https://bz.apache.org/bugzilla/show_bug.cgi?id=66370

--- Comment #5 from Paul Nicolucci <pnicolu...@gmail.com> ---
Hi,

We use the Tomcat ExpressionLanguage within Open Liberty. We hit this issue
after updating to the 10.1.2 (from 10.1.1) version of the Expression Language.
I've read through the following thread:
https://lists.apache.org/thread/7w4x90zwp3qhn9qopbhmg5wponcc468n

Although the SecurityManager is deprecated and may go away in Jakarta EE11 it
is still used heavily in Jakarta EE10.

The problem is twofold:

1) When a SecurityManager is being used the following Exception occurs when
looking up the value of the new system property:

java.security.AccessControlException: Access denied
("java.util.PropertyPermission" "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED"
"read")
        at java.base/java.security.AccessController.throwACE(AccessController.java:176)
        at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
        at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
        at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
        at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
        at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
        at java.base/java.lang.System.getProperty(System.java:581)
        at java.base/java.lang.System.getProperty(System.java:564)
        at java.base/java.lang.Boolean.getBoolean(Boolean.java:265)
        at jakarta.el.Util.<clinit>(Util.java:47)

see:
https://docs.oracle.com/javase/8/docs/api/java/lang/Boolean.html#getBoolean-java.lang.String-

2) Anyone who is using a SecurityManager and wants the protection offered by it
will now need to enable the new system property as well. As stated in the
thread I referenced earlier this is a backward incompatible change going from
10.1.1 to 10.1.2. Even the thread referenced says this was likely a
theoretical issue.

Given the above I would argue a few things:

A) The default should be opt out so by default using the Security Manager gives
you the expected behavior without having to set a system property.

B) If in Jakarta EE11 the use of the SecurityManager is removed or made
optional then this property could then potentially be removed or opt-in.

C) At the very least when using Boolean.getBoolean the AccessControlException
needs to be avoided.

If changing the default of the property isn't a possibility and won't be
accepted by the community, can we agree to at least fix C?

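The failure mode in point C, shown as an added Java example (this is not code from Tomcat, Open Liberty or the bug report; the class and method names are hypothetical). It places the failing pattern from the stack trace next to a hardened read that keeps a missing PropertyPermission from aborting class initialisation. Boolean.getBoolean only swallows IllegalArgumentException and NullPointerException, so a SecurityException raised by the SecurityManager propagates out of the static initializer exactly as the trace above shows.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example, not the project's code. Illustrates point C of the comment:
// reading a boolean system property without letting an AccessControlException
// escape from a static initializer when a SecurityManager is installed.
public final class PrivilegedPropertyRead {

    // Property name taken from the stack trace in the comment above.
    static final String PROPERTY = "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED";

    // Failing pattern: mirrors the call in the stack trace. Boolean.getBoolean
    // calls System.getProperty directly, so the SecurityManager's
    // checkPropertyAccess runs against every protection domain on the stack.
    // If any caller lacks PropertyPermission(PROPERTY, "read") this throws
    // AccessControlException; inside <clinit> that surfaces as an
    // ExceptionInInitializerError and the class becomes unusable.
    static boolean unsafeRead() {
        return Boolean.getBoolean(PROPERTY);
    }

    // Hardened pattern: the lookup runs inside doPrivileged, so only the
    // library's own protection domain has to be granted the permission, and
    // a SecurityException (AccessControlException is a subclass) falls back to
    // a caller-chosen default instead of propagating. The default is the
    // policy decision discussed in the comment; it is a parameter here so the
    // example does not assume which value the project settles on.
    static boolean safeRead(String name, boolean defaultValue) {
        try {
            String value = AccessController.doPrivileged(
                    (PrivilegedAction<String>) () -> System.getProperty(name));
            return value == null ? defaultValue : Boolean.parseBoolean(value);
        } catch (SecurityException e) {
            // Policy did not grant the permission even to this code base;
            // fail closed to the supplied default rather than breaking <clinit>.
            return defaultValue;
        }
    }

    public static void main(String[] args) {
        // Without a SecurityManager both calls succeed. Run with
        // -Djava.security.manager plus a policy that omits
        // PropertyPermission for this class to observe the difference:
        // safeRead() returns the default, unsafeRead() throws.
        System.out.println("safeRead   -> " + safeRead(PROPERTY, true));
        try {
            System.out.println("unsafeRead -> " + unsafeRead());
        } catch (SecurityException e) {
            System.out.println("unsafeRead -> " + e);
        }
    }
}
```

The catch is deliberately broad: under a restrictive policy the doPrivileged block still fails when the library's own code base has no grant, so the fallback is what guarantees that class loading cannot be knocked over by the configuration of the host's SecurityManager. Both AccessController and SecurityManager are deprecated for removal in current JDKs, which is why the example keeps the privileged read isolated in one helper that can later be reduced to a plain System.getProperty call.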