[ https://issues.apache.org/jira/browse/JEXL-424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17855020#comment-17855020 ]
Xu Pengcheng commented on JEXL-424: ----------------------------------- got it, thank you! > Permission error after upgraded to JDK 21 > ----------------------------------------- > > Key: JEXL-424 > URL: https://issues.apache.org/jira/browse/JEXL-424 > Project: Commons JEXL > Issue Type: Bug > Affects Versions: 3.3 > Reporter: Xu Pengcheng > Priority: Major > > {code:java} > JexlSandbox sandbox = new JexlSandbox(false, true); > sandbox.permissions(Map.class.getName(), true, true, true, true); > ... > String jexlCode = "x.foo = 'bar';" > JexlEngine engine = > new Engine( > new JexlBuilder() > .sandbox(sandbox) > .safe(false) > .strict(true)); > Map<String, Object> vars = new LinkedHashMap<>(); > vars.put("x", new LinkedHashMap<>()); > engine.createScript(jexlCode).execute(new MapContext(vars)); {code} > The code is ok with JDK11, but caused an error "undefined property 'foo'" > with JDK21. > > I did some debug and found the problem is > JDK11: LinkedHashMap implements Map > JDK21: LinkedHashMap implements SequencedMap extends Map > and from > [JexlSandbox.java#L540|https://github.com/apache/commons-jexl/blob/master/src/main/java/org/apache/commons/jexl3/introspection/JexlSandbox.java#L540]] > {code:java} > for (final Class<?> inter : clazz.getInterfaces()) { > permissions = sandbox.get(inter.getName()); > if (permissions != null) { > if (permissions.isInheritable()) { > break; > } > permissions = null; > } > } {code} > sandbox only checks the direct interfaces but not check it's super interface, > but for class permission check, it looks into its parents, is it by design or > a bug? > > And also because which checking permission of class, it does not check it's > interface's permission, the result of class is not stable in case parent > class has permission from it's interface. > for example: > {code:java} > interface I{} > static class A implements I{} > static class B extends A{} > @Test > void testPermission() { > JexlSandbox sandbox = new JexlSandbox(false, true); > sandbox.permissions(I.class.getName(), true, true, true, false); > System.out.println("permission A=" + > sandbox.get(A.class.getName()).write()); > System.out.println("permission B=" + > sandbox.get(B.class.getName()).write()); > } > {code} > result is > permission > A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13 > permission > B=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@31e04b13 > but if checking B befoer A, the result is > permission B=org.apache.commons.jexl3.introspection.JexlSandbox$2@6c1832aa > permission > A=org.apache.commons.jexl3.introspection.JexlSandbox$AllowSet@47ad69f7 > > BTW, what is the release date for next version? thanks! > -- This message was sent by Atlassian Jira (v8.20.10#820010)