https://bz.apache.org/bugzilla/show_bug.cgi?id=66317

            Bug ID: 66317
           Summary: AccessControlException on EL 5.0
           Product: Tomcat 10
           Version: 10.1.1
          Hardware: PC
                OS: Mac OS X 10.1
            Status: NEW
          Severity: normal
          Priority: P2
         Component: EL
          Assignee: dev@tomcat.apache.org
          Reporter: isaacriv...@gmail.com
  Target Milestone: ------

Hey there!

This issue is technically for EE10 Expression Language 5.0, but I couldn't find
it in the list. Working on testing lambda expression coercion in EL 5.0,
introduced in https://github.com/jakartaee/expression-language/issues/45, I've
hit an AccessControlException with Java 2 Security enabled, as follows:

AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at java.base/java.lang.reflect.Proxy.checkProxyAccess(Proxy.java:457)
    at java.base/java.lang.reflect.Proxy.getProxyConstructor(Proxy.java:411)
    at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1006)
    at org.apache.el.lang.ELSupport.coerceToFunctionalInterface(ELSupport.java:630)...

I've tested that the cause of the issue is this line
https://github.com/apache/tomcat/blob/0827d1ce4200ad030a9c3496349b240fefeb53a7/java/org/apache/el/lang/ELSupport.java#L630
while calling type.getClassLoader(). I've seen a couple of PrivilegedAction
uses in the Tomcat source code, so I'm wondering if this was just an oversight
or done on purpose.

It's a relatively simple fix and I am working on a PR for this. I wanted to
bring it up for discussion.

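The PrivilegedAction pattern the report refers to, as an added example that is not part of the original report, not Tomcat's code and not the reporter's PR. The class PrivilegedProxyExample and the method toFunctionalInterface are hypothetical names; the sketch only shows how the class-loader lookup and proxy creation can be confined to a narrow doPrivileged block.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.function.Function;
import java.util.function.Predicate;

// Hypothetical helper for illustration; this is not Tomcat's ELSupport.
public final class PrivilegedProxyExample {

    @SuppressWarnings("removal") // SecurityManager APIs are deprecated for removal since Java 17
    static <T> T toFunctionalInterface(Class<T> type, Function<Object[], Object> lambda) {
        if (!type.isInterface()) {
            throw new IllegalArgumentException(type + " is not an interface");
        }
        InvocationHandler handler = (proxy, method, args) -> {
            // Object methods (toString, hashCode, equals) must not reach the lambda.
            if (method.getDeclaringClass() == Object.class) {
                switch (method.getName()) {
                    case "toString": return "proxy for " + type.getName();
                    case "hashCode": return System.identityHashCode(proxy);
                    default: return proxy == args[0];
                }
            }
            return lambda.apply(args);
        };
        PrivilegedAction<Object> create = () ->
                Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] { type }, handler);
        // Only the loader lookup and proxy creation run inside doPrivileged.
        // The loader is never returned to the caller, and the lambda body is
        // invoked later, outside the privileged block, with the caller's permissions.
        Object instance = System.getSecurityManager() == null
                ? create.run()
                : AccessController.doPrivileged(create);
        return type.cast(instance);
    }

    public static void main(String[] args) {
        @SuppressWarnings("unchecked")
        Predicate<String> longerThanThree =
                toFunctionalInterface(Predicate.class, a -> ((String) a[0]).length() > 3);
        System.out.println(longerThanThree.test("tomcat"));
    }
}
```

With a policy in force, the code source that contains the helper still needs RuntimePermission "getClassLoader"; doPrivileged only removes the requirement from callers further up the stack, such as the web application.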