Bug 66317 - AccessControlException on EL 5.0
Summary: AccessControlException on EL 5.0
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 10
Classification: Unclassified
Component: EL (show other bugs)
Version: 10.1.1
Hardware: PC Mac OS X 10.1
Importance: P2 normal
Target Milestone: ------
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-19 20:30 UTC by Isaac Rivera Rivas
Modified: 2022-10-20 14:06 UTC
Description Isaac Rivera Rivas 2022-10-19 20:30:26 UTC
Hey there!

This issue is technically for EE10 Expression Language 5.0, but I couldn't find it in the list. While working on testing lambda expression coercion in EL 5.0, introduced in https://github.com/jakartaee/expression-language/issues/45, I've hit an AccessControlException with Java 2 Security enabled, as follows:

AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at java.base/java.lang.reflect.Proxy.checkProxyAccess(Proxy.java:457)
    at java.base/java.lang.reflect.Proxy.getProxyConstructor(Proxy.java:411)
    at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1006)
    at org.apache.el.lang.ELSupport.coerceToFunctionalInterface(ELSupport.java:630)...

I've tested that the cause of the issue is this line, https://github.com/apache/tomcat/blob/0827d1ce4200ad030a9c3496349b240fefeb53a7/java/org/apache/el/lang/ELSupport.java#L630, which calls type.getClassLoader(). I've seen a couple of PrivilegedActions in the Tomcat source code, so I'm wondering whether this was just an oversight or done on purpose.

It's a relatively simple fix and I am working on a PR for this. I wanted to bring it up for discussion.
Comment 1 Remy Maucherat 2022-10-19 20:43:47 UTC
For now (until the security manager removal becomes real), needed priv actions will be added.
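The failure in the report and the privileged-action approach Remy refers to, as an added Java example that is neither the Tomcat source nor PR 557: a constructed functional interface plus a stand-in for the EL lambda, with the unguarded coercion beside a form that runs only the proxy creation under doPrivileged. The Greeter interface, the Function-based lambda stand-in and both method names are assumptions.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.function.Function;

public class LambdaCoercionDemo {

    // Constructed functional interface standing in for the coercion target type.
    interface Greeter { String greet(String name); }

    // Failing shape (mirrors the reported line): Proxy.newProxyInstance runs on the
    // caller's permission stack. Under a SecurityManager whose policy does not grant the
    // calling domain RuntimePermission("getClassLoader"), Proxy.checkProxyAccess throws
    // the AccessControlException seen in the trace.
    static <T> T coerceUnprivileged(Class<T> type, Function<Object[], Object> lambda) {
        InvocationHandler h = (proxy, method, args) -> lambda.apply(args);
        return type.cast(Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] { type }, h));
    }

    // Hardened shape: the privileged block covers only the proxy construction. The check
    // happens inside Proxy.newProxyInstance (see the trace), so wrapping the loader lookup
    // alone would not be enough. The lambda body itself runs later, when a proxy method is
    // invoked, outside doPrivileged, so it does not inherit the container's permissions.
    static <T> T coercePrivileged(Class<T> type, Function<Object[], Object> lambda) {
        InvocationHandler h = (proxy, method, args) -> lambda.apply(args);
        PrivilegedAction<T> create =
                () -> type.cast(Proxy.newProxyInstance(type.getClassLoader(), new Class<?>[] { type }, h));
        if (System.getSecurityManager() != null) {
            return AccessController.doPrivileged(create);
        }
        return create.run(); // no SecurityManager installed: skip the doPrivileged overhead
    }

    public static void main(String[] args) {
        // Constructed stand-in for an EL lambda: receives the proxied method's arguments.
        Function<Object[], Object> lambda = a -> "Hello, " + a[0];
        Greeter g = coercePrivileged(Greeter.class, lambda);
        System.out.println(g.greet("EL"));
    }
}
```

With no SecurityManager installed both methods behave identically; the difference appears only under a SecurityManager whose policy withholds RuntimePermission "getClassLoader" from the calling code.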
Comment 2 Isaac Rivera Rivas 2022-10-20 12:41:08 UTC
Proposed fix for this: https://github.com/apache/tomcat/pull/557
Comment 3 Han Li 2022-10-20 14:06:46 UTC
Thanks for the PR.

Fixed in:
11.0.x for 11.0.0-M1 onwards
10.1.x for 10.1.2 onwards