I doubt you have any options here for runtime weaving. The classloader in this case is controlled by Spring, and the security managers likely have a tight multi-tenant designed security policy.
The best bet, even with Spring is to change to compile-time weaving; this was the answer for an app I developed in the same situation. Also, note that Java 11, and later versions of Spring all are getting better at access control and fixing holes. Earlier versions of Spring used to take advantage of the security holes in the JVM to work, many of these security holes are getting closed off. You will also see more of these issues in the next LTS release (15 I think is the number). Tim From: aspectj-users <aspectj-users-boun...@eclipse.org> On Behalf Of Andy Clement Sent: Wednesday, June 9, 2021 3:59 PM To: aspectj-users@eclipse.org Subject: Re: [aspectj-users] Openjdk11 and Security Manager Hey, I'm not an expert on Java Security unfortunately (you might find a few of those folks if you ask this on Stack overflow?). With your reference to it working for one classloader and not another, how feasible is it to set the context classloader to the one you find that works? Or will that break something else? (Thread.currentThread().setContextClassLoader(..)) It is possible some doPrivileged blocks are missing in the reflection area but then I see the doPrivileged call deeper in the checkPackageAccess call, so maybe raising up the privileged check will just make it fail sooner. cheers, Andy On Wed, 9 Jun 2021 at 10:00, Constantin Moisei <constantin.moi...@gmail.com <mailto:constantin.moi...@gmail.com> > wrote: Hello, I am running into a weird exception on an open jdk 11 vm with a tight security manager policy. What kind of control do I have to ReflectionBasedReferenceTypeDelegateFactory ? In the past I had issues with how I get/handle the classloader but found a way to bypass it. However it was my own code so I could deal with it. Now I am facing a similar issue via the latest aspectj 1.9.6 //ClassLoader loader = Thread.currentThread().getContextClassLoader(); //doesn't work ClassLoader loader = this.getClass().getClassLoader(); //<---- this works Note that granting the permission is not a viable solution. It will be almost impossible to convince the vm owners to modify the policy. Has to be a different way. Here's the full exception Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.loader") at java.base/java.security.AccessControlContext.checkPermission(AccessControlCo ntext.java:472) at java.base/java.security.AccessController.checkPermission(AccessController.ja va:897) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322 ) at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java: 1238) at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:691) at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:689) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:689) at java.base/java.lang.Class.forName0(Native Method) at java.base/java.lang.Class.forName(Class.java:398) at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.creat eDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40) at org.aspectj.weaver.reflect.ReflectionWorld.resolveDelegate(ReflectionWorld.j ava:111) at org.aspectj.weaver.World.resolveToReferenceType(World.java:363) at org.aspectj.weaver.World.resolve(World.java:258) at org.aspectj.weaver.World.resolve(World.java:180) at org.aspectj.weaver.World.resolve(World.java:326) at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:103) at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:93) at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.toRes olvedTypeArray(ReflectionBasedReferenceTypeDelegateFactory.java:214) at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.creat eResolvedMethod(ReflectionBasedReferenceTypeDelegateFactory.java:107) at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.creat eResolvedMember(ReflectionBasedReferenceTypeDelegateFactory.java:98) at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegate.getDeclaredM ethods(ReflectionBasedReferenceTypeDelegate.java:290) at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:571) at org.aspectj.weaver.ResolvedType.addAndRecurse(ResolvedType.java:271) at org.aspectj.weaver.ResolvedType.getMethodsWithoutIterator(ResolvedType.java: 265) at org.aspectj.weaver.ResolvedType.lookupResolvedMember(ResolvedType.java:420) at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(J oinPointSignatureIterator.java:178) at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(J oinPointSignatureIterator.java:202) at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(J oinPointSignatureIterator.java:202) at org.aspectj.weaver.JoinPointSignatureIterator.hasNext(JoinPointSignatureIter ator.java:69) at org.aspectj.weaver.patterns.SignaturePattern.matches(SignaturePattern.java:2 98) at org.aspectj.weaver.patterns.KindedPointcut.matchInternal(KindedPointcut.java :106) at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146) at org.aspectj.weaver.patterns.OrPointcut.matchInternal(OrPointcut.java:51) at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146) at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.getShadowMatch(Poin tcutExpressionImpl.java:235) at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesExecution(Po intcutExpressionImpl.java:101) at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesMethodExecut ion(PointcutExpressionImpl.java:92) at org.springframework.aop.aspectj.AspectJExpressionPointcut.getShadowMatch(Asp ectJExpressionPointcut.java:408) at org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExp ressionPointcut.java:266) at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:223) at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262) at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.j ava:294) at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator. findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118) at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator. findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88) at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator. getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69) at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfN ecessary(AbstractAutoProxyCreator.java:361) at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postPro cessAfterInitialization(AbstractAutoProxyCreator.java:324) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory .applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFacto ry.java:409) at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory .postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:16 57) at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObje ctFromFactoryBean(FactoryBeanRegistrySupport.java:112) ... 42 more _______________________________________________ aspectj-users mailing list aspectj-users@eclipse.org <mailto:aspectj-users@eclipse.org> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/aspectj-users _____ <https://home.mcafee.com/utm_medium=email&utm_source=link&utm_campaign=sig-e mail&utm_content=emailclient?utm_medium=email&utm_source=link&utm_campaign=s ig-email&utm_content=emailclient> Scanned by McAfee <https://home.mcafee.com/utm_medium=email&utm_source=link&utm_campaign=sig-e mail&utm_content=emailclient?utm_medium=email&utm_source=link&utm_campaign=s ig-email&utm_content=emailclient> and confirmed virus-free.
_______________________________________________ aspectj-users mailing list aspectj-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/aspectj-users
