On 08/11/2022 13:25, Rémy Maucherat wrote:
On Tue, Nov 8, 2022 at 2:16 PM <ma...@apache.org> wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 28ea2b9b2e Fix BZ 66294. Make use of privileged block optional.
Performance hotspot
28ea2b9b2e is described below
commit 28ea2b9b2e781d20e0651cb5e0b65bacd464150c
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Nov 8 13:16:32 2022 +0000
Fix BZ 66294. Make use of privileged block optional. Performance hotspot
https://bz.apache.org/bugzilla/show_bug.cgi?id=66294
That was the best option IMO. Too bad, another system property though ;)
Indeed. You know how much I dislike configuration via system property.
The good news is that if Jakarta EE 11 drops support for the
SecurityManager we can remove this and a whole bunch of other code as well.
Mark
Rémy
---
java/jakarta/el/Util.java | 5 ++++-
webapps/docs/changelog.xml | 7 +++++++
webapps/docs/config/systemprops.xml | 9 +++++++++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/java/jakarta/el/Util.java b/java/jakarta/el/Util.java
index b0a995c59b..71527d2429 100644
--- a/java/jakarta/el/Util.java
+++ b/java/jakarta/el/Util.java
@@ -43,6 +43,9 @@ class Util {
private static final Class<?>[] EMPTY_CLASS_ARRAY = new Class<?>[0];
private static final Object[] EMPTY_OBJECT_ARRAY = new Object[0];
+ private static final boolean GET_CLASSLOADER_USE_PRIVILEGED =
+ Boolean.getBoolean("org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED");
+
/**
* Checks whether the supplied Throwable is one that needs to be
* rethrown and swallows all others.
@@ -655,7 +658,7 @@ class Util {
static ClassLoader getContextClassLoader() {
ClassLoader tccl;
- if (System.getSecurityManager() != null) {
+ if (System.getSecurityManager() != null &&
GET_CLASSLOADER_USE_PRIVILEGED) {
PrivilegedAction<ClassLoader> pa = new PrivilegedGetTccl();
tccl = AccessController.doPrivileged(pa);
} else {
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 22c06cb070..33800616d7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -167,6 +167,13 @@
</subsection>
<subsection name="Jasper">
<changelog>
+ <fix>
+ <bug>66294</bug>: Make the use of a privileged block to obtain the
+ thread context class loader added to address <bug>62080</bug> optional
+ and disabled by default. This is now controlled by the
+ <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system
+ property. (markt)
+ </fix>
<fix>
<bug>66317</bug>: Fix for Lambda coercion security manager missing
privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
diff --git a/webapps/docs/config/systemprops.xml
b/webapps/docs/config/systemprops.xml
index 4225fd2bec..0def5feb97 100644
--- a/webapps/docs/config/systemprops.xml
+++ b/webapps/docs/config/systemprops.xml
@@ -74,6 +74,15 @@
<section name="Expression Language">
<properties>
+ <property name="org.apache.el. GET_CLASSLOADER_USE_PRIVILEGED">
+ <p>Controls whether the EL API classes make use of a privileged block to
+ obtain the thread context class loader. When using the EL API within
+ Apache Tomcat this does not need to be set as all calls are already
+ wrapped in a privileged block further up the stack. It may be required if
+ using the EL API under a SecurityManager outside of Apache Tomcat.</p>
+ <p>If not specified, the default of <code>false</code> will be used.</p>
+ </property>
+
<property name="org.apache.el.BeanELResolver. CACHE_SIZE">
<p>The number of jakarta.el.BeanELResolver.BeanProperties objects that
will
be cached by the EL Parser.</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
