https://bz.apache.org/bugzilla/show_bug.cgi?id=66370
Bug ID: 66370
Summary: AccessControlException and default behavior change with org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED
Product: Tomcat 10
Version: 10.1.2
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: EL
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ------
Hey there,

Running Tomcat EL 10.1.2 with Java 2 security enabled, we discovered an issue
with an AccessControlException due to Boolean.getBoolean(). It seems this was
introduced in this commit
https://github.com/apache/tomcat/commit/28ea2b9b2e781d20e0651cb5e0b65bacd464150c#diff-b5962d24af20591547a4804838aa91c84b0151645b2121ac4f244a1b9c1213e8R46-R47
with the addition of the new property
org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED. See the exception below:

java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED" "read")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
    at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
    at java.base/java.lang.System.getProperty(System.java:581)
    at java.base/java.lang.System.getProperty(System.java:564)
    at java.base/java.lang.Boolean.getBoolean(Boolean.java:265)
    at jakarta.el.Util.<clinit>(Util.java:47)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
    at org.apache.jasper.runtime.JspApplicationContextImpl.<clinit>(JspApplicationContextImpl.java:59)
    at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
    at com.ibm._jsp._login._jspInit(_login.java:66)
    at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)

Worked locally on a fix for this and discovered that with the addition of this
new property, a behavior change was introduced which obligates us to set the
property if we don't want to hit another AccessControlException as seen below.
I understand why the change was introduced with this new property but I would
expect that it would not affect the expected behavior by default. I would
expect to see a change only if it was set by the user. Any input as to why this
was done the way it was? Any way we can change this to keep the expected
behavior by default and change it if set?

java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
    at java.base/java.lang.Thread.getContextClassLoader(Thread.java:578)
    at jakarta.el.Util.getContextClassLoader(Util.java:665)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
    at org.apache.jasper.runtime.JspApplicationContextImpl.<clinit>(JspApplicationContextImpl.java:59)
    at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
    at com.ibm._jsp._login._jspInit(_login.java:72)
    at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)
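
The two failures in the report above, sketched as an added example that is not part of the original report and is not Tomcat's code: the property is read inside doPrivileged so the caller's permissions are not consulted, and an unset property keeps the privileged lookup. The class and method names (ClassLoaderLookup, readFlag, contextClassLoader) are hypothetical, and treating an unset property as "true" is an assumption based on the default the reporter asks for.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; names are hypothetical, this is not jakarta.el.Util.
@SuppressWarnings({"removal", "deprecation"})
public final class ClassLoaderLookup {

    static final String PROP = "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED";

    private static final boolean SECURITY_ENABLED = System.getSecurityManager() != null;

    // First trace: Boolean.getBoolean(PROP) in a static initializer is checked
    // against every protection domain on the stack, so the web application
    // would also need PropertyPermission(PROP, "read").
    // Here the read runs with this library's own permissions, and an unset
    // property means "use doPrivileged" (assumed default, see lead-in).
    private static final boolean USE_PRIVILEGED = SECURITY_ENABLED && readFlag();

    private static boolean readFlag() {
        PrivilegedAction<String> read = () -> System.getProperty(PROP, "true");
        return Boolean.parseBoolean(AccessController.doPrivileged(read));
    }

    static ClassLoader contextClassLoader() {
        if (USE_PRIVILEGED) {
            // Second trace: without doPrivileged, Thread.getContextClassLoader()
            // can demand RuntimePermission("getClassLoader") from the caller.
            PrivilegedAction<ClassLoader> get =
                    () -> Thread.currentThread().getContextClassLoader();
            return AccessController.doPrivileged(get);
        }
        return Thread.currentThread().getContextClassLoader();
    }

    public static void main(String[] args) {
        System.out.println("security manager enabled: " + SECURITY_ENABLED);
        System.out.println("privileged lookup: " + USE_PRIVILEGED);
        System.out.println("context class loader: " + contextClassLoader());
    }
}
```

The library's own code source still needs both permissions in the policy; doPrivileged only stops the check from walking further up the stack into less-trusted callers.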