Re: [aspectj-users] Openjdk11 and Security Manager

Thanks both Andy and Tim! 

As Tim pointed out, we don't control the weaving; it happens during the app startup.

I could look into what Tim mentions here, to just use compile-time weaving, but I need to do some research.

My original thought was to create an alternate factory and allow it to use its getClass().getClassLoader(). I mean that could be a fix. I didn't check the source, but how is the classloader handled at this line (ReflectionBasedReferenceTypeDelegateFactory.java:40)?

>at java.base/java.lang.Class.forName(Class.java:398)
>at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)

Talking about sources, where is the repo? I could create my own variant to see if I can bypass the issue.


On Wed, 9 Jun 2021 at 15:05, <n614cd@xxxxxxxxx> wrote:

I doubt you have any options here for runtime weaving. The classloader in this case is controlled by Spring, and the security managers likely have a tight multi-tenant designed security policy.

The best bet, even with Spring is to change to compile-time weaving; this was the answer for an app I developed in the same situation.

Also, note that Java 11 and later versions of Spring are all getting better at access control and fixing holes. Earlier versions of Spring used to take advantage of the security holes in the JVM to work; many of these security holes are getting closed off.

You will also see more of these issues in the next LTS release (15 I think is the number).

Tim

From: aspectj-users <aspectj-users-bounces@xxxxxxxxxxx> On Behalf Of Andy Clement
Sent: Wednesday, June 9, 2021 3:59 PM
To: aspectj-users@xxxxxxxxxxx
Subject: Re: [aspectj-users] Openjdk11 and Security Manager

Hey,

I'm not an expert on Java Security unfortunately (you might find a few of those folks if you ask this on Stack Overflow?).

With your reference to it working for one classloader and not another, how feasible is it to set the context classloader to the one you find that works? Or will that break something else? (Thread.currentThread().setContextClassLoader(..))

It is possible some doPrivileged blocks are missing in the reflection area, but then I see the doPrivileged call deeper in the checkPackageAccess call, so maybe raising up the privileged check will just make it fail sooner.

cheers,

Andy

On Wed, 9 Jun 2021 at 10:00, Constantin Moisei <constantin.moisei@xxxxxxxxx> wrote:

Hello,


I am running into a weird exception on an OpenJDK 11 VM with a tight security manager policy.

What kind of control do I have over ReflectionBasedReferenceTypeDelegateFactory?

In the past I had issues with how I get/handle the classloader but found a way to bypass it. However, it was my own code so I could deal with it. Now I am facing a similar issue via the latest AspectJ 1.9.6.

 //ClassLoader loader = Thread.currentThread().getContextClassLoader(); //doesn't work
 ClassLoader loader = this.getClass().getClassLoader(); //<---- this works

Note that granting the permission is not a viable solution. It will be almost impossible to convince the VM owners to modify the policy. Has to be a different way.

Here's the full exception:

Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.loader")
               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
               at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
               at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
               at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:691)
               at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:689)
               at java.base/java.security.AccessController.doPrivileged(Native Method)
               at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:689)
               at java.base/java.lang.Class.forName0(Native Method)
               at java.base/java.lang.Class.forName(Class.java:398)
               at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)
               at org.aspectj.weaver.reflect.ReflectionWorld.resolveDelegate(ReflectionWorld.java:111)
               at org.aspectj.weaver.World.resolveToReferenceType(World.java:363)
               at org.aspectj.weaver.World.resolve(World.java:258)
               at org.aspectj.weaver.World.resolve(World.java:180)
               at org.aspectj.weaver.World.resolve(World.java:326)
               at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:103)
               at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:93)
               at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.toResolvedTypeArray(ReflectionBasedReferenceTypeDelegateFactory.java:214)
               at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMethod(ReflectionBasedReferenceTypeDelegateFactory.java:107)
               at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMember(ReflectionBasedReferenceTypeDelegateFactory.java:98)
               at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(ReflectionBasedReferenceTypeDelegate.java:290)
               at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:571)
               at org.aspectj.weaver.ResolvedType.addAndRecurse(ResolvedType.java:271)
               at org.aspectj.weaver.ResolvedType.getMethodsWithoutIterator(ResolvedType.java:265)
               at org.aspectj.weaver.ResolvedType.lookupResolvedMember(ResolvedType.java:420)
               at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:178)
               at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
               at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
               at org.aspectj.weaver.JoinPointSignatureIterator.hasNext(JoinPointSignatureIterator.java:69)
               at org.aspectj.weaver.patterns.SignaturePattern.matches(SignaturePattern.java:298)
               at org.aspectj.weaver.patterns.KindedPointcut.matchInternal(KindedPointcut.java:106)
               at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
               at org.aspectj.weaver.patterns.OrPointcut.matchInternal(OrPointcut.java:51)
               at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
               at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.getShadowMatch(PointcutExpressionImpl.java:235)
               at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesExecution(PointcutExpressionImpl.java:101)
               at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesMethodExecution(PointcutExpressionImpl.java:92)
               at org.springframework.aop.aspectj.AspectJExpressionPointcut.getShadowMatch(AspectJExpressionPointcut.java:408)
               at org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExpressionPointcut.java:266)
               at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:223)
               at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262)
               at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:294)
               at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118)
               at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88)
               at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69)
               at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:361)
               at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:324)
               at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:409)
               at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:1657)
               at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:112)
               ... 42 more

_______________________________________________
aspectj-users mailing list
aspectj-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/aspectj-users
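
A diagnostic for the classloader question raised in this thread, added here as an example and not taken from AspectJ, Spring or any of the posters: it resolves a type name with `Class.forName` through the probing class's own loader and through the thread context loader, and reports which lookups the security manager refuses. The class name `LoaderProbe` and the two default type names are assumptions chosen for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added diagnostic: LoaderProbe and the default type names are assumptions, not AspectJ or Spring code.
public class LoaderProbe {

    // Resolve one type through one loader without running static initializers.
    static String probe(String typeName, ClassLoader loader) {
        try {
            Class.forName(typeName, false, loader);
            return "LOADED";
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException; its message names
            // the refused permission, e.g. accessClassInPackage.<package>.
            return "DENIED  " + e.getMessage();
        } catch (ClassNotFoundException e) {
            return "NOT_FOUND";
        } catch (LinkageError e) {
            return "LINKAGE_ERROR  " + e;
        }
    }

    // Run the probe with each loader the thread discusses.
    static Map<String, String> probeAll(String typeName) {
        Map<String, String> results = new LinkedHashMap<>();
        ClassLoader own = LoaderProbe.class.getClassLoader();
        results.put("own class loader", probe(typeName, own));
        try {
            ClassLoader ctx = Thread.currentThread().getContextClassLoader();
            results.put("thread context loader" + (ctx == own ? " (same object)" : ""),
                        probe(typeName, ctx));
        } catch (SecurityException e) {
            // Reading the context loader can itself require "getClassLoader".
            results.put("thread context loader", "UNREADABLE  " + e.getMessage());
        }
        return results;
    }

    public static void main(String[] args) {
        // Constructed defaults: one exported JDK type and one type in the package
        // named in the trace; pass the types your pointcuts touch instead.
        String[] types = args.length > 0 ? args
                : new String[] {"java.lang.String", "jdk.internal.loader.ClassLoaders"};
        for (String type : types) {
            probeAll(type).forEach((loader, outcome) ->
                    System.out.println(type + " via " + loader + ": " + outcome));
        }
    }
}
```

Run it inside the restricted deployment, since the outcome depends on the policy in force there; without a security manager every resolvable type reports LOADED.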

 

