Investigate Access Control Exception in EL-5.0 #23543

Closed
isaacrivriv opened this issue Nov 30, 2022 · 1 comment · Fixed by #23619
isaacrivriv commented Nov 30, 2022

While working on enabling EE10 on FAT buckets, two AccessControlExceptions were discovered (thanks for discovering and notifying @jhanders34!). This is due to the Tomcat changes here. Need to start a discussion with the Tomcat community on adding a security check for the change here and start a discussion on the new property org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED and how it affects the security manager check here.

Exception 1

java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED" "read")
at java.base/java.security.AccessController.throwACE(AccessController.java:176)
at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
at java.base/java.lang.System.getProperty(System.java:581)
at java.base/java.lang.System.getProperty(System.java:564)
at java.base/java.lang.Boolean.getBoolean(Boolean.java:265)
at jakarta.el.Util.<clinit>(Util.java:47)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
at org.apache.jasper.runtime.JspApplicationContextImpl.<init>(JspApplicationContextImpl.java:59)
at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
at com.ibm._jsp._login._jspInit(_login.java:66)
at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)

Exception 2

java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
at java.base/java.security.AccessController.throwACE(AccessController.java:176)
at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
at java.base/java.lang.Thread.getContextClassLoader(Thread.java:578)
at jakarta.el.Util.getContextClassLoader(Util.java:665)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
at org.apache.jasper.runtime.JspApplicationContextImpl.<init>(JspApplicationContextImpl.java:59)
at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
at com.ibm._jsp._login._jspInit(_login.java:72)
at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)

@isaacrivriv
Member Author

After discussions in the Tomcat issue, it was decided to return to the default behavior with a default of true for the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property and to wrap the call to get the system property in a privilege block. This fixes both access control exceptions that were discovered. The changes are expected to be in by release 10.1.5. Need to work on getting the changes up as an overlay and, when the changes are released in the new version, update the libraries used by OL, which will be done in #23817.

Web Tier Team automation moved this from Jakarta 10 - Open Work to Completed Tasks Jan 6, 2023
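
The pattern described in the last comment, as an added example (not the Tomcat or Open Liberty source; the class name `ElClassLoaderLookup` and its methods are hypothetical): the property read and the context class loader lookup each run in a privileged block, and an unset property defaults to true. The only permission strings used are the two shown in the traces above.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Illustrative helper (hypothetical name); assumes a Java release that still ships AccessController. */
public final class ElClassLoaderLookup {

    private static final String PROP = "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED";

    // Read once during class initialization. Under a security manager the read runs
    // inside doPrivileged, so the permission check stops at this class's protection
    // domain and the calling JSP does not need
    // PropertyPermission(PROP, "read") (Exception 1).
    private static final boolean USE_PRIVILEGED = readFlag();

    private static boolean readFlag() {
        // Typed variable avoids the PrivilegedAction / PrivilegedExceptionAction
        // overload ambiguity that a bare lambda argument would cause.
        PrivilegedAction<String> read = () -> System.getProperty(PROP);
        String value = System.getSecurityManager() == null
                ? System.getProperty(PROP)
                : AccessController.doPrivileged(read);
        // Default is true: only an explicit non-"true" value turns the privileged path off.
        return value == null || Boolean.parseBoolean(value);
    }

    static ClassLoader getContextClassLoader() {
        if (System.getSecurityManager() != null && USE_PRIVILEGED) {
            // With the flag on, RuntimePermission("getClassLoader") is checked against
            // this class only, not against every frame on the stack (Exception 2).
            PrivilegedAction<ClassLoader> lookup =
                    () -> Thread.currentThread().getContextClassLoader();
            return AccessController.doPrivileged(lookup);
        }
        // Flag off or no security manager: a plain call, checked against all callers.
        return Thread.currentThread().getContextClassLoader();
    }

    public static void main(String[] args) {
        System.out.println("privileged lookup enabled: " + USE_PRIVILEGED);
        System.out.println("context class loader: " + getContextClassLoader());
    }
}
```

With `-Dorg.apache.el.GET_CLASSLOADER_USE_PRIVILEGED=false` and a security manager installed, the second trace's permission check applies to the application code again, so a policy in that configuration has to grant `getClassLoader` to the calling code source.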