https://bz.apache.org/bugzilla/show_bug.cgi?id=66317
Bug ID: 66317
Summary: AccessControlException on EL 5.0
Product: Tomcat 10
Version: 10.1.1
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: EL
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ------
Hey there!
This issue is technically for EE10 Expression Language 5.0, but I couldn't find it
in the list. While working on testing lambda expression coercion in EL 5.0, introduced
in https://github.com/jakartaee/expression-language/issues/45, I've hit an
AccessControlException with Java 2 Security enabled, as follows:
AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at java.base/java.lang.reflect.Proxy.checkProxyAccess(Proxy.java:457)
    at java.base/java.lang.reflect.Proxy.getProxyConstructor(Proxy.java:411)
    at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1006)
    at org.apache.el.lang.ELSupport.coerceToFunctionalInterface(ELSupport.java:630)...
I've tested that the cause of the issue is due to this line
https://github.com/apache/tomcat/blob/0827d1ce4200ad030a9c3496349b240fefeb53a7/java/org/apache/el/lang/ELSupport.java#L630
while calling type.getClassLoader(). I've seen a couple of PrivilegedAction in
the Tomcat source code so I'm wondering if this was just an oversight or done
on purpose.
It's a relatively simple fix and I am working on a PR for this. I wanted to bring
it up for discussion.
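The PrivilegedAction pattern the report mentions, applied to a Proxy.newProxyInstance call like the one in the trace, as an added example that is not Tomcat's code or the reporter's PR. PrivilegedProxyDemo and newProxy are hypothetical names; it assumes a JDK that still ships the SecurityManager API and a policy that grants this class's own code source RuntimePermission "getClassLoader".

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.function.IntPredicate;

// Added illustration: PrivilegedProxyDemo and newProxy are hypothetical names.
@SuppressWarnings("removal") // SecurityManager APIs are deprecated for removal since Java 17
public class PrivilegedProxyDemo {

    /** Creates a proxy for an interface, running only the reflective call privileged. */
    static <T> T newProxy(Class<T> type, InvocationHandler handler) {
        if (!type.isInterface()) {
            throw new IllegalArgumentException(type.getName() + " is not an interface");
        }
        // The action contains nothing but the class-loader lookup and proxy creation.
        // The handler is not invoked here, so no caller-supplied logic runs privileged.
        PrivilegedAction<Object> create = () -> Proxy.newProxyInstance(
                type.getClassLoader(), new Class<?>[] { type }, handler);
        Object proxy = (System.getSecurityManager() == null)
                ? create.run()                           // no security manager: call directly
                : AccessController.doPrivileged(create); // permission walk stops at this frame
        return type.cast(proxy);
    }

    public static void main(String[] argv) {
        // IntPredicate is a bootstrap class, so its class loader is null: the case in
        // which Proxy.checkProxyAccess demands the "getClassLoader" permission.
        IntPredicate isEven = newProxy(IntPredicate.class,
                (p, method, a) -> ((Integer) a[0]) % 2 == 0);
        System.out.println(isEven.test(4));
        System.out.println(isEven.test(7));
    }
}
```

With doPrivileged in place, the permission check considers only the protection domain of the class that opened the privileged block, so less-privileged web application code further up the stack no longer causes the AccessControlException.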