You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While working on enabling EE10 on FAT buckets, two AccessControlExceptions were discovered (thanks for discovering and notifying @jhanders34!). This is due to the tomcat changes here. Need to start discussion with the tomcat community on adding a security check for the change here and start a discussion on the new property org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED and how it affects the security manager check here
Exception 1
java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED" "read")
at java.base/java.security.AccessController.throwACE(AccessController.java:176)
at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
at java.base/java.lang.System.getProperty(System.java:581)
at java.base/java.lang.System.getProperty(System.java:564)
at java.base/java.lang.Boolean.getBoolean(Boolean.java:265)
at jakarta.el.Util.(Util.java:47)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
at org.apache.jasper.runtime.JspApplicationContextImpl.(JspApplicationContextImpl.java:59)
at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
at com.ibm._jsp._login._jspInit(_login.java:66)
at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)
Exception 2
java.security.AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
at java.base/java.security.AccessController.throwACE(AccessController.java:176)
at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
at java.base/java.lang.Thread.getContextClassLoader(Thread.java:578)
at jakarta.el.Util.getContextClassLoader(Util.java:665)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:92)
at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:79)
at org.apache.jasper.runtime.JspApplicationContextImpl.(JspApplicationContextImpl.java:59)
at org.apache.jasper.runtime.JspFactoryImpl.getJspApplicationContext(JspFactoryImpl.java:265)
at com.ibm._jsp._login._jspInit(_login.java:72)
at com.ibm.ws.jsp.runtime.HttpJspBase.init(HttpJspBase.java:77)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:299)
The text was updated successfully, but these errors were encountered:
After discussions in the tomcat issue, it was decided to return to the default behavior with a default of true for the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property and to wrap the call to get the system property in a privilege block. This fixes both access control exceptions that were discovered. The changes are expected to be in by release 10.1.5. Need to work on getting the changes up as an overlay and when the changes are released in the new version, update the libraries used by OL which will be done in #23817
While working on enabling EE10 on FAT buckets, two AccessControlExceptions were discovered (thanks for discovering and notifying @jhanders34!). This is due to the tomcat changes here. Need to start discussion with the tomcat community on adding a security check for the change here and start a discussion on the new property org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED and how it affects the security manager check here
Exception 1
Exception 2
The text was updated successfully, but these errors were encountered: