I'd love to hear what you think. The way I see this permission is that
accessing the jdk internal class loader is frowned upon but accessing the
factory classloader might be allowed.

Compile time weaving is going to be hard. Still using XML configurations...


On Wed, Jun 9, 2021, 6:29 PM Andy Clement <andrew.clem...@gmail.com> wrote:

> I'd be nervous about that kind of change but interested to hear what you
> learn.
>
> Repository is here: https://github.com/eclipse/org.aspectj
>
>
> Andy
>
> On Wed, 9 Jun 2021 at 13:16, Constantin Moisei <
> constantin.moi...@gmail.com> wrote:
>
>> Thanks both Andy and Tim!
>>
>> As Tim pointed out we don't control the weaving, it happens during the
>> app startup.
>>
>> I could look into what Tim mentions here, to just use compile time
>> weaving but I need to do some research.
>>
>> My original thought was to create an alternate factory and allow it to
>> use its getClass().getClassloader(). I mean that could be a fix. I didn't
>> check the source, but how is the classloader handled at this line
>> (ReflectionBasedReferenceTypeDelegateFactory.java:40)
>>
>> >at java.base/java.lang.Class.forName(Class.java:398)
>> >at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)
>>
>> Talking about sources, where is the repo? I could create my own variant
>> to see if I can bypass the issue.
>>
>>
>> On Wed, 9 Jun 2021 at 15:05, <n61...@gmail.com> wrote:
>>
>>> I doubt you have any options here for runtime weaving. The classloader
>>> in this case is controlled by Spring, and the security managers likely have
>>> a tight multi-tenant designed security policy.
>>>
>>> The best bet, even with Spring, is to change to compile-time weaving;
>>> this was the answer for an app I developed in the same situation.
>>>
>>> Also, note that Java 11, and later versions of Spring all are getting
>>> better at access control and fixing holes. Earlier versions of Spring used
>>> to take advantage of the security holes in the JVM to work, many of these
>>> security holes are getting closed off.
>>>
>>> You will also see more of these issues in the next LTS release (15 I
>>> think is the number).
>>>
>>> Tim
>>>
>>> *From:* aspectj-users <aspectj-users-boun...@eclipse.org> *On Behalf Of
>>> *Andy Clement
>>> *Sent:* Wednesday, June 9, 2021 3:59 PM
>>> *To:* aspectj-users@eclipse.org
>>> *Subject:* Re: [aspectj-users] Openjdk11 and Security Manager
>>>
>>> Hey,
>>>
>>> I'm not an expert on Java Security unfortunately (you might find a few
>>> of those folks if you ask this on Stack Overflow?).
>>>
>>> With your reference to it working for one classloader and not another,
>>> how feasible is it to set the context classloader to the one you find that
>>> works? Or will that break something else?
>>> (Thread.currentThread().setContextClassLoader(..))
>>>
>>> It is possible some doPrivileged blocks are missing in the reflection
>>> area but then I see the doPrivileged call deeper in the checkPackageAccess
>>> call, so maybe raising up the privileged check will just make it fail
>>> sooner.
>>>
>>> cheers,
>>>
>>> Andy
>>>
>>> On Wed, 9 Jun 2021 at 10:00, Constantin Moisei <
>>> constantin.moi...@gmail.com> wrote:
>>>
>>> Hello,
>>>
>>>
>>> I am running into a weird exception on an open jdk 11 vm with a tight
>>> security manager policy.
>>>
>>> What kind of control do I have over
>>> ReflectionBasedReferenceTypeDelegateFactory?
>>>
>>> In the past I had issues with how I get/handle the classloader but found
>>> a way to bypass it. However it was my own code so I could deal with it. Now
>>> I am facing a similar issue via the latest aspectj 1.9.6.
>>>
>>>  //ClassLoader loader = Thread.currentThread().getContextClassLoader(); //doesn't work
>>>
>>>  ClassLoader loader = this.getClass().getClassLoader(); //<---- this works
>>>
>>> Note that granting the permission is not a viable solution. It will be
>>> almost impossible to convince the vm owners to modify the policy. Has to be
>>> a different way.
>>>
>>> Here's the full exception
>>>
>>> Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.loader")
>>>     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>>>     at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
>>>     at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
>>>     at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
>>>     at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:691)
>>>     at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:689)
>>>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>>>     at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:689)
>>>     at java.base/java.lang.Class.forName0(Native Method)
>>>     at java.base/java.lang.Class.forName(Class.java:398)
>>>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)
>>>     at org.aspectj.weaver.reflect.ReflectionWorld.resolveDelegate(ReflectionWorld.java:111)
>>>     at org.aspectj.weaver.World.resolveToReferenceType(World.java:363)
>>>     at org.aspectj.weaver.World.resolve(World.java:258)
>>>     at org.aspectj.weaver.World.resolve(World.java:180)
>>>     at org.aspectj.weaver.World.resolve(World.java:326)
>>>     at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:103)
>>>     at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:93)
>>>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.toResolvedTypeArray(ReflectionBasedReferenceTypeDelegateFactory.java:214)
>>>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMethod(ReflectionBasedReferenceTypeDelegateFactory.java:107)
>>>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMember(ReflectionBasedReferenceTypeDelegateFactory.java:98)
>>>     at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(ReflectionBasedReferenceTypeDelegate.java:290)
>>>     at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:571)
>>>     at org.aspectj.weaver.ResolvedType.addAndRecurse(ResolvedType.java:271)
>>>     at org.aspectj.weaver.ResolvedType.getMethodsWithoutIterator(ResolvedType.java:265)
>>>     at org.aspectj.weaver.ResolvedType.lookupResolvedMember(ResolvedType.java:420)
>>>     at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:178)
>>>     at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
>>>     at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
>>>     at org.aspectj.weaver.JoinPointSignatureIterator.hasNext(JoinPointSignatureIterator.java:69)
>>>     at org.aspectj.weaver.patterns.SignaturePattern.matches(SignaturePattern.java:298)
>>>     at org.aspectj.weaver.patterns.KindedPointcut.matchInternal(KindedPointcut.java:106)
>>>     at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
>>>     at org.aspectj.weaver.patterns.OrPointcut.matchInternal(OrPointcut.java:51)
>>>     at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
>>>     at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.getShadowMatch(PointcutExpressionImpl.java:235)
>>>     at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesExecution(PointcutExpressionImpl.java:101)
>>>     at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesMethodExecution(PointcutExpressionImpl.java:92)
>>>     at org.springframework.aop.aspectj.AspectJExpressionPointcut.getShadowMatch(AspectJExpressionPointcut.java:408)
>>>     at org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExpressionPointcut.java:266)
>>>     at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:223)
>>>     at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262)
>>>     at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:294)
>>>     at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118)
>>>     at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88)
>>>     at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69)
>>>     at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:361)
>>>     at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:324)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:409)
>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:1657)
>>>     at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:112)
>>>     ... 42 more
>>>
>>> _______________________________________________
>>> aspectj-users mailing list
>>> aspectj-users@eclipse.org
>>> To unsubscribe from this list, visit
>>> https://www.eclipse.org/mailman/listinfo/aspectj-users
_______________________________________________
aspectj-users mailing list
aspectj-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/aspectj-users
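
A diagnostic for the classloader observation in this thread, added here as an example and not code from the thread, AspectJ or Spring: it resolves one class name through the thread context classloader and through the probe's own defining loader, and reports which attempts the security manager denies. The names LoaderProbe, tryLoad and probe are hypothetical, and the default class name jdk.internal.loader.ClassLoaders is an assumed stand-in for a class in the package named by the exception.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added diagnostic (hypothetical names). It grants nothing and changes no
// policy; it only records what the active security manager allows.
public class LoaderProbe {

    // Resolve a class without initializing it and describe the outcome.
    static String tryLoad(String className, ClassLoader loader) {
        try {
            Class<?> c = Class.forName(className, false, loader);
            return "loaded, defined by " + c.getClassLoader();
        } catch (SecurityException e) {
            // AccessControlException extends SecurityException; its message
            // names the missing permission (accessClassInPackage.<package>).
            return "denied: " + e.getMessage();
        } catch (ClassNotFoundException | LinkageError e) {
            return "not loadable: " + e;
        }
    }

    // Try the two loaders compared in the thread, in a stable order.
    static Map<String, String> probe(String className) {
        Map<String, String> report = new LinkedHashMap<>();
        try {
            ClassLoader ctx = Thread.currentThread().getContextClassLoader();
            report.put("context " + ctx, tryLoad(className, ctx));
        } catch (SecurityException e) {
            // Reading the context loader can itself need the
            // "getClassLoader" RuntimePermission under a tight policy.
            report.put("context", "getContextClassLoader denied: " + e.getMessage());
        }
        ClassLoader own = LoaderProbe.class.getClassLoader();
        report.put("defining " + own, tryLoad(className, own));
        return report;
    }

    public static void main(String[] args) {
        // Assumed default: a class in the package the exception names.
        String name = args.length > 0 ? args[0] : "jdk.internal.loader.ClassLoaders";
        probe(name).forEach((k, v) -> System.out.println(k + " -> " + v));
    }
}
```

Run it inside the restricted VM from the same deployment unit as the weaver: permission checks are evaluated against the protection domains of the calling code, so results from a differently privileged JAR do not carry over.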
