jakartaee / expression-language

Jakarta Expression Language
https://eclipse.org/ee4j/el

Permission Errors in EL API when using Security Manager #131

Closed volosied closed 2 years ago

volosied commented 3 years ago

Hello,

I am working on the EL-4.0 feature in Open Liberty for EE9. However, I encountered some security issues during our testing.

Errors occur when Java 2 Security is enabled.

The implementation we used is Tomcat Jasper EL 10.0.0-M7. Although we are mixing the API and implementation, I believe that shouldn't necessarily be an issue since both APIs are the same spec?

Please see the stack trace below.

java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "java.home" "read")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
    at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
    at java.base/java.lang.System.getProperty(System.java:506)
    at java.base/java.lang.System.getProperty(System.java:475)
    at jakarta.el.FactoryFinder.find(FactoryFinder.java:106)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:140)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:110)
    at jakarta.el.ELUtil.<clinit>(ELUtil.java:60)
    at jakarta.el.ELManager.getExpressionFactory(ELManager.java:38)
    at jakarta.el.ELProcessor.<init>(ELProcessor.java:78)

I believe the issue occurs on this line: https://github.com/eclipse-ee4j/el-ri/blob/73dd7029596c15923c08bf73e86dbea07f8c7b7b/api/src/main/java/jakarta/el/FactoryFinder.java#L106

I do not see any PrivilegedActions in the Eclipse EL API or Implementation, so I hope someone with more experience can provide additional information. Should this be addressed in our applications or in the API code? Thank you.

markt-asf commented 3 years ago

In this instance I'd say there needs to be a privileged block to read that system property.
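
Added example, not part of the thread and not the project's code: one way to write the privileged block suggested above for the `java.home` read shown in the stack trace. The class and method names (`PrivilegedProps`, `javaHome`, `read`) are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; names are hypothetical and not part of the EL API.
// SecurityManager and AccessController are deprecated for removal in recent
// JDKs, hence the suppression.
@SuppressWarnings({"removal", "deprecation"})
final class PrivilegedProps {

    private PrivilegedProps() {}

    // Package-private, fixed key: callers cannot pass an arbitrary property
    // name, so the library does not become a way for less-privileged code
    // to read any system property with the library's permissions.
    static String javaHome() {
        return read("java.home");
    }

    private static String read(final String key) {
        if (System.getSecurityManager() == null) {
            // No security manager installed: no permission check happens.
            return System.getProperty(key);
        }
        // doPrivileged stops the permission check at this frame, so only this
        // class's protection domain must hold the permission, not every
        // caller further up the stack (the application, the JSP, ...).
        // The policy still has to grant it to the library's code source:
        //   permission java.util.PropertyPermission "java.home", "read";
        // The cast selects the PrivilegedAction overload over
        // PrivilegedExceptionAction.
        return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    public static void main(String[] args) {
        System.out.println(javaHome());
    }
}
```

Keeping the privileged action this narrow (one property, one read) limits what the block exposes to callers that lack the permission themselves.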