The javax.el.Util class can lead to an AccessControlException in the getExpressionFactory() method if security is enabled. I believe the call to get the classloader:

    ClassLoader tccl = Thread.currentThread().getContextClassLoader();

should be wrapped in a doPrivileged block:

    ClassLoader tccl;
    if (System.getSecurityManager() != null) {
        // Security manager active: read the TCCL inside a privileged action
        tccl = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            @Override
            public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    } else {
        // No security manager: a direct call is sufficient
        tccl = Thread.currentThread().getContextClassLoader();
    }
Can you provide a simple test case that demonstrates the problem?
I've spent a little time looking at this. It isn't going to occur in normal Tomcat usage. It may occur if el-api.jar and jasper-el.jar are used independently. I'm working on a fix.
My local testing found that the class loader structure would need to be fairly unusual to trigger this issue. I therefore opted to wrap all the requests for the TCCL in a privileged action to ensure that all use cases were covered.

Fixed in:
- trunk for 9.0.9 onwards
- 8.5.x for 8.5.32 onwards
- 8.0.x for 8.0.53 onwards
- 7.0.x for 7.0.89 onwards