Hey there! This issue is technically for EE10 Expression Language 5.0 but couldn't find it in the list. Working on testing lambda expression coercion in EL 5.0 introduced in https://github.com/jakartaee/expression-language/issues/45 I've hit an AccessControlException with Java 2 Security enabled as follows AccessControlException: Access denied ("java.lang.RuntimePermission" "getClassLoader") at java.base/java.security.AccessController.throwACE(AccessController.java:176) at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238) at java.base/java.security.AccessController.checkPermission(AccessController.java:385) at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322) at java.base/java.lang.reflect.Proxy.checkProxyAccess(Proxy.java:457) at java.base/java.lang.reflect.Proxy.getProxyConstructor(Proxy.java:411) at java.base/java.lang.reflect.Proxy.newProxyInstance(Proxy.java:1006) at org.apache.el.lang.ELSupport.coerceToFunctionalInterface(ELSupport.java:630)... I've tested that the cause of the issue is due to this line https://github.com/apache/tomcat/blob/0827d1ce4200ad030a9c3496349b240fefeb53a7/java/org/apache/el/lang/ELSupport.java#L630 while calling type.getClassLoader(). I've seen a couple of PrivilegedAction in the Tomcat source code so I'm wondering if this was just an oversight or done on purpose. It's a relatively simple fix and am working on a PR for this. Wanted to bring it up to discussion.
For now (until the security manager removal becomes real), needed priv actions will be added.
Proposed fix for this https://github.com/apache/tomcat/pull/557
Thanks for the PR. Fixed in: 11.0.x for 11.0.0-M1 onwoards 10.1.x for 10.1.2 onwards