https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

            Bug ID: 64488
           Summary: EL API: AccessControlException -- Import Handler
           Product: Tomcat 10
           Version: 10.0.0-M5
          Hardware: Macintosh
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: EL
          Assignee: dev@tomcat.apache.org
          Reporter: volosied+apa...@gmail.com
  Target Milestone: ------

Created attachment 37286
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37286&action=edit
Patch

Hello,

I encountered an AccessControlException when using the Tomcat 10.0.0-M5 EL API
in Open Liberty. 

The stack trace is provided below, but the exception is thrown starting on this
line: jakarta.el.ImportHandler.findClass(ImportHandler.java:455)

I would appreciate it if someone could look at whether a security check should be
added to the code. It appears to be a valid scenario. I've added a patch for
reference (based on code from ExpressionFactory.java).

We also used the same Tomcat 10.0.0-M5 Jasper EL Implementation.

The application was run on the following JDK: 

openjdk version "1.8.0_222"
OpenJDK Runtime Environment (build 1.8.0_222-b10)
Eclipse OpenJ9 VM (build openj9-0.15.1, JRE 1.8.0 Mac OS X amd64-64-Bit
Compressed References 20190717_298 (JIT enabled, AOT enabled)
OpenJ9   - 0f66c6431
OMR      - ec782f26
JCL      - f147086df1 based on jdk8u222-b10)

Please let me know if you have any questions. Thank you. 
_________________________________________

Permission: 
("java.io.FilePermission"
"/Library/Java/JavaVirtualMachines/adoptopenjdk-8-openj9.jdk/Contents/Home/jre/lib/rt.jar"
"read")
Stack: 
java.security.AccessControlException: Access denied ("java.io.FilePermission"
"/Library/Java/JavaVirtualMachines/adoptopenjdk-8-openj9.jdk/Contents/Home/jre/lib/rt.jar"
"read")
java.security.AccessController.throwACE(AccessController.java:176)
java.security.AccessController.checkPermissionHelper(AccessController.java:238)
java.security.AccessController.checkPermission(AccessController.java:385)
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
com.ibm.oti.vm.AbstractClassLoader.findResource(AbstractClassLoader.java:194)
java.lang.ClassLoader.getResource(ClassLoader.java:584)
java.lang.ClassLoader.getResource(ClassLoader.java:586)
java.lang.ClassLoader.getResource(ClassLoader.java:586)
com.ibm.ws.kernel.internal.classloader.BootstrapChildFirstJarClassloader.getResource(BootstrapChildFirstJarClassloader.java:110)
org.eclipse.osgi.internal.loader.BundleLoader.findResource(BundleLoader.java:621)
org.eclipse.osgi.internal.loader.ModuleClassLoader.getResource(ModuleClassLoader.java:216)
com.ibm.ws.classloading.internal.GatewayClassLoader.findResource(GatewayClassLoader.java:134)
com.ibm.ws.classloading.internal.GatewayClassLoader.getResource(GatewayClassLoader.java:116)
java.lang.ClassLoader.getResource(ClassLoader.java:586)
jakarta.el.ImportHandler.findClass(ImportHandler.java:455)
jakarta.el.ImportHandler.resolveClass(ImportHandler.java:417)
jakarta.servlet.jsp.el.ScopedAttributeELResolver.getValue(ScopedAttributeELResolver.java:93)
org.apache.jasper.el.JasperELResolver.getValue(JasperELResolver.java:110)
org.apache.el.parser.AstIdentifier.getValue(AstIdentifier.java:94)
org.apache.el.parser.AstValue.getValue(AstValue.java:137)
org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:190)
org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:794)
com.ibm._jsp._EL30StaticFieldsAndMethodsTests._jspService(_EL30StaticFieldsAndMethodsTests.java:109)
com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:100)

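The pattern the report points at (a SecurityManager-guarded doPrivileged block around a class-loader resource lookup, in the style the reporter borrowed from ExpressionFactory.java), shown as an added example; this is not the attached patch and not Tomcat's ImportHandler code, and the class and method names are assumed.

```java
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Hypothetical helper illustrating the fix the report asks for.
 *
 * Under a SecurityManager, ClassLoader.getResource() triggers a permission
 * check that walks the whole call stack, so the JSP page class (which has no
 * FilePermission on rt.jar) causes the AccessControlException in the report.
 * Wrapping the lookup in AccessController.doPrivileged() stops the stack walk
 * at this frame, so only this class's protection domain and the class-loader
 * frames it invokes are consulted, not the calling page's domain.
 */
public final class PrivilegedResourceLookup {

    private PrivilegedResourceLookup() {
    }

    /** Unguarded form: the permission check walks the entire call stack. */
    public static URL lookupUnprivileged(ClassLoader cl, String className) {
        String path = className.replace('.', '/') + ".class";
        return cl.getResource(path);
    }

    /**
     * Guarded form. Only pay the doPrivileged cost when a SecurityManager is
     * installed. Keep the privileged action as narrow as possible: it only
     * resolves a fixed, derived path and returns a URL, so it does not hand
     * callers any capability beyond "does this class file exist".
     */
    public static URL lookupPrivileged(final ClassLoader cl, String className) {
        final String path = className.replace('.', '/') + ".class";
        if (System.getSecurityManager() == null) {
            return cl.getResource(path);
        }
        return AccessController.doPrivileged(new PrivilegedAction<URL>() {
            @Override
            public URL run() {
                return cl.getResource(path);
            }
        });
    }

    public static void main(String[] args) {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        // Without a SecurityManager both forms behave identically; the
        // difference only shows under a policy like the one in the report.
        System.out.println(lookupPrivileged(cl, "java.lang.String"));
    }
}
```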