[jira] [Commented] (VELOCITY-952) Velocity is calling the "wrong" method
[
https://issues.apache.org/jira/browse/VELOCITY-952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772341#comment-17772341
]
Christopher Schultz commented on VELOCITY-952:
--
I reported this as VELOCITY-968 and offered the following as a suggestion. I
don't know how the introspector works, so I'm just waving my hands, here:
"
Maybe
org.apache.velocity.util.introspection.MethodMap.getBestMatch(List,
Class[]) can choose a superclass method over a subclass method if they are
otherwise equivalent?
"
I've read the documentation for MethodOverrideUberspector.java and I think if
you just always use the most-superclass-or-superinterface method available,
many of these issues can be avoided without any additional overhead of
remembering the return-type of certain "get" invocations. This will also help
when Velocity wasn't responsible for performing the original access, for
example when the object is just dropped into the context by Java code and has a
runtime type different from the declared type in the code.
> Velocity is calling the "wrong" method
> --
>
> Key: VELOCITY-952
> URL: https://issues.apache.org/jira/browse/VELOCITY-952
> Project: Velocity
> Issue Type: Bug
> Components: Engine
>Affects Versions: 2.3
>Reporter: Thomas Mortagne
>Priority: Major
>
> OK, the title is maybe a bit harsh, but it catches the eyes :)
> At XWiki we recently started testing on Java 17 to see if there is any
> problem which leaded us to add things like {{--add-opens
> java.base/java.util=ALL-UNNAMED}} but Velocity happen to be the source of
> another problem related to the new module world.
> When doing something like {{$datetool.timeZone.getOffset(0)}} ($datetool
> being the org.apache.velocity.tools.generic.DateTool) we get the following
> error:
> {noformat}
> ...
> Caused by: java.lang.IllegalAccessException: class
> org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl cannot
> access class sun.util.calendar.ZoneInfo (in module java.base) because module
> java.base does not export sun.util.calendar to unnamed module @7ca16adc
> at
> java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
> at
> java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
> at java.base/java.lang.reflect.Method.invoke(Method.java:560)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554)
> at
> org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221)
> ... 199 more
> {noformat}
> The reason is that while the developer intent/expectation was to call
> "java.util.TimeZone#getOffset(0)" what Velocity really called from JVM point
> of view is "sun.util.calendar.ZoneInfo.getOffset(0)" directly.
> That's because Velocity is doing (I assume, since I did not check the exact
> code) the equivalent of:
> {noformat}
> java.util.TimeZone.getDefault().getClass().getMethod("getOffset",
> long.class).invoke(TimeZone.getDefault(), 0);
> {noformat}
> which is itself the equivalent of:
> {noformat}
> sun.util.calendar.ZoneInfo.class.getMethod("getOffset",
> long.class).invoke(TimeZone.getDefault(), 0);
> {noformat}
> I guess the only way to fix this would be to track down the lowest overridden
> Method (I agree, it might not always be easy to choose between two interfaces
> declaring a method with the same signature, but choosing the first one we
> find from the same hierarchy level is still better than nothing) and call
> that one instead. With the use case used as example in this issue, that would
> mean ending up doing the equivalent of:
> {noformat}
> java.util.TimeZone.class.getMethod("getOffset",
> long.class).invoke(TimeZone.getDefault(), 0);
> {noformat}
> which, from JVM point of view, is covered by the {{--add-opens
> java.base/java.util=ALL-UNNAMED}}.
> It would be a big change, but at least can't think of any retro-compatibility
> problem it might cause.
> One might be tempted to answer "just add {{--add-opens
> java.base/sun.util.calendar=ALL-UNNAMED}}" but it does not seem fair as this
> is not what the API that the script uses was exposing at all, you might need
> to document a different one for each JVM implementation (even if it's
> probably unlikely for this specific example) but more importantly you will
> potentially need quite a lot of those and will only discover it at runtime
> since it's not so easy to guess from an API in which you only know the public
> JVM classes since that's what you manipulate.
> I would be happy to work on this, but I wanted first ask what others think
> about this problem in general and the possible solutions
[jira] [Resolved] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[
https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher Schultz resolved VELOCITY-968.
--
Resolution: Duplicate
Duplicate of VELOCITY-952
> In Java 17+, introspection fails in many cases due to permissions
> -
>
> Key: VELOCITY-968
> URL: https://issues.apache.org/jira/browse/VELOCITY-968
> Project: Velocity
> Issue Type: Bug
> Components: Engine
>Affects Versions: 1.7.x, 2.3
> Environment: Java 17
>Reporter: Christopher Schultz
>Priority: Major
>
> When running under Java 17 or later, introspection often picks an
> inaccessible method on a runtime object, which then fails when invoked.
> For example, running the example below under Java 8, the output is simple:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 11 or later, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> (file:.../velocity-engine-core-2.3.jar) to method
> sun.security.x509.X509CertImpl.getNotAfter()
> WARNING: Please consider reporting this to the maintainers of
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 17, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Exception in thread "main" org.apache.velocity.exception.VelocityException:
> ASTIdentifier() : exception invoking method for identifier 'notAfter' in
> class sun.security.x509.X509CertImpl
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
> at
> org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
> at org.apache.velocity.Template.merge(Template.java:358)
> at org.apache.velocity.Template.merge(Template.java:262)
> at CertTest.main(CertTest.java:52)
> Caused by: java.lang.IllegalAccessException: class
> org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
> sun.security.x509.X509CertImpl (in module java.base) because module java.base
> does not export sun.security.x509 to unnamed module @45ad6cad
> at
> java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
> at
> java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
> at java.base/java.lang.reflect.Method.invoke(Method.java:560)
> at
> org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
> ... 6 more
> {noformat}
> It looks like Velocity is picking an inconvenient class on which to base its
> method invocation.
>
> Here is the test source.
> {noformat}
> import java.io.OutputStreamWriter;
> import java.io.StringReader;
> import java.nio.charset.StandardCharsets;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import java.security.cert.CertificateFactory;
> import org.apache.velocity.Template;
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.VelocityEngine;
> import org.apache.velocity.runtime.RuntimeServices;
> import org.apache.velocity.runtime.RuntimeSingleton;
> public class CertTest {
> private static final String certText = "-BEGIN CERTIFICATE-\n"
> + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
> + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
> + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
> + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
> + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
> + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
> + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
> + "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n"
> + "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n"
> +
[jira] [Commented] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[
https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772338#comment-17772338
]
Christopher Schultz commented on VELOCITY-968:
--
Yes, it does indeed look like a duplicate. Apologies. I did search, but the
description of VELOCITY-952 didn't seem to match and I didn't read the details.
> In Java 17+, introspection fails in many cases due to permissions
> -
>
> Key: VELOCITY-968
> URL: https://issues.apache.org/jira/browse/VELOCITY-968
> Project: Velocity
> Issue Type: Bug
> Components: Engine
>Affects Versions: 1.7.x, 2.3
> Environment: Java 17
>Reporter: Christopher Schultz
>Priority: Major
>
> When running under Java 17 or later, introspection often picks an
> inaccessible method on a runtime object, which then fails when invoked.
> For example, running the example below under Java 8, the output is simple:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 11 or later, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> (file:.../velocity-engine-core-2.3.jar) to method
> sun.security.x509.X509CertImpl.getNotAfter()
> WARNING: Please consider reporting this to the maintainers of
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 17, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Exception in thread "main" org.apache.velocity.exception.VelocityException:
> ASTIdentifier() : exception invoking method for identifier 'notAfter' in
> class sun.security.x509.X509CertImpl
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
> at
> org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
> at org.apache.velocity.Template.merge(Template.java:358)
> at org.apache.velocity.Template.merge(Template.java:262)
> at CertTest.main(CertTest.java:52)
> Caused by: java.lang.IllegalAccessException: class
> org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
> sun.security.x509.X509CertImpl (in module java.base) because module java.base
> does not export sun.security.x509 to unnamed module @45ad6cad
> at
> java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
> at
> java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
> at java.base/java.lang.reflect.Method.invoke(Method.java:560)
> at
> org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
> ... 6 more
> {noformat}
> It looks like Velocity is picking an inconvenient class on which to base its
> method invocation.
>
> Here is the test source.
> {noformat}
> import java.io.OutputStreamWriter;
> import java.io.StringReader;
> import java.nio.charset.StandardCharsets;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import java.security.cert.CertificateFactory;
> import org.apache.velocity.Template;
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.VelocityEngine;
> import org.apache.velocity.runtime.RuntimeServices;
> import org.apache.velocity.runtime.RuntimeSingleton;
> public class CertTest {
> private static final String certText = "-BEGIN CERTIFICATE-\n"
> + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
> + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
> + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
> + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
> + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
> + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
> + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
> +
[jira] [Comment Edited] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[
https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772335#comment-17772335
]
Christopher Schultz edited comment on VELOCITY-968 at 10/5/23 6:28 PM:
---
Maybe
org.apache.velocity.util.introspection.MethodMap.getBestMatch(List,
Class[]) can choose a superclass method over a subclass method if they are
otherwise equivalent?
was (Author: ch...@christopherschultz.net):
Maybe
`org.apache.velocity.util.introspection.MethodMap.getBestMatch(List,
Class[])` can choose a superclass method over a subclass method if they are
otherwise equivalent?
> In Java 17+, introspection fails in many cases due to permissions
> -
>
> Key: VELOCITY-968
> URL: https://issues.apache.org/jira/browse/VELOCITY-968
> Project: Velocity
> Issue Type: Bug
> Components: Engine
>Affects Versions: 1.7.x, 2.3
> Environment: Java 17
>Reporter: Christopher Schultz
>Priority: Major
>
> When running under Java 17 or later, introspection often picks an
> inaccessible method on a runtime object, which then fails when invoked.
> For example, running the example below under Java 8, the output is simple:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 11 or later, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> (file:.../velocity-engine-core-2.3.jar) to method
> sun.security.x509.X509CertImpl.getNotAfter()
> WARNING: Please consider reporting this to the maintainers of
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 17, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Exception in thread "main" org.apache.velocity.exception.VelocityException:
> ASTIdentifier() : exception invoking method for identifier 'notAfter' in
> class sun.security.x509.X509CertImpl
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
> at
> org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
> at org.apache.velocity.Template.merge(Template.java:358)
> at org.apache.velocity.Template.merge(Template.java:262)
> at CertTest.main(CertTest.java:52)
> Caused by: java.lang.IllegalAccessException: class
> org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
> sun.security.x509.X509CertImpl (in module java.base) because module java.base
> does not export sun.security.x509 to unnamed module @45ad6cad
> at
> java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
> at
> java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
> at java.base/java.lang.reflect.Method.invoke(Method.java:560)
> at
> org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
> ... 6 more
> {noformat}
> It looks like Velocity is picking an inconvenient class on which to base its
> method invocation.
>
> Here is the test source.
> {noformat}
> import java.io.OutputStreamWriter;
> import java.io.StringReader;
> import java.nio.charset.StandardCharsets;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import java.security.cert.CertificateFactory;
> import org.apache.velocity.Template;
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.VelocityEngine;
> import org.apache.velocity.runtime.RuntimeServices;
> import org.apache.velocity.runtime.RuntimeSingleton;
> public class CertTest {
> private static final String certText = "-BEGIN CERTIFICATE-\n"
> + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
> + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
> + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
> + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
>
[jira] [Commented] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[
https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772335#comment-17772335
]
Christopher Schultz commented on VELOCITY-968:
--
Maybe
`org.apache.velocity.util.introspection.MethodMap.getBestMatch(List,
Class[])` can choose a superclass method over a subclass method if they are
otherwise equivalent?
> In Java 17+, introspection fails in many cases due to permissions
> -
>
> Key: VELOCITY-968
> URL: https://issues.apache.org/jira/browse/VELOCITY-968
> Project: Velocity
> Issue Type: Bug
> Components: Engine
>Affects Versions: 1.7.x, 2.3
> Environment: Java 17
>Reporter: Christopher Schultz
>Priority: Major
>
> When running under Java 17 or later, introspection often picks an
> inaccessible method on a runtime object, which then fails when invoked.
> For example, running the example below under Java 8, the output is simple:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 11 or later, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> (file:.../velocity-engine-core-2.3.jar) to method
> sun.security.x509.X509CertImpl.getNotAfter()
> WARNING: Please consider reporting this to the maintainers of
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 17, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Exception in thread "main" org.apache.velocity.exception.VelocityException:
> ASTIdentifier() : exception invoking method for identifier 'notAfter' in
> class sun.security.x509.X509CertImpl
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
> at
> org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
> at org.apache.velocity.Template.merge(Template.java:358)
> at org.apache.velocity.Template.merge(Template.java:262)
> at CertTest.main(CertTest.java:52)
> Caused by: java.lang.IllegalAccessException: class
> org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
> sun.security.x509.X509CertImpl (in module java.base) because module java.base
> does not export sun.security.x509 to unnamed module @45ad6cad
> at
> java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
> at
> java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
> at java.base/java.lang.reflect.Method.invoke(Method.java:560)
> at
> org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
> ... 6 more
> {noformat}
> It looks like Velocity is picking an inconvenient class on which to base its
> method invocation.
>
> Here is the test source.
> {noformat}
> import java.io.OutputStreamWriter;
> import java.io.StringReader;
> import java.nio.charset.StandardCharsets;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import java.security.cert.CertificateFactory;
> import org.apache.velocity.Template;
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.VelocityEngine;
> import org.apache.velocity.runtime.RuntimeServices;
> import org.apache.velocity.runtime.RuntimeSingleton;
> public class CertTest {
> private static final String certText = "-BEGIN CERTIFICATE-\n"
> + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
> + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
> + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
> + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
> + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
> + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
> + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
> +
[jira] [Commented] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[
https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772334#comment-17772334
]
Thomas Mortagne commented on VELOCITY-968:
--
Looks like a dupicate of VELOCITY-952.
> In Java 17+, introspection fails in many cases due to permissions
> -
>
> Key: VELOCITY-968
> URL: https://issues.apache.org/jira/browse/VELOCITY-968
> Project: Velocity
> Issue Type: Bug
> Components: Engine
>Affects Versions: 1.7.x, 2.3
> Environment: Java 17
>Reporter: Christopher Schultz
>Priority: Major
>
> When running under Java 17 or later, introspection often picks an
> inaccessible method on a runtime object, which then fails when invoked.
> For example, running the example below under Java 8, the output is simple:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 11 or later, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> (file:.../velocity-engine-core-2.3.jar) to method
> sun.security.x509.X509CertImpl.getNotAfter()
> WARNING: Please consider reporting this to the maintainers of
> org.apache.velocity.runtime.parser.node.PropertyExecutor
> WARNING: Use --illegal-access=warn to enable warnings of further illegal
> reflective access operations
> WARNING: All illegal access operations will be denied in a future release
> Test: Wed Jan 03 12:42:32 EST 2024
> {noformat}
> When running on Java 17, we get:
> {noformat}
> Cert notAfter=Wed Jan 03 12:42:32 EST 2024
> Exception in thread "main" org.apache.velocity.exception.VelocityException:
> ASTIdentifier() : exception invoking method for identifier 'notAfter' in
> class sun.security.x509.X509CertImpl
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
> at
> org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
> at
> org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
> at org.apache.velocity.Template.merge(Template.java:358)
> at org.apache.velocity.Template.merge(Template.java:262)
> at CertTest.main(CertTest.java:52)
> Caused by: java.lang.IllegalAccessException: class
> org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
> sun.security.x509.X509CertImpl (in module java.base) because module java.base
> does not export sun.security.x509 to unnamed module @45ad6cad
> at
> java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
> at
> java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
> at java.base/java.lang.reflect.Method.invoke(Method.java:560)
> at
> org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
> at
> org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
> at
> org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
> ... 6 more
> {noformat}
> It looks like Velocity is picking an inconvenient class on which to base its
> method invocation.
>
> Here is the test source.
> {noformat}
> import java.io.OutputStreamWriter;
> import java.io.StringReader;
> import java.nio.charset.StandardCharsets;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> import java.security.cert.CertificateFactory;
> import org.apache.velocity.Template;
> import org.apache.velocity.VelocityContext;
> import org.apache.velocity.app.VelocityEngine;
> import org.apache.velocity.runtime.RuntimeServices;
> import org.apache.velocity.runtime.RuntimeSingleton;
> public class CertTest {
> private static final String certText = "-BEGIN CERTIFICATE-\n"
> + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
> + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
> + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
> + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
> + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
> + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
> + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
> + "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n"
> + "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n"
> +
[jira] [Updated] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[
https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Christopher Schultz updated VELOCITY-968:
-
Description:
When running under Java 17 or later, introspection often picks an inaccessible
method on a runtime object, which then fails when invoked.
For example, running the example below under Java 8, the output is simple:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 11 or later, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.velocity.runtime.parser.node.PropertyExecutor
(file:.../velocity-engine-core-2.3.jar) to method
sun.security.x509.X509CertImpl.getNotAfter()
WARNING: Please consider reporting this to the maintainers of
org.apache.velocity.runtime.parser.node.PropertyExecutor
WARNING: Use --illegal-access=warn to enable warnings of further illegal
reflective access operations
WARNING: All illegal access operations will be denied in a future release
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 17, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Exception in thread "main" org.apache.velocity.exception.VelocityException:
ASTIdentifier() : exception invoking method for identifier 'notAfter' in class
sun.security.x509.X509CertImpl
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
at
org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
at
org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
at
org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
at org.apache.velocity.Template.merge(Template.java:358)
at org.apache.velocity.Template.merge(Template.java:262)
at CertTest.main(CertTest.java:52)
Caused by: java.lang.IllegalAccessException: class
org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
sun.security.x509.X509CertImpl (in module java.base) because module java.base
does not export sun.security.x509 to unnamed module @45ad6cad
at
java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at
java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Method.invoke(Method.java:560)
at
org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
at
org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
... 6 more
{noformat}
It looks like Velocity is picking an inconvenient class on which to base its
method invocation.
Here is the test source.
{noformat}
import java.io.OutputStreamWriter;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.RuntimeSingleton;
public class CertTest {
private static final String certText = "-BEGIN CERTIFICATE-\n"
+ "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
+ "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
+ "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
+ "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
+ "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
+ "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
+ "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
+ "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n"
+ "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n"
+ "dzOrCDAKBggqhkjOPQQDAwNnADBkAjBx+sqV2gzUusdOvwltH7f7sp5UtZMRFKF4\n"
+ "mRcGA7buAZN/YPUGgkiUZ6ZEJmw8Dn8CMEEgm8c2WTYdO/CQ5DRBbfIt1TcpiDxk\n"
+ "0vM+YZrSctwCJhK+3h3i4X990XvjJQ3Hmw==\n"
+ "-END CERTIFICATE-\n"
;
private static final String templateText = "Test: $cert.notAfter\n";
public static void main(String[] args) throws Exception {
X509Certificate cert =
(X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(new
java.io.ByteArrayInputStream(certText.getBytes(StandardCharsets.US_ASCII)));
System.out.println("Cert notAfter=" + cert.getNotAfter()); VelocityContext
ctx = new VelocityContext();
ctx.put("cert", cert); VelocityEngine ve = new
[jira] [Created] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
Christopher Schultz created VELOCITY-968:
Summary: In Java 17+, introspection fails in many cases due to
permissions
Key: VELOCITY-968
URL: https://issues.apache.org/jira/browse/VELOCITY-968
Project: Velocity
Issue Type: Bug
Components: Engine
Affects Versions: 2.3, 1.7.x
Environment: Java 17
Reporter: Christopher Schultz
When running under Java 17 or later, introspection often picks an inaccessible
method on a runtime object, which then fails when invoked.
For example, running the example below under Java 8, the output is simple:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 11 or later, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.velocity.runtime.parser.node.PropertyExecutor
(file:/Users/christopherschultz/Documents/Eclipse/chadis-web/velocity-engine-core-2.3.jar)
to method sun.security.x509.X509CertImpl.getNotAfter()
WARNING: Please consider reporting this to the maintainers of
org.apache.velocity.runtime.parser.node.PropertyExecutor
WARNING: Use --illegal-access=warn to enable warnings of further illegal
reflective access operations
WARNING: All illegal access operations will be denied in a future release
Test: Wed Jan 03 12:42:32 EST 2024
{noformat}
When running on Java 17, we get:
{noformat}
Cert notAfter=Wed Jan 03 12:42:32 EST 2024
Exception in thread "main" org.apache.velocity.exception.VelocityException:
ASTIdentifier() : exception invoking method for identifier 'notAfter' in class
sun.security.x509.X509CertImpl
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282)
at
org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368)
at
org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492)
at
org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439)
at org.apache.velocity.Template.merge(Template.java:358)
at org.apache.velocity.Template.merge(Template.java:262)
at CertTest.main(CertTest.java:52)
Caused by: java.lang.IllegalAccessException: class
org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class
sun.security.x509.X509CertImpl (in module java.base) because module java.base
does not export sun.security.x509 to unnamed module @45ad6cad
at
java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at
java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Method.invoke(Method.java:560)
at
org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149)
at
org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722)
at
org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217)
... 6 more
{noformat}
It looks like Velocity is picking an inconvenient class on which to base its
method invocation.
Here is the test source.
{noformat}
import java.io.OutputStreamWriter;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateFactory;
import org.apache.velocity.Template;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeServices;
import org.apache.velocity.runtime.RuntimeSingleton;
public class CertTest {
private static final String certText = "-BEGIN CERTIFICATE-\n"
+ "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n"
+ "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n"
+ "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n"
+ "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n"
+ "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n"
+ "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n"
+ "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n"
+ "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n"
+ "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n"
+ "dzOrCDAKBggqhkjOPQQDAwNnADBkAjBx+sqV2gzUusdOvwltH7f7sp5UtZMRFKF4\n"
+ "mRcGA7buAZN/YPUGgkiUZ6ZEJmw8Dn8CMEEgm8c2WTYdO/CQ5DRBbfIt1TcpiDxk\n"
+ "0vM+YZrSctwCJhK+3h3i4X990XvjJQ3Hmw==\n"
+ "-END CERTIFICATE-\n"
;
private static final String templateText = "Test: $cert.notAfter\n";
public static void main(String[] args) throws Exception {
X509Certificate cert =
