From dev-return-209393-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org  Tue Jun  2 21:40:44 2020
Return-Path: <dev-return-209393-archive-asf-public=cust-asf.ponee.io@tomcat.apache.org>
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [207.244.88.153])
	by mx-eu-01.ponee.io (Postfix) with SMTP id 4FE4718064C
	for <archive-asf-public@cust-asf.ponee.io>; Tue,  2 Jun 2020 23:40:44 +0200 (CEST)
Received: (qmail 93040 invoked by uid 500); 2 Jun 2020 21:40:43 -0000
Mailing-List: contact dev-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@tomcat.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@tomcat.apache.org>
List-Post: <mailto:dev@tomcat.apache.org>
List-Id: <dev.tomcat.apache.org>
Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
Delivered-To: mailing list dev@tomcat.apache.org
Received: (qmail 93030 invoked by uid 99); 2 Jun 2020 21:40:43 -0000
Received: from mailrelay1-us-west.apache.org (HELO mailrelay1-us-west.apache.org) (209.188.14.139)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 02 Jun 2020 21:40:43 +0000
Received: from bz-he-de.apache.org (bz-he-de.apache.org [148.251.237.210])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTPS id 59661E0158
	for <dev@tomcat.apache.org>; Tue,  2 Jun 2020 21:40:42 +0000 (UTC)
Received: by bz-he-de.apache.org (ASF Mail Server at bz-he-de.apache.org, from userid 33)
	id 1867B6A006A; Tue,  2 Jun 2020 21:40:41 +0000 (UTC)
From: bugzilla@apache.org
To: dev@tomcat.apache.org
Subject: [Bug 64488] EL API: AccessControlException -- Import Handler
Date: Tue, 02 Jun 2020 21:40:40 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Tomcat 10
X-Bugzilla-Component: EL
X-Bugzilla-Version: 10.0.0-M5
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: volosied+apache@gmail.com
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: INVALID
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: dev@tomcat.apache.org
X-Bugzilla-Target-Milestone: ------
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: resolution bug_status
Message-ID: <bug-64488-78-AMedYHxg8N@https.bz.apache.org/bugzilla/>
In-Reply-To: <bug-64488-78@https.bz.apache.org/bugzilla/>
References: <bug-64488-78@https.bz.apache.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bz.apache.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0

https://bz.apache.org/bugzilla/show_bug.cgi?id=3D64488

volosied+apache@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEEDINFO                    |RESOLVED

--- Comment #4 from volosied+apache@gmail.com ---
Hello,

Thank you so much for the quick replies. I looked more into my issue, and I
have a better idea of what=E2=80=99s occurring.  I do not believe anything =
is wrong
with the ImportHandler after all.=20

In my  Open Liberty build, I had a development security property enabled,=20
unknown to me,  that logs AccessControl exceptions and allows the applicati=
on
to continue.  When I removed that property, I encountered a different error:
jakarta.el.ELException: Function [:Boolean] not found. This may relate to t=
he
the fact that rt.jar contains the Boolean class (which EL doesn't have acce=
ss
to?).

I tested the same JSP on Tomcat (with security enabled), and encountered the
very same exception.=20

This is the troublesome EL Expression: =E2=80=9C${Boolean(true)}=E2=80=9D=20

I tested it in Tomcat 7 and 9, and the same exception is thrown. The behavi=
or
is consistent everywhere.  However, can anyone explain it is that way (or p=
oint
me to any resources)? My current understanding is that, when security is
enabled, EL(or Tomcat?) doesn=E2=80=99t have access, by default, to the jav=
a runtime
jar, rt.jar? (Which may explain why the original error asked me add the
java.io.FilePermission to the rt.jar)  Although I tried modifying the
permissions in Tomcat but was unsuccessful in getting the EL code to run wi=
th
security enabled.=20=20

However, I tested further, and the following code does work?  I=E2=80=99m a=
ssuming
because it=E2=80=99s not going through EL?=20

    <%
        Boolean b =3D new Boolean("true");
        System.out.println("Boolean Result: " + b);
    %>

    <%=3D b %>

I=E2=80=99m not very familiar with java security and, this is beyond what I=
 originally
started looking into, but, once again, thank you for your help. And I'll ma=
rk
this issue as resolved/invalid.=20

Full Exception:=20

javax.el.ELException: Function [:Boolean] not found
    org.apache.el.parser.AstFunction.getValue(AstFunction.java:148)
    org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:190)
=20=20=20
org.apache.jasper.runtime.PageContextImpl.proprietaryEvaluate(PageContextIm=
pl.java:701)
    org.apache.jsp.el_jsp._jspService(el_jsp.java:163)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:71)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
=20=20=20
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:=
477)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    sun.reflect.GeneratedMethodAccessor58.invoke(Unknown Source)
=20=20=20
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImp=
l.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    java.security.AccessController.doPrivileged(AccessController.java:770)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
=20=20=20
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:1=
70)
    java.security.AccessController.doPrivileged(AccessController.java:734)
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    sun.reflect.GeneratedMethodAccessor57.invoke(Unknown Source)
=20=20=20
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImp=
l.java:43)
    java.lang.reflect.Method.invoke(Method.java:498)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
    org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
    java.security.AccessController.doPrivileged(AccessController.java:770)
    javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
=20=20=20
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:2=
53)

--=20
You are receiving this mail because:
You are the assignee for the bug.=

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org