[
https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher Schultz updated VELOCITY-968:
-----------------------------------------
Description:
When running under Java 17 or later, introspection often picks an inaccessible
method on a runtime object, which then fails when invoked.
For example, running the example below under Java 8, the output is simple:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 11 or later, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.velocity.runtime.parser.node.PropertyExecutor
(file:.../velocity-engine-core-2.3.jar) to method
sun.security.x509.X509CertImpl.getNotAfter()
WARNING: Please consider reporting this to the maintainers of
org.apache.velocity.runtime.parser.node.PropertyExecutor
WARNING: Use --illegal-access=warn to enable warnings of further illegal
reflective access operations
WARNING: All illegal access operations will be denied in a future release
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 17, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Exception in thread "main" org.apache.velocity.exception.VelocityException:
ASTIdentifier() : exception invoking method for identifier 'notAfter' in class
sun.security.x509.X509CertImpl
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
at
org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
at
org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
at
org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
at org.apache.velocity.Template.merge(Template.java:358)
at org.apache.velocity.Template.merge(Template.java:262)
at CertTest.main(CertTest.java:52)
Caused by: java.lang.IllegalAccessException: class
org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
sun.security.x509.X509CertImpl (in module java.base) because module java.base
does not export sun.security.x509 to unnamed module @45ad6cad
at
java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at
java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Method.invoke(Method.java:560)
at
org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
at
org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
... 6 more
{noformat}
It looks like Velocity is picking an inconvenient class on which to base its
method invocation.
Here is the test source.
{noformat}
import java.io.OutputStreamWriter;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.RuntimeSingleton;
public class CertTest {
private static final String certText = "-----BEGIN CERTIFICATE-----\n"
+ "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
+ "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
+ "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
+ "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
+ "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
+ "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
+ "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
+ "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n"
+ "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n"
+ "dzOrCDAKBggqhkjOPQQDAwNnADBkAjBx+sqV2gzUusdOvwltH7f7sp5UtZMRFKF4\n"
+ "mRcGA7buAZN/YPUGgkiUZ6ZEJmw8Dn8CMEEgm8c2WTYdO/CQ5DRBbfIt1TcpiDxk\n"
+ "0vM+YZrSctwCJhK+3h3i4X990XvjJQ3Hmw==\n"
+ "-----END CERTIFICATE-----\n"
;
private static final String templateText = "Test: $cert.notAfter\n";
public static void main(String[] args) throws Exception {
X509Certificate cert =
(X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(new
java.io.ByteArrayInputStream(certText.getBytes(StandardCharsets.US_ASCII)));
System.out.println("Cert notAfter=" + cert.getNotAfter()); VelocityContext
ctx = new VelocityContext();
ctx.put("cert", cert); VelocityEngine ve = new VelocityEngine();
ve.init(); RuntimeServices runtimeServices =
RuntimeSingleton.getRuntimeServices();
Template template = new Template();
template.setRuntimeServices(runtimeServices);
/// For Velocity 1.7:
//template.setData(runtimeServices.parse(new StringReader(templateText),
"Note Template")); // For Velocity 2.x
template.setData(runtimeServices.parse(new StringReader(templateText),
template)); template.initDocument(); OutputStreamWriter out = new
OutputStreamWriter(System.out);
template.merge(ctx, out);
out.flush();
}
}
{noformat}
This fails in the same way running under both Velocity 2.3 and Velocity 1.7
(with a small required source change).
was:
When running under Java 17 or later, introspection often picks an inaccessible
method on a runtime object, which then fails when invoked.
For example, running the example below under Java 8, the output is simple:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 11 or later, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.velocity.runtime.parser.node.PropertyExecutor
(file:/Users/christopherschultz/Documents/Eclipse/chadis-web/velocity-engine-core-2.3.jar)
to method sun.security.x509.X509CertImpl.getNotAfter()
WARNING: Please consider reporting this to the maintainers of
org.apache.velocity.runtime.parser.node.PropertyExecutor
WARNING: Use --illegal-access=warn to enable warnings of further illegal
reflective access operations
WARNING: All illegal access operations will be denied in a future release
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 17, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Exception in thread "main" org.apache.velocity.exception.VelocityException:
ASTIdentifier() : exception invoking method for identifier 'notAfter' in class
sun.security.x509.X509CertImpl
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
at
org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
at
org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
at
org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
at org.apache.velocity.Template.merge(Template.java:358)
at org.apache.velocity.Template.merge(Template.java:262)
at CertTest.main(CertTest.java:52)
Caused by: java.lang.IllegalAccessException: class
org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
sun.security.x509.X509CertImpl (in module java.base) because module java.base
does not export sun.security.x509 to unnamed module @45ad6cad
at
java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at
java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Method.invoke(Method.java:560)
at
org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
at
org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
... 6 more
{noformat}
It looks like Velocity is picking an inconvenient class on which to base its
method invocation.
Here is the test source.
{noformat}
import java.io.OutputStreamWriter;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.RuntimeSingleton;
public class CertTest {
private static final String certText = "-----BEGIN CERTIFICATE-----\n"
+ "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
+ "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
+ "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
+ "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
+ "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
+ "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
+ "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
+ "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n"
+ "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n"
+ "dzOrCDAKBggqhkjOPQQDAwNnADBkAjBx+sqV2gzUusdOvwltH7f7sp5UtZMRFKF4\n"
+ "mRcGA7buAZN/YPUGgkiUZ6ZEJmw8Dn8CMEEgm8c2WTYdO/CQ5DRBbfIt1TcpiDxk\n"
+ "0vM+YZrSctwCJhK+3h3i4X990XvjJQ3Hmw==\n"
+ "-----END CERTIFICATE-----\n"
;
private static final String templateText = "Test: $cert.notAfter\n";
public static void main(String[] args) throws Exception {
X509Certificate cert =
(X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(new
java.io.ByteArrayInputStream(certText.getBytes(StandardCharsets.US_ASCII)));
System.out.println("Cert notAfter=" + cert.getNotAfter()); VelocityContext
ctx = new VelocityContext();
ctx.put("cert", cert); VelocityEngine ve = new VelocityEngine();
ve.init(); RuntimeServices runtimeServices =
RuntimeSingleton.getRuntimeServices();
Template template = new Template();
template.setRuntimeServices(runtimeServices);
/// For Velocity 1.7:
//template.setData(runtimeServices.parse(new StringReader(templateText),
"Note Template")); // For Velocity 2.x
template.setData(runtimeServices.parse(new StringReader(templateText),
template)); template.initDocument(); OutputStreamWriter out = new
OutputStreamWriter(System.out);
template.merge(ctx, out);
out.flush();
}
}
{noformat}
This fails in the same way running under both Velocity 2.3 and Velocity 1.7
(with a small required source change).
> In Java 17+, introspection fails in many cases due to permissions
> -----------------------------------------------------------------
>
> Key: VELOCITY-968
> URL: https://issues.apache.org/jira/browse/VELOCITY-968
> Project: Velocity
> Issue Type: Bug
> Components: Engine
> Affects Versions: 1.7.x, 2.3
> Environment: Java 17
> Reporter: Christopher Schultz
> Priority: Major
>
> When running under Java 17 or later, introspection often picks an
> inaccessible method on a runtime object, which then fails when invoked.
> For example, running the example below under Java 8, the output is simple:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 11 or later, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> (file:.../velocity-engine-core-2.3.jar) to method
> sun.security.x509.X509CertImpl.getNotAfter()
> WARNING: Please consider reporting this to the maintainers of
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 17, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Exception in thread "main" org.apache.velocity.exception.VelocityException:
> ASTIdentifier() : exception invoking method for identifier 'notAfter' in
> class sun.security.x509.X509CertImpl
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
> at
> org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
> at org.apache.velocity.Template.merge(Template.java:358)
> at org.apache.velocity.Template.merge(Template.java:262)
> at CertTest.main(CertTest.java:52)
> Caused by: java.lang.IllegalAccessException: class
> org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
> sun.security.x509.X509CertImpl (in module java.base) because module java.base
> does not export sun.security.x509 to unnamed module @45ad6cad
> at
> java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
> at
> java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
> at java.base/java.lang.reflect.Method.invoke(Method.java:560)
> at
> org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
> ... 6 more
> {noformat}
> It looks like Velocity is picking an inconvenient class on which to base its
> method invocation.
>
> Here is the test source.
> {noformat}
> import java.io.OutputStreamWriter;
> import java.io.StringReader;
> import java.nio.charset.StandardCharsets;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import java.security.cert.CertificateFactory;
> import org.apache.velocity.Template;
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.VelocityEngine;
> import org.apache.velocity.runtime.RuntimeServices;
> import org.apache.velocity.runtime.RuntimeSingleton;
> public class CertTest {
> private static final String certText = "-----BEGIN CERTIFICATE-----\n"
> + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
> + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
> + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
> + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
> + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
> + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
> + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
> + "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n"
> + "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n"
> + "dzOrCDAKBggqhkjOPQQDAwNnADBkAjBx+sqV2gzUusdOvwltH7f7sp5UtZMRFKF4\n"
> + "mRcGA7buAZN/YPUGgkiUZ6ZEJmw8Dn8CMEEgm8c2WTYdO/CQ5DRBbfIt1TcpiDxk\n"
> + "0vM+YZrSctwCJhK+3h3i4X990XvjJQ3Hmw==\n"
> + "-----END CERTIFICATE-----\n"
> ;
> private static final String templateText = "Test: $cert.notAfter\n";
> public static void main(String[] args) throws Exception {
> X509Certificate cert =
> (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(new
> java.io.ByteArrayInputStream(certText.getBytes(StandardCharsets.US_ASCII)));
> System.out.println("Cert notAfter=" + cert.getNotAfter());
> VelocityContext ctx = new VelocityContext();
> ctx.put("cert", cert); VelocityEngine ve = new VelocityEngine();
> ve.init(); RuntimeServices runtimeServices =
> RuntimeSingleton.getRuntimeServices();
> Template template = new Template();
> template.setRuntimeServices(runtimeServices);
> /// For Velocity 1.7:
> //template.setData(runtimeServices.parse(new StringReader(templateText),
> "Note Template")); // For Velocity 2.x
> template.setData(runtimeServices.parse(new StringReader(templateText),
> template)); template.initDocument(); OutputStreamWriter out = new
> OutputStreamWriter(System.out);
> template.merge(ctx, out);
> out.flush();
> }
> }
> {noformat}
> This fails in the same way running under both Velocity 2.3 and Velocity 1.7
> (with a small required source change).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
