https://bz.apache.org/bugzilla/show_bug.cgi?id=64488
Bug ID: 64488
Summary: EL API: AccessControlException -- Import Handler
Product: Tomcat 10
Version: 10.0.0-M5
Hardware: Macintosh
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: EL
Assignee: dev@tomcat.apache.org
Reporter: volosied+apa...@gmail.com
Target Milestone: ------

Created attachment 37286
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37286&action=edit
Patch

Hello,

I encountered an AccessControlException when using the Tomcat 10.0.0-M5 EL API in Open Liberty. The stack trace is provided below, but the exception is thrown starting on this line:

jakarta.el.ImportHandler.findClass(ImportHandler.java:455)

I would appreciate it if someone could look at whether a security check should be added in the code. It appears to be a valid scenario. I've added a patch for reference (based off code from ExpressionFactory.java).

We also used the same Tomcat 10.0.0-M5 Jasper EL Implementation.

The application was run on the following JDK:

openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
Eclipse OpenJ9 VM (build openj9-0.15.1, JRE 1.8.0 Mac OS X amd64-64-Bit Compressed References 20190717_298 (JIT enabled, AOT enabled)
OpenJ9 - 0f66c6431
OMR - ec782f26
JCL - f147086df1 based on jdk8u222-b10)

Please let me know if you have any questions. Thank you.
_________________________________________

Permission:
("java.io.FilePermission" "/Library/Java/JavaVirtualMachines/adoptopenjdk-8-openj9.jdk/Contents/Home/jre/lib/rt.jar" "read")

Stack:
java.security.AccessControlException: Access denied ("java.io.FilePermission" "/Library/Java/JavaVirtualMachines/adoptopenjdk-8-openj9.jdk/Contents/Home/jre/lib/rt.jar" "read")
java.security.AccessController.throwACE(AccessController.java:176)
java.security.AccessController.checkPermissionHelper(AccessController.java:238)
java.security.AccessController.checkPermission(AccessController.java:385)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
com.ibm.oti.vm.AbstractClassLoader.findResource(AbstractClassLoader.java:194)
java.lang.ClassLoader.getResource(ClassLoader.java:584)
java.lang.ClassLoader.getResource(ClassLoader.java:586)
java.lang.ClassLoader.getResource(ClassLoader.java:586)
com.ibm.ws.kernel.internal.classloader.BootstrapChildFirstJarClassloader.getResource(BootstrapChildFirstJarClassloader.java:110)
org.eclipse.osgi.internal.loader.BundleLoader.findResource(BundleLoader.java:621)
org.eclipse.osgi.internal.loader.ModuleClassLoader.getResource(ModuleClassLoader.java:216)
com.ibm.ws.classloading.internal.GatewayClassLoader.findResource(GatewayClassLoader.java:134)
com.ibm.ws.classloading.internal.GatewayClassLoader.getResource(GatewayClassLoader.java:116)
java.lang.ClassLoader.getResource(ClassLoader.java:586)
jakarta.el.ImportHandler.findClass(ImportHandler.java:455)
jakarta.el.ImportHandler.resolveClass(ImportHandler.java:417)
jakarta.servlet.jsp.el.ScopedAttributeELResolver.getValue(ScopedAttributeELResolver.java:93)
org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:110)
org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:94)
org.apache.el.parser.AstValue.getValue(AstValue.java:137)
org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:190)
org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:794)
com.ibm._jsp._EL30StaticFieldsAndMethodsTests._jspService(_EL30StaticFieldsAndMethodsTests.java:109)
com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:100)
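
The stack trace above shows ClassLoader.getResource being reached from application (JSP) frames that hold no FilePermission on rt.jar. The following is an added example, not the attached patch and not Tomcat's code, of the general doPrivileged pattern for such a lookup; the class name PrivilegedResourceCheck, the helper classResourceExists and the name validation are assumptions made for illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

public class PrivilegedResourceCheck {

    // Hypothetical helper: reports whether a .class resource exists for a
    // fully qualified class name, without requiring callers further down the
    // stack to hold FilePermission on the JARs the class loader reads.
    static boolean classResourceExists(final ClassLoader cl, String className) {
        // Added hardening (an assumption, not from the report): accept only
        // identifier characters and dots, so the privileged lookup cannot be
        // pointed at arbitrary resource paths.
        for (int i = 0; i < className.length(); i++) {
            char c = className.charAt(i);
            if (c != '.' && !Character.isJavaIdentifierPart(c)) {
                return false;
            }
        }
        final String path = className.replace('.', '/') + ".class";

        if (System.getSecurityManager() == null) {
            // No SecurityManager installed: a plain lookup is enough.
            return cl.getResource(path) != null;
        }
        // The permission check now stops at this frame. Only a boolean leaves
        // the block, never the URL or the class loader.
        return AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                return Boolean.valueOf(cl.getResource(path) != null);
            }
        }).booleanValue();
    }

    public static void main(String[] args) {
        ClassLoader cl = PrivilegedResourceCheck.class.getClassLoader();
        // Constructed sample inputs.
        System.out.println(classResourceExists(cl, "java.lang.String"));     // existing class
        System.out.println(classResourceExists(cl, "java.lang.NoSuchType")); // missing class
        System.out.println(classResourceExists(cl, "../etc/passwd"));        // rejected name
    }
}
```

The privileged block is kept to the single getResource call so that the elevated permissions cover nothing else the caller could influence.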