I'd be nervous about that kind of change but interested to hear what you learn.
Repository is here: https://github.com/eclipse/org.aspectj Andy On Wed, 9 Jun 2021 at 13:16, Constantin Moisei <[email protected]> wrote: > Thanks both Andy and Tim! > > As Tim pointed out we don't control the weaving, it happens during the app > startup. > > I could look into what Tim mentions here, to just use compile time weaving > but I need to do some research. > > My original thought was to create an alternate factory and allow it to use > it's getClass().getClassloader(). I mean that could be a fix. I didn't > check the source it but how is the classloader handled at this line > (ReflectionBasedReferenceTypeDelegateFactory.java:40) > > >at java.base/java.lang.Class.forName(Class.java:398) > >at > org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate > (ReflectionBasedReferenceTypeDelegateFactory.java:40) > > Talking about sources, where is the repo ? I could create my own variant > to see if I can bypass the issue. > > > On Wed, 9 Jun 2021 at 15:05, <[email protected]> wrote: > >> I doubt you have any options here for runtime weaving. The classloader in >> this case is controlled by Spring, and the security managers likely have a >> tight multi-tenant designed security policy. >> >> The best bet, even with Spring is to change to compile-time weaving; this >> was the answer for an app I developed in the same situation. >> >> Also, note that Java 11, and later versions of Spring all are getting >> better at access control and fixing holes. Earlier versions of Spring used >> to take advantage of the security holes in the JVM to work, many of these >> security holes are getting closed off. >> >> You will also see more of these issues in the next LTS release (15 I >> think is the number). >> >> >> >> >> >> Tim >> >> >> >> *From:* aspectj-users <[email protected]> *On Behalf Of *Andy >> Clement >> *Sent:* Wednesday, June 9, 2021 3:59 PM >> *To:* [email protected] >> *Subject:* Re: [aspectj-users] Openjdk11 and Security Manager >> >> >> >> Hey, >> >> >> >> I'm not an expert on Java Security unfortunately (you might find a few of >> those folks if you ask this on Stack overflow?). >> >> >> >> With your reference to it working for one classloader and not another, >> how feasible is it to set the context classloader to the one you find that >> works? Or will that break something else? >> (Thread.currentThread().setContextClassLoader(..)) >> >> >> >> It is possible some doPrivileged blocks are missing in the reflection >> area but then I see the doPrivileged call deeper in the checkPackageAccess >> call, so maybe raising up the privileged check will just make it fail >> sooner. >> >> >> >> cheers, >> >> Andy >> >> >> >> On Wed, 9 Jun 2021 at 10:00, Constantin Moisei < >> [email protected]> wrote: >> >> Hello, >> >> >> I am running into a weird exception on an open jdk 11 vm with a tight >> security manager policy. >> >> What kind of control do I have to >> ReflectionBasedReferenceTypeDelegateFactory ? >> >> In the past I had issues with how I get/handle the classloader but found >> a way to bypass it. However it was my own code so I could deal with it. Now >> I am facing a similar issue via the latest aspectj 1.9.6 >> >> //ClassLoader loader = Thread.currentThread().getContextClassLoader(); >> //doesn't work >> >> ClassLoader loader = this.getClass().getClassLoader(); //<---- this works >> >> Note that granting the permission is not a viable solution. It will be >> almost impossible to convince the vm owners to modify the policy. Has to be >> a different way. >> >> Here's the full exception >> >> Caused by: java.security.AccessControlException: access denied >> ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.loader") >> at >> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) >> at >> java.base/java.security.AccessController.checkPermission(AccessController.java:897) >> at >> java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322) >> at >> java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238) >> at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:691) >> at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:689) >> at >> java.base/java.security.AccessController.doPrivileged(Native Method) >> at >> java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:689) >> at java.base/java.lang.Class.forName0(Native Method) >> at java.base/java.lang.Class.forName(Class.java:398) >> at >> org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40) >> at >> org.aspectj.weaver.reflect.ReflectionWorld.resolveDelegate(ReflectionWorld.java:111) >> at >> org.aspectj.weaver.World.resolveToReferenceType(World.java:363) >> at org.aspectj.weaver.World.resolve(World.java:258) >> at org.aspectj.weaver.World.resolve(World.java:180) >> at org.aspectj.weaver.World.resolve(World.java:326) >> at >> org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:103) >> at >> org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:93) >> at >> org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.toResolvedTypeArray(ReflectionBasedReferenceTypeDelegateFactory.java:214) >> at >> org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMethod(ReflectionBasedReferenceTypeDelegateFactory.java:107) >> at >> org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMember(ReflectionBasedReferenceTypeDelegateFactory.java:98) >> at >> org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(ReflectionBasedReferenceTypeDelegate.java:290) >> at >> org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:571) >> at >> org.aspectj.weaver.ResolvedType.addAndRecurse(ResolvedType.java:271) >> at >> org.aspectj.weaver.ResolvedType.getMethodsWithoutIterator(ResolvedType.java:265) >> at >> org.aspectj.weaver.ResolvedType.lookupResolvedMember(ResolvedType.java:420) >> at >> org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:178) >> at >> org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202) >> at >> org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202) >> at >> org.aspectj.weaver.JoinPointSignatureIterator.hasNext(JoinPointSignatureIterator.java:69) >> at >> org.aspectj.weaver.patterns.SignaturePattern.matches(SignaturePattern.java:298) >> at >> org.aspectj.weaver.patterns.KindedPointcut.matchInternal(KindedPointcut.java:106) >> at >> org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146) >> at >> org.aspectj.weaver.patterns.OrPointcut.matchInternal(OrPointcut.java:51) >> at >> org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146) >> at >> org.aspectj.weaver.internal.tools.PointcutExpressionImpl.getShadowMatch(PointcutExpressionImpl.java:235) >> at >> org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesExecution(PointcutExpressionImpl.java:101) >> at >> org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesMethodExecution(PointcutExpressionImpl.java:92) >> at >> org.springframework.aop.aspectj.AspectJExpressionPointcut.getShadowMatch(AspectJExpressionPointcut.java:408) >> at >> org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExpressionPointcut.java:266) >> at >> org.springframework.aop.support.AopUtils.canApply(AopUtils.java:223) >> at >> org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262) >> at >> org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:294) >> at >> org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118) >> at >> org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88) >> at >> org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69) >> at >> org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:361) >> at >> org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:324) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:409) >> at >> org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:1657) >> at >> org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:112) >> ... 42 more >> >> >> >> >> >> >> >> _______________________________________________ >> aspectj-users mailing list >> [email protected] >> To unsubscribe from this list, visit >> https://www.eclipse.org/mailman/listinfo/aspectj-users >> >> >> ------------------------------ >> >> >> <https://home.mcafee.com/utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> >> >> Scanned by McAfee >> <https://home.mcafee.com/utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> >> and confirmed virus-free. >> >> >> _______________________________________________ >> aspectj-users mailing list >> [email protected] >> To unsubscribe from this list, visit >> https://www.eclipse.org/mailman/listinfo/aspectj-users >> > _______________________________________________ > aspectj-users mailing list > [email protected] > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/aspectj-users >
_______________________________________________ aspectj-users mailing list [email protected] To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/aspectj-users
