Thanks both Andy and Tim!

As Tim pointed out we don't control the weaving, it happens during the app
startup.

I could look into what Tim mentions here, to just use compile time weaving
but I need to do some research.

My original thought was to create an alternate factory and allow it to use
its getClass().getClassLoader(). I mean that could be a fix. I didn't
check the source, but how is the classloader handled at this line
(ReflectionBasedReferenceTypeDelegateFactory.java:40)?

>at java.base/java.lang.Class.forName(Class.java:398)
>at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)

Talking about sources, where is the repo? I could create my own variant to
see if I can bypass the issue.


On Wed, 9 Jun 2021 at 15:05, <n61...@gmail.com> wrote:

> I doubt you have any options here for runtime weaving. The classloader in
> this case is controlled by Spring, and the security managers likely have a
> tight multi-tenant designed security policy.
>
> The best bet, even with Spring is to change to compile-time weaving; this
> was the answer for an app I developed in the same situation.
>
> Also, note that Java 11, and later versions of Spring all are getting
> better at access control and fixing holes. Earlier versions of Spring used
> to take advantage of the security holes in the JVM to work, many of these
> security holes are getting closed off.
>
> You will also see more of these issues in the next LTS release (15 I think
> is the number).
>
>
>
>
>
> Tim
>
>
>
> *From:* aspectj-users <aspectj-users-boun...@eclipse.org> *On Behalf Of *Andy
> Clement
> *Sent:* Wednesday, June 9, 2021 3:59 PM
> *To:* aspectj-users@eclipse.org
> *Subject:* Re: [aspectj-users] Openjdk11 and Security Manager
>
>
>
> Hey,
>
>
>
> I'm not an expert on Java Security unfortunately (you might find a few of
> those folks if you ask this on Stack overflow?).
>
>
>
> With your reference to it working for one classloader and not another, how
> feasible is it to set the context classloader to the one you find that
> works? Or will that break something else?
> (Thread.currentThread().setContextClassLoader(..))
>
>
>
> It is possible some doPrivileged blocks are missing in the reflection area
> but then I see the doPrivileged call deeper in the checkPackageAccess call,
> so maybe raising up the privileged check will just make it fail sooner.
>
>
>
> cheers,
>
> Andy
>
>
>
> On Wed, 9 Jun 2021 at 10:00, Constantin Moisei <
> constantin.moi...@gmail.com> wrote:
>
> Hello,
>
>
> I am running into a weird exception on an open jdk 11 vm with a tight
> security manager policy.
>
> What kind of control do I have over
> ReflectionBasedReferenceTypeDelegateFactory?
>
> In the past I had issues with how I get/handle the classloader but found a
> way to bypass it. However it was my own code so I could deal with it. Now I
> am facing a similar issue via the latest aspectj 1.9.6
>
>  //ClassLoader loader = Thread.currentThread().getContextClassLoader(); // doesn't work
>
>  ClassLoader loader = this.getClass().getClassLoader(); // <---- this works
>
> Note that granting the permission is not a viable solution. It will be
> almost impossible to convince the vm owners to modify the policy. Has to be
> a different way.
>
> Here's the full exception
>
> Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.loader")
>     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>     at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
>     at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
>     at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
>     at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:691)
>     at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:689)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:689)
>     at java.base/java.lang.Class.forName0(Native Method)
>     at java.base/java.lang.Class.forName(Class.java:398)
>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)
>     at org.aspectj.weaver.reflect.ReflectionWorld.resolveDelegate(ReflectionWorld.java:111)
>     at org.aspectj.weaver.World.resolveToReferenceType(World.java:363)
>     at org.aspectj.weaver.World.resolve(World.java:258)
>     at org.aspectj.weaver.World.resolve(World.java:180)
>     at org.aspectj.weaver.World.resolve(World.java:326)
>     at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:103)
>     at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:93)
>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.toResolvedTypeArray(ReflectionBasedReferenceTypeDelegateFactory.java:214)
>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMethod(ReflectionBasedReferenceTypeDelegateFactory.java:107)
>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMember(ReflectionBasedReferenceTypeDelegateFactory.java:98)
>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(ReflectionBasedReferenceTypeDelegate.java:290)
>     at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:571)
>     at org.aspectj.weaver.ResolvedType.addAndRecurse(ResolvedType.java:271)
>     at org.aspectj.weaver.ResolvedType.getMethodsWithoutIterator(ResolvedType.java:265)
>     at org.aspectj.weaver.ResolvedType.lookupResolvedMember(ResolvedType.java:420)
>     at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:178)
>     at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
>     at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
>     at org.aspectj.weaver.JoinPointSignatureIterator.hasNext(JoinPointSignatureIterator.java:69)
>     at org.aspectj.weaver.patterns.SignaturePattern.matches(SignaturePattern.java:298)
>     at org.aspectj.weaver.patterns.KindedPointcut.matchInternal(KindedPointcut.java:106)
>     at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
>     at org.aspectj.weaver.patterns.OrPointcut.matchInternal(OrPointcut.java:51)
>     at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
>     at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.getShadowMatch(PointcutExpressionImpl.java:235)
>     at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesExecution(PointcutExpressionImpl.java:101)
>     at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesMethodExecution(PointcutExpressionImpl.java:92)
>     at org.springframework.aop.aspectj.AspectJExpressionPointcut.getShadowMatch(AspectJExpressionPointcut.java:408)
>     at org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExpressionPointcut.java:266)
>     at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:223)
>     at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262)
>     at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:294)
>     at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118)
>     at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88)
>     at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69)
>     at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:361)
>     at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:324)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:409)
>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:1657)
>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:112)
>     ... 42 more
>
>
>
>
>
>
>
> _______________________________________________
> aspectj-users mailing list
> aspectj-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/aspectj-users
>
>
>
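
A diagnostic for the loader difference discussed in this thread, added here as an example; it is not code from AspectJ, Spring or any of the posters. The class name LoaderProbe and the helpers probe and withContextLoader are hypothetical. It resolves one type name through the thread context classloader and through the class's own loader, then repeats the lookup with the context loader swapped and restored, so a policy denial can be told apart from a plain class-not-found.

```java
import java.util.function.Supplier;

/** Added example: compare how two candidate loaders resolve one type name. */
public class LoaderProbe {

    /** Resolve name through loader without initializing the class. */
    static String probe(String name, ClassLoader loader) {
        try {
            Class<?> c = Class.forName(name, false, loader);
            return "OK: " + c.getName();
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException: the policy denied
            // the lookup, e.g. a missing accessClassInPackage.* permission.
            return "DENIED: " + e.getMessage();
        } catch (ClassNotFoundException | LinkageError e) {
            return "NOT LOADABLE: " + e;
        }
    }

    /** Run body with the given context loader, always restoring the old one. */
    static <T> T withContextLoader(ClassLoader loader, Supplier<T> body) {
        Thread t = Thread.currentThread();
        ClassLoader previous = t.getContextClassLoader();
        // Under a security manager this call itself needs
        // RuntimePermission("setContextClassLoader") and may be denied.
        t.setContextClassLoader(loader);
        try {
            return body.get();
        } finally {
            t.setContextClassLoader(previous);
        }
    }

    public static void main(String[] args) {
        // Constructed default; pass the type your own trace fails on.
        String name = args.length > 0 ? args[0] : "java.util.ArrayList";
        ClassLoader context = Thread.currentThread().getContextClassLoader();
        ClassLoader own = LoaderProbe.class.getClassLoader();
        System.out.println("context loader: " + probe(name, context));
        System.out.println("own loader:     " + probe(name, own));
        String swapped = withContextLoader(own, () ->
                probe(name, Thread.currentThread().getContextClassLoader()));
        System.out.println("after swap:     " + swapped);
    }
}
```

Run it under the same policy file as the application to see which of the three lookups the security manager rejects.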