[jira] [Commented] (VELOCITY-952) Velocity is calling the "wrong" method
[ https://issues.apache.org/jira/browse/VELOCITY-952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772341#comment-17772341 ] Christopher Schultz commented on VELOCITY-952: -- I reported this as VELOCITY-968 and offered the following as a suggestion. I don't know how the introspector works, so I'm just waving my hands, here: " Maybe org.apache.velocity.util.introspection.MethodMap.getBestMatch(List, Class[]) can choose a superclass method over a subclass method if they are otherwise equivalent? " I've read the documentation for MethodOverrideUberspector.java and I think if you just always use the most-superclass-or-superinterface method available, many of these issues can be avoided without any additional overhead of remembering the return-type of certain "get" invocations. This will also help when Velocity wasn't responsible for performing the original access, for example when the object is just dropped into the context by Java code and has a runtime type different from the declared type in the code. > Velocity is calling the "wrong" method > -- > > Key: VELOCITY-952 > URL: https://issues.apache.org/jira/browse/VELOCITY-952 > Project: Velocity > Issue Type: Bug > Components: Engine >Affects Versions: 2.3 >Reporter: Thomas Mortagne >Priority: Major > > OK, the title is maybe a bit harsh, but it catches the eyes :) > At XWiki we recently started testing on Java 17 to see if there is any > problem which leaded us to add things like {{--add-opens > java.base/java.util=ALL-UNNAMED}} but Velocity happen to be the source of > another problem related to the new module world. > When doing something like {{$datetool.timeZone.getOffset(0)}} ($datetool > being the org.apache.velocity.tools.generic.DateTool) we get the following > error: > {noformat} > ... > Caused by: java.lang.IllegalAccessException: class > org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl cannot > access class sun.util.calendar.ZoneInfo (in module java.base) because module > java.base does not export sun.util.calendar to unnamed module @7ca16adc > at > java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) > at > java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) > at java.base/java.lang.reflect.Method.invoke(Method.java:560) > at > org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:571) > at > org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:554) > at > org.apache.velocity.runtime.parser.node.ASTMethod.execute(ASTMethod.java:221) > ... 199 more > {noformat} > The reason is that while the developer intent/expectation was to call > "java.util.TimeZone#getOffset(0)" what Velocity really called from JVM point > of view is "sun.util.calendar.ZoneInfo.getOffset(0)" directly. > That's because Velocity is doing (I assume, since I did not check the exact > code) the equivalent of: > {noformat} > java.util.TimeZone.getDefault().getClass().getMethod("getOffset", > long.class).invoke(TimeZone.getDefault(), 0); > {noformat} > which is itself the equivalent of: > {noformat} > sun.util.calendar.ZoneInfo.class.getMethod("getOffset", > long.class).invoke(TimeZone.getDefault(), 0); > {noformat} > I guess the only way to fix this would be to track down the lowest overridden > Method (I agree, it might not always be easy to choose between two interfaces > declaring a method with the same signature, but choosing the first one we > find from the same hierarchy level is still better than nothing) and call > that one instead. With the use case used as example in this issue, that would > mean ending up doing the equivalent of: > {noformat} > java.util.TimeZone.class.getMethod("getOffset", > long.class).invoke(TimeZone.getDefault(), 0); > {noformat} > which, from JVM point of view, is covered by the {{--add-opens > java.base/java.util=ALL-UNNAMED}}. > It would be a big change, but at least can't think of any retro-compatibility > problem it might cause. > One might be tempted to answer "just add {{--add-opens > java.base/sun.util.calendar=ALL-UNNAMED}}" but it does not seem fair as this > is not what the API that the script uses was exposing at all, you might need > to document a different one for each JVM implementation (even if it's > probably unlikely for this specific example) but more importantly you will > potentially need quite a lot of those and will only discover it at runtime > since it's not so easy to guess from an API in which you only know the public > JVM classes since that's what you manipulate. > I would be happy to work on this, but I wanted first ask what others think > about this problem in general and the possible solutions
[jira] [Resolved] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[ https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Christopher Schultz resolved VELOCITY-968. -- Resolution: Duplicate Duplicate of VELOCITY-952 > In Java 17+, introspection fails in many cases due to permissions > - > > Key: VELOCITY-968 > URL: https://issues.apache.org/jira/browse/VELOCITY-968 > Project: Velocity > Issue Type: Bug > Components: Engine >Affects Versions: 1.7.x, 2.3 > Environment: Java 17 >Reporter: Christopher Schultz >Priority: Major > > When running under Java 17 or later, introspection often picks an > inaccessible method on a runtime object, which then fails when invoked. > For example, running the example below under Java 8, the output is simple: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 11 or later, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > WARNING: An illegal reflective access operation has occurred > WARNING: Illegal reflective access by > org.apache.velocity.runtime.parser.node.PropertyExecutor > (file:.../velocity-engine-core-2.3.jar) to method > sun.security.x509.X509CertImpl.getNotAfter() > WARNING: Please consider reporting this to the maintainers of > org.apache.velocity.runtime.parser.node.PropertyExecutor > WARNING: Use --illegal-access=warn to enable warnings of further illegal > reflective access operations > WARNING: All illegal access operations will be denied in a future release > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 17, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Exception in thread "main" org.apache.velocity.exception.VelocityException: > ASTIdentifier() : exception invoking method for identifier 'notAfter' in > class sun.security.x509.X509CertImpl > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282) > at > org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) > at > org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) > at > org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) > at org.apache.velocity.Template.merge(Template.java:358) > at org.apache.velocity.Template.merge(Template.java:262) > at CertTest.main(CertTest.java:52) > Caused by: java.lang.IllegalAccessException: class > org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class > sun.security.x509.X509CertImpl (in module java.base) because module java.base > does not export sun.security.x509 to unnamed module @45ad6cad > at > java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) > at > java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) > at java.base/java.lang.reflect.Method.invoke(Method.java:560) > at > org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149) > at > org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722) > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217) > ... 6 more > {noformat} > It looks like Velocity is picking an inconvenient class on which to base its > method invocation. > > Here is the test source. > {noformat} > import java.io.OutputStreamWriter; > import java.io.StringReader; > import java.nio.charset.StandardCharsets; > import java.security.cert.Certificate; > import java.security.cert.X509Certificate; > import java.security.cert.CertificateFactory; > import org.apache.velocity.Template; > import org.apache.velocity.VelocityContext; > import org.apache.velocity.app.VelocityEngine; > import org.apache.velocity.runtime.RuntimeServices; > import org.apache.velocity.runtime.RuntimeSingleton; > public class CertTest { > private static final String certText = "-BEGIN CERTIFICATE-\n" > + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n" > + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n" > + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n" > + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n" > + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n" > + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n" > + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n" > + "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n" > + "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n" > +
[jira] [Commented] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[ https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772338#comment-17772338 ] Christopher Schultz commented on VELOCITY-968: -- Yes, it does indeed look like a duplicate. Apologies. I did search, but the description of VELOCITY-952 didn't seem to match and I didn't read the details. > In Java 17+, introspection fails in many cases due to permissions > - > > Key: VELOCITY-968 > URL: https://issues.apache.org/jira/browse/VELOCITY-968 > Project: Velocity > Issue Type: Bug > Components: Engine >Affects Versions: 1.7.x, 2.3 > Environment: Java 17 >Reporter: Christopher Schultz >Priority: Major > > When running under Java 17 or later, introspection often picks an > inaccessible method on a runtime object, which then fails when invoked. > For example, running the example below under Java 8, the output is simple: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 11 or later, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > WARNING: An illegal reflective access operation has occurred > WARNING: Illegal reflective access by > org.apache.velocity.runtime.parser.node.PropertyExecutor > (file:.../velocity-engine-core-2.3.jar) to method > sun.security.x509.X509CertImpl.getNotAfter() > WARNING: Please consider reporting this to the maintainers of > org.apache.velocity.runtime.parser.node.PropertyExecutor > WARNING: Use --illegal-access=warn to enable warnings of further illegal > reflective access operations > WARNING: All illegal access operations will be denied in a future release > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 17, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Exception in thread "main" org.apache.velocity.exception.VelocityException: > ASTIdentifier() : exception invoking method for identifier 'notAfter' in > class sun.security.x509.X509CertImpl > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282) > at > org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) > at > org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) > at > org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) > at org.apache.velocity.Template.merge(Template.java:358) > at org.apache.velocity.Template.merge(Template.java:262) > at CertTest.main(CertTest.java:52) > Caused by: java.lang.IllegalAccessException: class > org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class > sun.security.x509.X509CertImpl (in module java.base) because module java.base > does not export sun.security.x509 to unnamed module @45ad6cad > at > java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) > at > java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) > at java.base/java.lang.reflect.Method.invoke(Method.java:560) > at > org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149) > at > org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722) > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217) > ... 6 more > {noformat} > It looks like Velocity is picking an inconvenient class on which to base its > method invocation. > > Here is the test source. > {noformat} > import java.io.OutputStreamWriter; > import java.io.StringReader; > import java.nio.charset.StandardCharsets; > import java.security.cert.Certificate; > import java.security.cert.X509Certificate; > import java.security.cert.CertificateFactory; > import org.apache.velocity.Template; > import org.apache.velocity.VelocityContext; > import org.apache.velocity.app.VelocityEngine; > import org.apache.velocity.runtime.RuntimeServices; > import org.apache.velocity.runtime.RuntimeSingleton; > public class CertTest { > private static final String certText = "-BEGIN CERTIFICATE-\n" > + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n" > + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n" > + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n" > + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n" > + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n" > + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n" > + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n" > +
[jira] [Comment Edited] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[ https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772335#comment-17772335 ] Christopher Schultz edited comment on VELOCITY-968 at 10/5/23 6:28 PM: --- Maybe org.apache.velocity.util.introspection.MethodMap.getBestMatch(List, Class[]) can choose a superclass method over a subclass method if they are otherwise equivalent? was (Author: ch...@christopherschultz.net): Maybe `org.apache.velocity.util.introspection.MethodMap.getBestMatch(List, Class[])` can choose a superclass method over a subclass method if they are otherwise equivalent? > In Java 17+, introspection fails in many cases due to permissions > - > > Key: VELOCITY-968 > URL: https://issues.apache.org/jira/browse/VELOCITY-968 > Project: Velocity > Issue Type: Bug > Components: Engine >Affects Versions: 1.7.x, 2.3 > Environment: Java 17 >Reporter: Christopher Schultz >Priority: Major > > When running under Java 17 or later, introspection often picks an > inaccessible method on a runtime object, which then fails when invoked. > For example, running the example below under Java 8, the output is simple: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 11 or later, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > WARNING: An illegal reflective access operation has occurred > WARNING: Illegal reflective access by > org.apache.velocity.runtime.parser.node.PropertyExecutor > (file:.../velocity-engine-core-2.3.jar) to method > sun.security.x509.X509CertImpl.getNotAfter() > WARNING: Please consider reporting this to the maintainers of > org.apache.velocity.runtime.parser.node.PropertyExecutor > WARNING: Use --illegal-access=warn to enable warnings of further illegal > reflective access operations > WARNING: All illegal access operations will be denied in a future release > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 17, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Exception in thread "main" org.apache.velocity.exception.VelocityException: > ASTIdentifier() : exception invoking method for identifier 'notAfter' in > class sun.security.x509.X509CertImpl > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282) > at > org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) > at > org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) > at > org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) > at org.apache.velocity.Template.merge(Template.java:358) > at org.apache.velocity.Template.merge(Template.java:262) > at CertTest.main(CertTest.java:52) > Caused by: java.lang.IllegalAccessException: class > org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class > sun.security.x509.X509CertImpl (in module java.base) because module java.base > does not export sun.security.x509 to unnamed module @45ad6cad > at > java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) > at > java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) > at java.base/java.lang.reflect.Method.invoke(Method.java:560) > at > org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149) > at > org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722) > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217) > ... 6 more > {noformat} > It looks like Velocity is picking an inconvenient class on which to base its > method invocation. > > Here is the test source. > {noformat} > import java.io.OutputStreamWriter; > import java.io.StringReader; > import java.nio.charset.StandardCharsets; > import java.security.cert.Certificate; > import java.security.cert.X509Certificate; > import java.security.cert.CertificateFactory; > import org.apache.velocity.Template; > import org.apache.velocity.VelocityContext; > import org.apache.velocity.app.VelocityEngine; > import org.apache.velocity.runtime.RuntimeServices; > import org.apache.velocity.runtime.RuntimeSingleton; > public class CertTest { > private static final String certText = "-BEGIN CERTIFICATE-\n" > + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n" > + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n" > + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n" > + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n" >
[jira] [Commented] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[ https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772335#comment-17772335 ] Christopher Schultz commented on VELOCITY-968: -- Maybe `org.apache.velocity.util.introspection.MethodMap.getBestMatch(List, Class[])` can choose a superclass method over a subclass method if they are otherwise equivalent? > In Java 17+, introspection fails in many cases due to permissions > - > > Key: VELOCITY-968 > URL: https://issues.apache.org/jira/browse/VELOCITY-968 > Project: Velocity > Issue Type: Bug > Components: Engine >Affects Versions: 1.7.x, 2.3 > Environment: Java 17 >Reporter: Christopher Schultz >Priority: Major > > When running under Java 17 or later, introspection often picks an > inaccessible method on a runtime object, which then fails when invoked. > For example, running the example below under Java 8, the output is simple: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 11 or later, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > WARNING: An illegal reflective access operation has occurred > WARNING: Illegal reflective access by > org.apache.velocity.runtime.parser.node.PropertyExecutor > (file:.../velocity-engine-core-2.3.jar) to method > sun.security.x509.X509CertImpl.getNotAfter() > WARNING: Please consider reporting this to the maintainers of > org.apache.velocity.runtime.parser.node.PropertyExecutor > WARNING: Use --illegal-access=warn to enable warnings of further illegal > reflective access operations > WARNING: All illegal access operations will be denied in a future release > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 17, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Exception in thread "main" org.apache.velocity.exception.VelocityException: > ASTIdentifier() : exception invoking method for identifier 'notAfter' in > class sun.security.x509.X509CertImpl > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282) > at > org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) > at > org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) > at > org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) > at org.apache.velocity.Template.merge(Template.java:358) > at org.apache.velocity.Template.merge(Template.java:262) > at CertTest.main(CertTest.java:52) > Caused by: java.lang.IllegalAccessException: class > org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class > sun.security.x509.X509CertImpl (in module java.base) because module java.base > does not export sun.security.x509 to unnamed module @45ad6cad > at > java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) > at > java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) > at java.base/java.lang.reflect.Method.invoke(Method.java:560) > at > org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149) > at > org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722) > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217) > ... 6 more > {noformat} > It looks like Velocity is picking an inconvenient class on which to base its > method invocation. > > Here is the test source. > {noformat} > import java.io.OutputStreamWriter; > import java.io.StringReader; > import java.nio.charset.StandardCharsets; > import java.security.cert.Certificate; > import java.security.cert.X509Certificate; > import java.security.cert.CertificateFactory; > import org.apache.velocity.Template; > import org.apache.velocity.VelocityContext; > import org.apache.velocity.app.VelocityEngine; > import org.apache.velocity.runtime.RuntimeServices; > import org.apache.velocity.runtime.RuntimeSingleton; > public class CertTest { > private static final String certText = "-BEGIN CERTIFICATE-\n" > + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n" > + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n" > + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n" > + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n" > + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n" > + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n" > + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n" > +
[jira] [Commented] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[ https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772334#comment-17772334 ] Thomas Mortagne commented on VELOCITY-968: -- Looks like a dupicate of VELOCITY-952. > In Java 17+, introspection fails in many cases due to permissions > - > > Key: VELOCITY-968 > URL: https://issues.apache.org/jira/browse/VELOCITY-968 > Project: Velocity > Issue Type: Bug > Components: Engine >Affects Versions: 1.7.x, 2.3 > Environment: Java 17 >Reporter: Christopher Schultz >Priority: Major > > When running under Java 17 or later, introspection often picks an > inaccessible method on a runtime object, which then fails when invoked. > For example, running the example below under Java 8, the output is simple: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 11 or later, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > WARNING: An illegal reflective access operation has occurred > WARNING: Illegal reflective access by > org.apache.velocity.runtime.parser.node.PropertyExecutor > (file:.../velocity-engine-core-2.3.jar) to method > sun.security.x509.X509CertImpl.getNotAfter() > WARNING: Please consider reporting this to the maintainers of > org.apache.velocity.runtime.parser.node.PropertyExecutor > WARNING: Use --illegal-access=warn to enable warnings of further illegal > reflective access operations > WARNING: All illegal access operations will be denied in a future release > Test: Wed Jan 03 12:42:32 EST 2024 > {noformat} > When running on Java 17, we get: > {noformat} > Cert notAfter=Wed Jan 03 12:42:32 EST 2024 > Exception in thread "main" org.apache.velocity.exception.VelocityException: > ASTIdentifier() : exception invoking method for identifier 'notAfter' in > class sun.security.x509.X509CertImpl > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282) > at > org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) > at > org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) > at > org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) > at org.apache.velocity.Template.merge(Template.java:358) > at org.apache.velocity.Template.merge(Template.java:262) > at CertTest.main(CertTest.java:52) > Caused by: java.lang.IllegalAccessException: class > org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class > sun.security.x509.X509CertImpl (in module java.base) because module java.base > does not export sun.security.x509 to unnamed module @45ad6cad > at > java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) > at > java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) > at java.base/java.lang.reflect.Method.invoke(Method.java:560) > at > org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149) > at > org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722) > at > org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217) > ... 6 more > {noformat} > It looks like Velocity is picking an inconvenient class on which to base its > method invocation. > > Here is the test source. > {noformat} > import java.io.OutputStreamWriter; > import java.io.StringReader; > import java.nio.charset.StandardCharsets; > import java.security.cert.Certificate; > import java.security.cert.X509Certificate; > import java.security.cert.CertificateFactory; > import org.apache.velocity.Template; > import org.apache.velocity.VelocityContext; > import org.apache.velocity.app.VelocityEngine; > import org.apache.velocity.runtime.RuntimeServices; > import org.apache.velocity.runtime.RuntimeSingleton; > public class CertTest { > private static final String certText = "-BEGIN CERTIFICATE-\n" > + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n" > + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n" > + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n" > + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n" > + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n" > + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n" > + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n" > + "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n" > + "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n" > +
[jira] [Updated] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
[ https://issues.apache.org/jira/browse/VELOCITY-968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Christopher Schultz updated VELOCITY-968: - Description: When running under Java 17 or later, introspection often picks an inaccessible method on a runtime object, which then fails when invoked. For example, running the example below under Java 8, the output is simple: {noformat} Cert notAfter=Wed Jan 03 12:42:32 EST 2024 Test: Wed Jan 03 12:42:32 EST 2024 {noformat} When running on Java 11 or later, we get: {noformat} Cert notAfter=Wed Jan 03 12:42:32 EST 2024 WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.apache.velocity.runtime.parser.node.PropertyExecutor (file:.../velocity-engine-core-2.3.jar) to method sun.security.x509.X509CertImpl.getNotAfter() WARNING: Please consider reporting this to the maintainers of org.apache.velocity.runtime.parser.node.PropertyExecutor WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release Test: Wed Jan 03 12:42:32 EST 2024 {noformat} When running on Java 17, we get: {noformat} Cert notAfter=Wed Jan 03 12:42:32 EST 2024 Exception in thread "main" org.apache.velocity.exception.VelocityException: ASTIdentifier() : exception invoking method for identifier 'notAfter' in class sun.security.x509.X509CertImpl at org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282) at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) at org.apache.velocity.Template.merge(Template.java:358) at org.apache.velocity.Template.merge(Template.java:262) at CertTest.main(CertTest.java:52) Caused by: java.lang.IllegalAccessException: class org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class sun.security.x509.X509CertImpl (in module java.base) because module java.base does not export sun.security.x509 to unnamed module @45ad6cad at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) at java.base/java.lang.reflect.Method.invoke(Method.java:560) at org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149) at org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722) at org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217) ... 6 more {noformat} It looks like Velocity is picking an inconvenient class on which to base its method invocation. Here is the test source. {noformat} import java.io.OutputStreamWriter; import java.io.StringReader; import java.nio.charset.StandardCharsets; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.security.cert.CertificateFactory; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.runtime.RuntimeServices; import org.apache.velocity.runtime.RuntimeSingleton; public class CertTest { private static final String certText = "-BEGIN CERTIFICATE-\n" + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n" + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n" + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n" + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n" + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n" + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n" + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n" + "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n" + "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n" + "dzOrCDAKBggqhkjOPQQDAwNnADBkAjBx+sqV2gzUusdOvwltH7f7sp5UtZMRFKF4\n" + "mRcGA7buAZN/YPUGgkiUZ6ZEJmw8Dn8CMEEgm8c2WTYdO/CQ5DRBbfIt1TcpiDxk\n" + "0vM+YZrSctwCJhK+3h3i4X990XvjJQ3Hmw==\n" + "-END CERTIFICATE-\n" ; private static final String templateText = "Test: $cert.notAfter\n"; public static void main(String[] args) throws Exception { X509Certificate cert = (X509Certificate)CertificateFactory.getInstance("X.509").generateCertificate(new java.io.ByteArrayInputStream(certText.getBytes(StandardCharsets.US_ASCII))); System.out.println("Cert notAfter=" + cert.getNotAfter()); VelocityContext ctx = new VelocityContext(); ctx.put("cert", cert); VelocityEngine ve = new
[jira] [Created] (VELOCITY-968) In Java 17+, introspection fails in many cases due to permissions
Christopher Schultz created VELOCITY-968: Summary: In Java 17+, introspection fails in many cases due to permissions Key: VELOCITY-968 URL: https://issues.apache.org/jira/browse/VELOCITY-968 Project: Velocity Issue Type: Bug Components: Engine Affects Versions: 2.3, 1.7.x Environment: Java 17 Reporter: Christopher Schultz When running under Java 17 or later, introspection often picks an inaccessible method on a runtime object, which then fails when invoked. For example, running the example below under Java 8, the output is simple: {noformat} Cert notAfter=Wed Jan 03 12:42:32 EST 2024 Test: Wed Jan 03 12:42:32 EST 2024 {noformat} When running on Java 11 or later, we get: {noformat} Cert notAfter=Wed Jan 03 12:42:32 EST 2024 WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.apache.velocity.runtime.parser.node.PropertyExecutor (file:/Users/christopherschultz/Documents/Eclipse/chadis-web/velocity-engine-core-2.3.jar) to method sun.security.x509.X509CertImpl.getNotAfter() WARNING: Please consider reporting this to the maintainers of org.apache.velocity.runtime.parser.node.PropertyExecutor WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release Test: Wed Jan 03 12:42:32 EST 2024 {noformat} When running on Java 17, we get: {noformat} Cert notAfter=Wed Jan 03 12:42:32 EST 2024 Exception in thread "main" org.apache.velocity.exception.VelocityException: ASTIdentifier() : exception invoking method for identifier 'notAfter' in class sun.security.x509.X509CertImpl at org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:282) at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:368) at org.apache.velocity.runtime.parser.node.ASTReference.render(ASTReference.java:492) at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:439) at org.apache.velocity.Template.merge(Template.java:358) at org.apache.velocity.Template.merge(Template.java:262) at CertTest.main(CertTest.java:52) Caused by: java.lang.IllegalAccessException: class org.apache.velocity.runtime.parser.node.PropertyExecutor cannot access class sun.security.x509.X509CertImpl (in module java.base) because module java.base does not export sun.security.x509 to unnamed module @45ad6cad at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392) at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674) at java.base/java.lang.reflect.Method.invoke(Method.java:560) at org.apache.velocity.runtime.parser.node.PropertyExecutor.execute(PropertyExecutor.java:149) at org.apache.velocity.util.introspection.UberspectImpl$VelGetterImpl.invoke(UberspectImpl.java:722) at org.apache.velocity.runtime.parser.node.ASTIdentifier.execute(ASTIdentifier.java:217) ... 6 more {noformat} It looks like Velocity is picking an inconvenient class on which to base its method invocation. Here is the test source. {noformat} import java.io.OutputStreamWriter; import java.io.StringReader; import java.nio.charset.StandardCharsets; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.security.cert.CertificateFactory; import org.apache.velocity.Template; import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.apache.velocity.runtime.RuntimeServices; import org.apache.velocity.runtime.RuntimeSingleton; public class CertTest { private static final String certText = "-BEGIN CERTIFICATE-\n" + "MIICJTCCAaygAwIBAgIIXjahgh5+v08wCgYIKoZIzj0EAwMwaTEQMA4GA1UEBhMH\n" + "VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjEQMA4G\n" + "A1UEChMHVW5rbm93bjEQMA4GA1UECxMHVW5rbm93bjENMAsGA1UEAxMEdGVzdDAe\n" + "Fw0yMzEwMDUxNzQyMzJaFw0yNDAxMDMxNzQyMzJaMGkxEDAOBgNVBAYTB1Vua25v\n" + "d24xEDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoT\n" + "B1Vua25vd24xEDAOBgNVBAsTB1Vua25vd24xDTALBgNVBAMTBHRlc3QwdjAQBgcq\n" + "hkjOPQIBBgUrgQQAIgNiAARluamNquFohhtrjhN6Sq+QXVlb+/1GVHg0h10iDehm\n" + "msRkfPkugLIwRbLIaggzFkx66QcT4oIjhvM0Q1jM7a/9BhNUWJvZMa54M3Nh+K6P\n" + "fzp8tOGHe2EAHibDP1KSGHCjITAfMB0GA1UdDgQWBBSLy96Os2mUo7TiKAwRlEmq\n" + "dzOrCDAKBggqhkjOPQQDAwNnADBkAjBx+sqV2gzUusdOvwltH7f7sp5UtZMRFKF4\n" + "mRcGA7buAZN/YPUGgkiUZ6ZEJmw8Dn8CMEEgm8c2WTYdO/CQ5DRBbfIt1TcpiDxk\n" + "0vM+YZrSctwCJhK+3h3i4X990XvjJQ3Hmw==\n" + "-END CERTIFICATE-\n" ; private static final String templateText = "Test: $cert.notAfter\n"; public static void main(String[] args) throws Exception { X509Certificate cert =