glassfish / GLASSFISH-20647

javax.servlet.jsp.jstl.core.LoopTagSupport exposes non-public interface through public API

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.2.2
    • Fix Version/s: None
    • Component/s: web_container
    • Labels:
      None
    • Environment:

      Description

      LoopTagSupport exports a default-access inner class implementation of LoopTagStatus through the getLoopStatus() function. In normal use, this class ends up being utilized in a <jstl:forEach> tag when the varStatus attribute is set. The problem is that javax.el.BeanELResolver throws an exception because this class is non-accessible, so that for example the following code:

      <jstl:forEach items="${breadcrumbPath.entries}" var="entry" varStatus="loop">
          <div>
              <a href="${entry.resource}">${entry.displayName}</a>
              &nbsp;${loop.isLast()?"":"&dot;"}
          </div>
      </jstl:forEach>

      results in an exception like:

      java.lang.IllegalAccessException: Class javax.el.BeanELResolver can not access a member of class javax.servlet.jsp.jstl.core.LoopTagSupport$1Status with modifiers "public"
      at sun.reflect.Reflection.ensureMemberAccess(Reflection.java:95)
      at java.lang.reflect.AccessibleObject.slowCheckMemberAccess(AccessibleObject.java:261)
      at java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:253)
      at java.lang.reflect.Method.invoke(Method.java:594)
      at javax.el.BeanELResolver.invokeMethod(BeanELResolver.java:779)
      at javax.el.BeanELResolver.invoke(BeanELResolver.java:528)
      at javax.el.CompositeELResolver.invoke(CompositeELResolver.java:257)
      at com.sun.el.parser.AstValue.getValue(AstValue.java:134)

      The inner class should be made public, or the bean resolver changed to not disallow access to public methods of default access inner classes. A workaround is to explicitly set the class to be accessible, but this is not always possible due to security sandbox restrictions.

      LoopTagSupport.java:387:
          /*
           * (Purposely inherit JavaDoc and semantics from LoopTag.
           * Subclasses can override this method for more fine-grained control
           * over LoopTagStatus, but an effort has been made to simplify
           * implementation of subclasses that are happy with reasonable default
           * behavior.)
           */
          public LoopTagStatus getLoopStatus() {

              // local implementation with reasonable default behavior
              class Status implements LoopTagStatus {

                  /*
                   * All our methods are straightforward. We inherit
                   * our JavaDoc from LoopTagSupport; see that class
                   * for more information.

        Activity

        badzen created issue -
        badzen added a comment - edited

        To clarify, the report title is misleading: the interface itself is public; the actual implementing class is default - so one would expect access to be allowed...

        Note however that Oracle says this is not a Java bug:

        http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7120817

        We'd have to invoke the Method object obtained from LoopTagStatus (the interface), and not the one obtained from LoopTagSupport$1Status (declared in LoopTagSupport.getLoopStatus()), and likely referenced from BeanELResolver (haven't read that source) via an Object.getClass() call...

        kumara made changes -
        Field Original Value New Value
        Assignee michael.y.chen [ michael.y.chen ] kchung [ kchung ]
        Component/s web_container [ 10622 ]
        kchung added a comment -

        This was fixed in javax.el-api-2.2 branch and the trunk.

        kchung made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        kchung added a comment -

        This is a duplicate of https://java.net/jira/browse/UEL-33


          People

          • Assignee:
            kchung
            Reporter:
            badzen