[ 
https://issues.apache.org/jira/browse/JEXL-424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17855020#comment-17855020
 ] 

Xu Pengcheng commented on JEXL-424:
-----------------------------------

got it, thank you!

> Permission error after upgraded to JDK 21
> -----------------------------------------
>
>                 Key: JEXL-424
>                 URL: https://issues.apache.org/jira/browse/JEXL-424
>             Project: Commons JEXL
>          Issue Type: Bug
>    Affects Versions: 3.3
>            Reporter: Xu Pengcheng
>            Priority: Major
>
> {code:java}
> JexlSandbox sandbox = new JexlSandbox(false, true);
> sandbox.permissions(Map.class.getName(), true, true, true, true);
> ...
> String jexlCode = "x.foo = 'bar';" 
> JexlEngine engine =
>     new Engine(
>         new JexlBuilder()
>             .sandbox(sandbox)
>             .safe(false)
>             .strict(true));
> Map<String, Object> vars = new LinkedHashMap<>();
> vars.put("x",  new LinkedHashMap<>());
> engine.createScript(jexlCode).execute(new MapContext(vars)); {code}
> The code is ok with JDK11, but caused an error "undefined property 'foo'" 
> with JDK21.
>  
> I did some debug and found the problem is
> JDK11:  LinkedHashMap implements Map
> JDK21: LinkedHashMap implements SequencedMap extends Map
> and from 
> [JexlSandbox.java#L540|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java#L540]]
> {code:java}
>                 for (final Class<?> inter : clazz.getInterfaces()) {
>                     permissions = sandbox.get(inter.getName());
>                     if (permissions != null) {
>                         if (permissions.isInheritable()) {
>                             break;
>                         }
>                         permissions = null;
>                     }
>                 } {code}
> sandbox only checks the direct interfaces but not check it's super interface, 
> but for class permission check, it looks into its parents, is it by design or 
> a bug?
>  
> And also because which checking permission of class, it does not check it's 
> interface's permission, the result of class is not stable in case parent 
> class has permission from it's interface.
> for example:
> {code:java}
> interface I{}
> static class A implements I{}
> static class B extends A{}
> @Test
> void testPermission() {
>   JexlSandbox sandbox = new JexlSandbox(false, true);
>   sandbox.permissions(I.class.getName(), true, true, true, false);
>   System.out.println("permission A=" + 
> sandbox.get(A.class.getName()).write());
>   System.out.println("permission B=" + 
> sandbox.get(B.class.getName()).write());
> }
>  {code}
> result is 
> permission 
> A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13
> permission 
> B=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13
> but if checking B befoer A, the result is 
> permission B=org.apache.commons.jexl3.introspection.JexlSandbox$2@6c1832aa
> permission 
> A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@47ad69f7
>  
> BTW, what is the release date for next version? thanks!
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to