tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 64488] EL API: AccessControlException -- Import Handler
Date Tue, 02 Jun 2020 21:40:40 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=64488

volosied+apache@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEEDINFO                    |RESOLVED

--- Comment #4 from volosied+apache@gmail.com ---
Hello,

Thank you so much for the quick replies. I looked more into my issue, and I
have a better idea of what’s occurring.  I do not believe anything is wrong
with the ImportHandler after all. 

In my Open Liberty build, I had a development security property enabled,
unknown to me, that logs AccessControl exceptions and allows the application
to continue.  When I removed that property, I encountered a different error:
jakarta.el.ELException: Function [:Boolean] not found. This may relate to the
fact that rt.jar contains the Boolean class (which EL doesn't have access
to?).

I tested the same JSP on Tomcat (with security enabled), and encountered the
very same exception. 

This is the troublesome EL Expression: “${Boolean(true)}” 

I tested it in Tomcat 7 and 9, and the same exception is thrown. The behavior
is consistent everywhere.  However, can anyone explain why it is that way (or
point me to any resources)? My current understanding is that, when security is
enabled, EL (or Tomcat?) doesn’t have access, by default, to the Java runtime
jar, rt.jar? (Which may explain why the original error asked me to add the
java.io.FilePermission to the rt.jar.)  I tried modifying the
permissions in Tomcat but was unsuccessful in getting the EL code to run with
security enabled.

However, I tested further, and the following code does work?  I’m assuming
because it’s not going through EL? 

    <%
        Boolean b = new Boolean("true");
        System.out.println("Boolean Result: " + b);
    %>

    <%= b %>

I’m not very familiar with Java security, and this is beyond what I originally
started looking into, but, once again, thank you for your help. I'll mark
this issue as resolved/invalid.

Full Exception: 

javax.el.ELException: Function [:Boolean] not found
    org.apache.el.parser.AstFunction.getValue(AstFunction.java:148)
    org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:190)
    org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextImpl.java:701)
    org.apache.jsp.el_jsp._jspService(el_jsp.java:163)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:477)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    java.security.AccessController.doPrivileged(AccessController.java:770)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
    java.security.AccessController.doPrivileged(AccessController.java:734)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    java.security.AccessController.doPrivileged(AccessController.java:770)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
    org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
