I doubt you have any options here for runtime weaving. The classloader in this case is controlled by Spring, and the security managers likely have a tight multi-tenant designed security policy.
The best bet, even with Spring is to change to compile-time weaving; this was the answer for an app I developed in the same situation.
Also, note that Java 11, and later versions of Spring all are getting better at access control and fixing holes. Earlier versions of Spring used to take advantage of the security holes in the JVM to work, many of these security holes are getting closed off.
You will also see more of these issues in the next LTS release (15 I think is the number).
Tim
From: aspectj-users <aspectj-users-bounces@xxxxxxxxxxx> On Behalf Of Andy Clement
Sent: Wednesday, June 9, 2021 3:59 PM
To: aspectj-users@xxxxxxxxxxx
Subject: Re: [aspectj-users] Openjdk11 and Security Manager
I'm not an expert on Java Security unfortunately (you might find a few of those folks if you ask this on Stack overflow?).
With your reference to it working for one classloader and not another, how feasible is it to set the context classloader to the one you find that works? Or will that break something else? (Thread.currentThread().setContextClassLoader(..))
It is possible some doPrivileged blocks are missing in the reflection area but then I see the doPrivileged call deeper in the checkPackageAccess call, so maybe raising up the privileged check will just make it fail sooner.
I am running into a weird exception on an open jdk 11 vm with a tight security manager policy.
What kind of control do I have to ReflectionBasedReferenceTypeDelegateFactory ?
In the past I had issues with how I get/handle the classloader but found a way to bypass it. However it was my own code so I could deal with it. Now I am facing a similar issue via the latest aspectj 1.9.6
//ClassLoader loader = Thread.currentThread().getContextClassLoader(); //doesn't work
ClassLoader loader = this.getClass().getClassLoader(); //<---- this works
Note that granting the permission is not a viable solution. It will be almost impossible to convince the vm owners to modify the policy. Has to be a different way.
Here's the full exception
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.jdk.internal.loader")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at java.base/java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1238)
at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:691)
at java.base/java.lang.ClassLoader$1.run(ClassLoader.java:689)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:689)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:398)
at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createDelegate(ReflectionBasedReferenceTypeDelegateFactory.java:40)
at org.aspectj.weaver.reflect.ReflectionWorld.resolveDelegate(ReflectionWorld.java:111)
at org.aspectj.weaver.World.resolveToReferenceType(World.java:363)
at org.aspectj.weaver.World.resolve(World.java:258)
at org.aspectj.weaver.World.resolve(World.java:180)
at org.aspectj.weaver.World.resolve(World.java:326)
at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:103)
at org.aspectj.weaver.reflect.ReflectionWorld.resolve(ReflectionWorld.java:93)
at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.toResolvedTypeArray(ReflectionBasedReferenceTypeDelegateFactory.java:214)
at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMethod(ReflectionBasedReferenceTypeDelegateFactory.java:107)
at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegateFactory.createResolvedMember(ReflectionBasedReferenceTypeDelegateFactory.java:98)
at org.aspectj.weaver.reflect.ReflectionBasedReferenceTypeDelegate.getDeclaredMethods(ReflectionBasedReferenceTypeDelegate.java:290)
at org.aspectj.weaver.ReferenceType.getDeclaredMethods(ReferenceType.java:571)
at org.aspectj.weaver.ResolvedType.addAndRecurse(ResolvedType.java:271)
at org.aspectj.weaver.ResolvedType.getMethodsWithoutIterator(ResolvedType.java:265)
at org.aspectj.weaver.ResolvedType.lookupResolvedMember(ResolvedType.java:420)
at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:178)
at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
at org.aspectj.weaver.JoinPointSignatureIterator.findSignaturesFromSupertypes(JoinPointSignatureIterator.java:202)
at org.aspectj.weaver.JoinPointSignatureIterator.hasNext(JoinPointSignatureIterator.java:69)
at org.aspectj.weaver.patterns.SignaturePattern.matches(SignaturePattern.java:298)
at org.aspectj.weaver.patterns.KindedPointcut.matchInternal(KindedPointcut.java:106)
at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
at org.aspectj.weaver.patterns.OrPointcut.matchInternal(OrPointcut.java:51)
at org.aspectj.weaver.patterns.Pointcut.match(Pointcut.java:146)
at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.getShadowMatch(PointcutExpressionImpl.java:235)
at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesExecution(PointcutExpressionImpl.java:101)
at org.aspectj.weaver.internal.tools.PointcutExpressionImpl.matchesMethodExecution(PointcutExpressionImpl.java:92)
at org.springframework.aop.aspectj.AspectJExpressionPointcut.getShadowMatch(AspectJExpressionPointcut.java:408)
at org.springframework.aop.aspectj.AspectJExpressionPointcut.matches(AspectJExpressionPointcut.java:266)
at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:223)
at org.springframework.aop.support.AopUtils.canApply(AopUtils.java:262)
at org.springframework.aop.support.AopUtils.findAdvisorsThatCanApply(AopUtils.java:294)
at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findAdvisorsThatCanApply(AbstractAdvisorAutoProxyCreator.java:118)
at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.findEligibleAdvisors(AbstractAdvisorAutoProxyCreator.java:88)
at org.springframework.aop.framework.autoproxy.AbstractAdvisorAutoProxyCreator.getAdvicesAndAdvisorsForBean(AbstractAdvisorAutoProxyCreator.java:69)
at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.wrapIfNecessary(AbstractAutoProxyCreator.java:361)
at org.springframework.aop.framework.autoproxy.AbstractAutoProxyCreator.postProcessAfterInitialization(AbstractAutoProxyCreator.java:324)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:409)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.postProcessObjectFromFactoryBean(AbstractAutowireCapableBeanFactory.java:1657)
at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:112)
... 42 more
_______________________________________________
aspectj-users mailing list
aspectj-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/aspectj-users
![]()
| Scanned by McAfee and confirmed virus-free. |