Re: [aspectj-users] Openjdk11 and Security Manager

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [aspectj-users] Openjdk11 and Security Manager

From: Andy Clement <andrew.clement@xxxxxxxxx>
Date: Wed, 9 Jun 2021 12:59:15 -0700
Delivered-to: aspectj-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/aspectj-users/>
List-help: <mailto:aspectj-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/aspectj-users>, <mailto:aspectj-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/aspectj-users>, <mailto:aspectj-users-request@eclipse.org?subject=unsubscribe>

Hey,

I'm not an expert on Java Security unfortunately (you might find a few of those folks if you ask this on Stack overflow?).

With your reference to it working for one classloader and not another, how feasible is it to set the context classloader to the one you find that works? Or will that break something else? (Thread.currentThread().setContextClassLoader(..))

It is possible some doPrivileged blocks are missing in the reflection area but then I see the doPrivileged call deeper in the checkPackageAccess call, so maybe raising up the privileged check will just make it fail sooner.

cheers,

Andy

On Wed, 9 Jun 2021 at 10:00, Constantin Moisei <constantin.moisei@xxxxxxxxx> wrote:

Hello,

I am running into a weird exception on an open jdk 11 vm with a tight security manager policy.

What kind of control do I have to ReflectionBasedReferenceTypeDelegateFactory ?

In the past I had issues with how I get/handle the classloader but found a way to bypass it. However it was my own code so I could deal with it. Now I am facing a similar issue via the latest aspectj 1.9.6

 //ClassLoader loader = Thread.currentThread().getContextClassLoader(); //doesn't work
 ClassLoader loader = this.getClass().getClassLoader(); //<---- this works

Note that granting the permission is not a viable solution. It will be almost impossible to convince the vm owners to modify the policy. Has to be a different way.

Here's the full exception

Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.loader")
		at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
		at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
		at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
		at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
		at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:691)
		at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:689)
		at java.base/java.security.AccessController.doPrivileged(Native Method)
		at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:689)
		at java.base/java.lang.Class.forName0(Native Method)
		at java.base/java.lang.Class.forName(Class.java:398)
		at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)
		at org.aspectj.weaver.reflect.ReflectionWorld.resolveDelegate(ReflectionWorld.java:111)
		at org.aspectj.weaver.World.resolveToReferenceType(World.java:363)
		at org.aspectj.weaver.World.resolve(World.java:258)
		at org.aspectj.weaver.World.resolve(World.java:180)
		at org.aspectj.weaver.World.resolve(World.java:326)
		at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:103)
		at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:93)
		at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.toResolvedTypeArray(ReflectionBasedReferenceTypeDelegateFactory.java:214)
		at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMethod(ReflectionBasedReferenceTypeDelegateFactory.java:107)
		at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMember(ReflectionBasedReferenceTypeDelegateFactory.java:98)
		at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(ReflectionBasedReferenceTypeDelegate.java:290)
		at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:571)
		at org.aspectj.weaver.ResolvedType.addAndRecurse(ResolvedType.java:271)
		at org.aspectj.weaver.ResolvedType.getMethodsWithoutIterator(ResolvedType.java:265)
		at org.aspectj.weaver.ResolvedType.lookupResolvedMember(ResolvedType.java:420)
		at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:178)
		at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
		at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
		at org.aspectj.weaver.JoinPointSignatureIterator.hasNext(JoinPointSignatureIterator.java:69)
		at org.aspectj.weaver.patterns.SignaturePattern.matches(SignaturePattern.java:298)
		at org.aspectj.weaver.patterns.KindedPointcut.matchInternal(KindedPointcut.java:106)
		at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
		at org.aspectj.weaver.patterns.OrPointcut.matchInternal(OrPointcut.java:51)
		at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
		at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.getShadowMatch(PointcutExpressionImpl.java:235)
		at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesExecution(PointcutExpressionImpl.java:101)
		at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesMethodExecution(PointcutExpressionImpl.java:92)
		at org.springframework.aop.aspectj.AspectJExpressionPointcut.getShadowMatch(AspectJExpressionPointcut.java:408)
		at org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExpressionPointcut.java:266)
		at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:223)
		at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262)
		at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:294)
		at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118)
		at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88)
		at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69)
		at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:361)
		at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:324)
		at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:409)
		at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:1657)
		at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:112)
		... 42 more

_______________________________________________
aspectj-users mailing list
aspectj-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/aspectj-users

Follow-Ups:
- Re: [aspectj-users] Openjdk11 and Security Manager
  - From: n614cd

References:
- [aspectj-users] Openjdk11 and Security Manager
  - From: Constantin Moisei

Prev by Date: [aspectj-users] Openjdk11 and Security Manager
Next by Date: Re: [aspectj-users] Openjdk11 and Security Manager
Previous by thread: [aspectj-users] Openjdk11 and Security Manager
Next by thread: Re: [aspectj-users] Openjdk11 and Security Manager
Index(es):
- Date
- Thread

Breadcrumbs