Posted to dev@tomcat.apache.org by bu...@apache.org on 2022/10/19 20:30:26 UTC
[Bug 66317] New: AccessControlException on EL 5.0
https://bz.apache.org/bugzilla/show_bug.cgi?id=66317
Bug ID: 66317
Summary: AccessControlException on EL 5.0
Product: Tomcat 10
Version: 10.1.1
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: EL
Assignee: dev@tomcat.apache.org
Reporter: isaacrivriv@gmail.com
Target Milestone: ------
Hey there!
This issue is technically for EE10 Expression Language 5.0 but couldn't find it
in the list. Working on testing lambda expression coercion in EL 5.0 introduced
in https://github.com/jakartaee/expression-language/issues/45 I've hit an
AccessControlException with Java 2 Security enabled as follows:
AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at java.base/java.lang.reflect.Proxy.checkProxyAccess(Proxy.java:457)
    at java.base/java.lang.reflect.Proxy.getProxyConstructor(Proxy.java:411)
    at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1006)
    at org.apache.el.lang.ELSupport.coerceToFunctionalInterface(ELSupport.java:630)...
I've tested that the cause of the issue is due to this line
https://github.com/apache/tomcat/blob/0827d1ce4200ad030a9c3496349b240fefeb53a7/java/org/apache/el/lang/ELSupport.java#L630
while calling type.getClassLoader(). I've seen a couple of PrivilegedAction in
the Tomcat source code so I'm wondering if this was just an oversight or done
on purpose.
It's a relatively simple fix and I am working on a PR for this. Wanted to bring
it up for discussion.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
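The privileged-action pattern this report refers to, as an added example that is not Tomcat's code or the patch from the PR: proxy creation for a functional interface is wrapped in doPrivileged when a security manager is installed. The class name, method name and sample handler are hypothetical, and the code assumes a JDK that still ships the SecurityManager APIs (deprecated for removal since Java 17).

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.function.Predicate;

// Added illustration; class and method names are hypothetical, not Tomcat's.
@SuppressWarnings({"removal", "unchecked"})
public class PrivilegedProxyExample {

    // Creates a dynamic proxy for a functional interface.
    static <T> T newProxy(Class<T> type, InvocationHandler handler) {
        // For bootstrap interfaces (java.util.function.*) the loader is null,
        // and with a security manager installed Proxy.newProxyInstance() then
        // checks RuntimePermission("getClassLoader"), as in the reported trace.
        PrivilegedAction<T> create = () -> type.cast(Proxy.newProxyInstance(
                type.getClassLoader(), new Class<?>[] { type }, handler));

        if (System.getSecurityManager() == null) {
            return create.run();
        }
        // Only proxy creation is privileged, so the check stops at this class's
        // protection domain. The handler is invoked later, outside this block,
        // with the permissions of whoever calls the proxy.
        return AccessController.doPrivileged(create);
    }

    public static void main(String[] args) {
        // Constructed stand-in for an EL lambda coerced to Predicate<String>.
        InvocationHandler handler = (proxy, method, a) -> {
            if ("test".equals(method.getName())) {
                return ((String) a[0]).isEmpty();
            }
            throw new UnsupportedOperationException(method.getName());
        };
        Predicate<String> isEmpty = newProxy(Predicate.class, handler);
        System.out.println(isEmpty.test(""));
        System.out.println(isEmpty.test("el"));
    }
}
```

The code source that contains the wrapping class still needs RuntimePermission "getClassLoader" granted in the security policy; doPrivileged only keeps less-privileged callers further down the stack out of the check.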
[Bug 66317] AccessControlException on EL 5.0
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66317
Han Li <li...@apache.org> changed:
      What|Removed |Added
----------------------------------------------------------------------------
    Status|NEW     |RESOLVED
Resolution|---     |FIXED
--- Comment #3 from Han Li <li...@apache.org> ---
Thanks for the PR.
Fixed in:
11.0.x for 11.0.0-M1 onwards
10.1.x for 10.1.2 onwards
[Bug 66317] AccessControlException on EL 5.0
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66317
--- Comment #1 from Remy Maucherat <re...@apache.org> ---
For now (until the security manager removal becomes real), needed priv actions
will be added.
[Bug 66317] AccessControlException on EL 5.0
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=66317
--- Comment #2 from Isaac Rivera Rivas <is...@gmail.com> ---
Proposed fix for this https://github.com/apache/tomcat/pull/557