Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/01/05 09:46:48 UTC
[tomcat] branch 10.1.x updated: Fix BZ 66370 Change default for GET_CLASSLOADER_USE_PRIVILEGED
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 5817d48bde Fix BZ 66370 Change default for GET_CLASSLOADER_USE_PRIVILEGED
5817d48bde is described below
commit 5817d48bde1ae36e05bb03ea6aacc28640603058
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Dec 15 17:17:04 2022 +0000
Fix BZ 66370 Change default for GET_CLASSLOADER_USE_PRIVILEGED
When running on Tomcat the EL library is called from within a
privileged block so the additional privileged block is unnecessary.
When not on Tomcat, use the additional privileged block
https://bz.apache.org/bugzilla/show_bug.cgi?id=66370
---
conf/catalina.properties | 4 ++++
java/jakarta/el/Util.java | 23 ++++++++++++++++++++---
webapps/docs/changelog.xml | 13 +++++++++++++
3 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/conf/catalina.properties b/conf/catalina.properties
index dd35d24c09..6c5cb3eae9 100644
--- a/conf/catalina.properties
+++ b/conf/catalina.properties
@@ -209,3 +209,7 @@ tomcat.util.buf.StringCache.byte.enabled=true
#tomcat.util.buf.StringCache.char.enabled=true
#tomcat.util.buf.StringCache.trainThreshold=500000
#tomcat.util.buf.StringCache.cacheSize=5000
+
+# Disable use of some privilege blocks Tomcat doesn't need since calls to the
+# code in question are always already inside a privilege block
+org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED=false
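Review bot: The added comment does not say that this property only has an effect when a SecurityManager is in use, or that removing the line now falls back to a default of true rather than false (per the Util.java change in this commit). Something like `# Only relevant when running under a SecurityManager. If this line is removed the EL API defaults to true and uses the privileged block.` would save an operator from guessing. The comment's "privilege block" should also read "privileged block" to match the term used in the code.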
diff --git a/java/jakarta/el/Util.java b/java/jakarta/el/Util.java
index 71527d2429..ee5848cb2d 100644
--- a/java/jakarta/el/Util.java
+++ b/java/jakarta/el/Util.java
@@ -43,8 +43,25 @@ class Util {
private static final Class<?>[] EMPTY_CLASS_ARRAY = new Class<?>[0];
private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
- private static final boolean GET_CLASSLOADER_USE_PRIVILEGED =
- Boolean.getBoolean("org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED");
+ private static final boolean IS_SECURITY_ENABLED = (System.getSecurityManager() != null);
+
+ private static final boolean GET_CLASSLOADER_USE_PRIVILEGED;
+
+ static {
+ if (IS_SECURITY_ENABLED) {
+ // Defaults to using a privileged block
+ // When running on Tomcat this will be set to false in
+ // $CATALINA_BASE/conf/catalina.properties
+ String value = AccessController.doPrivileged(
+ (PrivilegedAction<String>) () -> System.getProperty(
+ "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED", "true"));
+ GET_CLASSLOADER_USE_PRIVILEGED = Boolean.parseBoolean(value);
+ } else {
+ // No security manager - no need to use a privileged block.
+ GET_CLASSLOADER_USE_PRIVILEGED = false;
+ }
+ }
+
/**
* Checks whether the supplied Throwable is one that needs to be
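Review bot: In the static initializer, `Boolean.parseBoolean(value)` maps every value other than a case-insensitive "true" to false, so a mistyped or whitespace-padded property silently turns off the privileged block that this change makes the default under a SecurityManager. Since false is the explicit opt-out, it would be more robust to disable only on an explicit false: `GET_CLASSLOADER_USE_PRIVILEGED = !"false".equalsIgnoreCase(value.trim());`. A misconfiguration would then probably surface as an AccessControlException in less-privileged callers of getContextClassLoader(), which is hard to trace back to a property typo. The existing comment could also state that the property is read once at class initialisation, so changing it later has no effect.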
@@ -658,7 +675,7 @@ class Util {
static ClassLoader getContextClassLoader() {
ClassLoader tccl;
- if (System.getSecurityManager() != null && GET_CLASSLOADER_USE_PRIVILEGED) {
+ if (IS_SECURITY_ENABLED && GET_CLASSLOADER_USE_PRIVILEGED) {
PrivilegedAction<ClassLoader> pa = new PrivilegedGetTccl();
tccl = AccessController.doPrivileged(pa);
} else {
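Review bot: `IS_SECURITY_ENABLED` is evaluated once when `Util` is initialised, whereas the condition it replaces here called `System.getSecurityManager()` on every invocation of getContextClassLoader(). A SecurityManager installed after this class has loaded (possible outside Tomcat, which is the case this fix targets) would leave both flags false, and the privileged block would never be used. If that is acceptable, document it on the field, e.g. `// Evaluated once at class initialisation; a SecurityManager installed later is not detected.`; otherwise keep the per-call `System.getSecurityManager() != null` check in this condition. The body of getContextClassLoader() continues outside the hunk.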
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e7d0a871f3..7d47555e0b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -138,6 +138,19 @@
</fix>
</changelog>
</subsection>
+ <subsection name="Jasper">
+ <changelog>
+ <fix>
+ <bug>66370</bug>: Change the default of the
+ <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system
+ property to <code>true</code> unless the EL library is running on
+ Tomcat in which case the default remains <code>false</code> as the
+ EL library is already called from within a privileged block and
+ skipping the unnecessary privileged block improves performance.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Other">
<changelog>
<update>