https://bz.apache.org/bugzilla/show_bug.cgi?id=66370

Bug ID: 66370
Summary: AccessControlException and default behavior change with org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED
Product: Tomcat 10
Version: 10.1.2
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: EL
Assignee: dev@tomcat.apache.org
Reporter: isaacriv...@gmail.com
Target Milestone: ------

Hey there,

Running Tomcat EL 10.1.2 with Java 2 security enabled, we discovered an issue with an AccessControlException due to Boolean.getBoolean(). It seems this was introduced in this commit
https://github.com/apache/tomcat/commit/28ea2b9b2e781d20e0651cb5e0b65bacd464150c#diff-b5962d24af20591547a4804838aa91c84b0151645b2121ac4f244a1b9c1213e8R46-R47
with the addition of the new property org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED. See the exception below:

java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED" "read")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
    at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
    at java.base/java.lang.System.getProperty(System.java:581)
    at java.base/java.lang.System.getProperty(System.java:564)
    at java.base/java.lang.Boolean.getBoolean(Boolean.java:265)
    at jakarta.el.Util.<clinit>(Util.java:47)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
    at org.apache.jasper.runtime.JspApplicationContextImpl.<clinit>(JspApplicationContextImpl.java:59)
    at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
    at com.ibm._jsp._login._jspInit(_login.java:66)
    at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)

Worked locally on a fix for this and discovered that with the addition of this new property, a behavior change was introduced which obligates us to set the property if we don't want to hit another AccessControlException, as seen below. I understand why the change was introduced with this new property, but I would expect that it would not affect the expected behavior by default. I would expect to see a change only if it was set by the user. Any input as to why this was done the way it was? Any way we can change this to keep the expected behavior by default and change it if set?

java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
    at java.base/java.lang.Thread.getContextClassLoader(Thread.java:578)
    at jakarta.el.Util.getContextClassLoader(Util.java:665)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
    at org.apache.jasper.runtime.JspApplicationContextImpl.<clinit>(JspApplicationContextImpl.java:59)
    at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
    at com.ibm._jsp._login._jspInit(_login.java:72)
    at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
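The two traces in the report are the classic SecurityManager failure mode: a library's static initializer runs on whatever caller's stack happens to trigger class loading, so a plain Boolean.getBoolean() or Thread.getContextClassLoader() is checked against the calling web application's permissions, not the library's. The example below is added here to illustrate that mechanism and the usual doPrivileged remedy; it is not Tomcat's or Jakarta EL's code, the class and method names are hypothetical, and only the property name is taken from the report (its default value and the policy layout described in the note are assumptions).

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Added example, not Tomcat's own code. Shows how a library can read a
 * configuration property and fetch the context class loader when a
 * SecurityManager is installed and the caller's protection domain may not
 * hold the required permission.
 */
public final class PrivilegedConfigExample {

    // Property name from the bug report; everything else here is hypothetical.
    static final String PROP = "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED";

    // Pattern 1: unprivileged read. With a SecurityManager, every protection
    // domain on the current stack, including the web app whose JSP triggered
    // the library's <clinit>, must hold
    //   PropertyPermission "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED" "read"
    // which is exactly what the first AccessControlException in the report says.
    static boolean readUnprivileged() {
        return Boolean.getBoolean(PROP);
    }

    // Pattern 2: the library vouches for the read with doPrivileged, so the
    // check stops at the library's own protection domain. Only the library's
    // codebase needs the permission; the calling web app does not.
    static boolean readPrivileged() {
        if (System.getSecurityManager() == null) {
            return Boolean.getBoolean(PROP);   // no manager: no check to avoid
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> Boolean.getBoolean(PROP));
    }

    // Same idea for Thread.getContextClassLoader(), which needs
    // RuntimePermission "getClassLoader" (the second trace in the report).
    // The flag selects the privileged path; which default the library picks is
    // the behavioral question the report raises, so it is a parameter here.
    static ClassLoader contextClassLoader(boolean usePrivileged) {
        if (!usePrivileged || System.getSecurityManager() == null) {
            return Thread.currentThread().getContextClassLoader();
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<ClassLoader>) () ->
                        Thread.currentThread().getContextClassLoader());
    }

    public static void main(String[] args) {
        // Without a SecurityManager both paths behave identically; the
        // difference only appears under -Djava.security.manager with a policy
        // that grants the permissions to this class's codebase but not to the
        // caller. The default of "false" below is an assumption for the demo.
        boolean flag = readPrivileged();
        System.out.println(PROP + "=" + flag);
        System.out.println("context class loader: " + contextClassLoader(flag));
    }
}
```

To reproduce the report's situation rather than the happy path, run the class under a SecurityManager with a policy file that grants the PropertyPermission and RuntimePermission only to the library jar's codebase and not to the code that calls it: readUnprivileged() and contextClassLoader(false) then fail with the same AccessControlException messages as in the report, while readPrivileged() and contextClassLoader(true) succeed. On JDK 17 and later, SecurityManager and AccessController are deprecated for removal, so this compiles with deprecation warnings, and from JDK 18 the manager must be enabled at startup with -Djava.security.manager.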