub Professional Pack or a MID Server available, so
the native Flow Designer Zip/Unzip step and the MID Server FileManager
approach aren't options for us right now. Is there any other supported,
license-free way to decompress a ZIP from server-side script?
 
Any pointers — even "this is permanently blocked, don't waste more time on it" —
would be genuinely useful. Thanks!
 
 
Release: zurich
Scope: Global
Plugins active: Customer Service Management
 
5 REPLIES 5

Bhargavi Patel
Kilo Guru

Hi @PavanV 

This is a platform security restriction. ServiceNow blocks direct use of Java classes like java.util.zip.ZipInputStream from server-side scripts, so methods such as read() are not allowed. There is no customer-configurable setting or Java permission to bypass this.

GlideZipUtil is an internal/unsupported API and should not be relied on.

Without IntegrationHub, a MID Server, or an external service to unzip the file, there is no supported, license-free way to extract ZIP attachments entirely in server-side script.


In short: don't spend more time trying to make ZipInputStream work—it isn't supported in server-side scripting.

Please Accept the solution if it assisted you with your question & Mark this response as Helpful.