I am working on the EL-4.0 feature in Open Liberty for EE9. However, I encountered some security issues during our testing.
Errors occur when Java 2 Security is enabled.
The implementation we used is Tomcat Jasper EL 10.0.0-M7. Although we are mixing the API and implementation, I believe that shouldn't necessarily be an issue since both APIs are the same spec?
Please see the stack trace below.
java.security.AccessControlException: Access denied ("java.util.PropertyPermission" "java.home" "read")
    at java.base/java.security.AccessController.throwACE(AccessController.java:176)
    at java.base/java.security.AccessController.checkPermissionHelper(AccessController.java:238)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:385)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
    at com.ibm.ws.kernel.launch.internal.MissingDoPrivDetectionSecurityManager.checkPermission(MissingDoPrivDetectionSecurityManager.java:45)
    at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
    at java.base/java.lang.System.getProperty(System.java:506)
    at java.base/java.lang.System.getProperty(System.java:475)
    at jakarta.el.FactoryFinder.find(FactoryFinder.java:106)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:140)
    at jakarta.el.ExpressionFactory.newInstance(ExpressionFactory.java:110)
    at jakarta.el.ELUtil.<clinit>(ELUtil.java:60)
    at jakarta.el.ELManager.getExpressionFactory(ELManager.java:38)
    at jakarta.el.ELProcessor.<init>(ELProcessor.java:78)
I do not see any PrivilegedActions in the Eclipse EL API or Implementation, so I hope someone with more experience can provide additional information. Should this be addressed in our applications or in the API code? Thank you.
I believe the issue occurs on this line: https://github.com/eclipse-ee4j/el-ri/blob/73dd7029596c15923c08bf73e86dbea07f8c7b7b/api/src/main/java/jakarta/el/FactoryFinder.java#L106
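An added illustration, not part of the original post and not code from the EL API or Open Liberty: the usual library-side pattern for the `java.home` read that fails in the trace above is a narrow `doPrivileged` block. The class and method names (`JavaHomeLookup`, `javaHome`) are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper for illustration; not the EL API's FactoryFinder.
// AccessController and SecurityManager are deprecated for removal since
// Java 17 (JEP 411), so this compiles with deprecation warnings there.
public final class JavaHomeLookup {

    private JavaHomeLookup() {}

    /**
     * Reads "java.home" with this library's own permissions. The key is
     * hard-coded and the privileged block does nothing else, so less-trusted
     * callers cannot use it to read arbitrary system properties.
     * Returns null if the library itself lacks the permission, so a static
     * initializer that calls this does not die with
     * ExceptionInInitializerError (the trace above passes through <clinit>).
     */
    static String javaHome() {
        PrivilegedAction<String> read = () -> System.getProperty("java.home");
        try {
            // Without a SecurityManager there is nothing to check.
            if (System.getSecurityManager() == null) {
                return read.run();
            }
            // doPrivileged ends the permission check at this frame: this
            // class's protection domain must hold the PropertyPermission,
            // but the callers above it on the stack are not consulted.
            return AccessController.doPrivileged(read);
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException.
            return null;
        }
    }

    public static void main(String[] args) {
        String home = javaHome();
        System.out.println(home != null
                ? "java.home = " + home
                : "java.home not readable; caller must fall back");
    }
}
```

With this pattern the jar containing the helper still needs `permission java.util.PropertyPermission "java.home", "read";` in the server's policy, but application code calling into it does not.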