NotWritablePropertyException when attempting to declaratively configure ClassLoader properties #28269
Comments
We have a very defensive check against ClassLoader access in place now, for declarative references to ClassLoader properties specifically. In common application setup, there should never be a need to set a ClassLoader property declaratively. Could you provide some insight into what is being configured there and where the value to the ClassLoader property is coming from? Generally speaking, any such ClassLoader configuration should be left up to the container ( Last but not least, we are aware that this is technically a regression for isolated declarative configuration cases, as a side effect of a defensive security measure. If there are common scenarios where this regression remains unresolvable, we might specifically enable certain ClassLoader configuration scenarios again in a follow-up Spring Framework release. We aim to understand every such scenario first, considering alternatives before re-enabling declarative ClassLoader access for them.
@jhoeller but what has changed from 5.2.19 to 5.2.20? Everything was working fine in 5.2.19 but is breaking with 5.2.20.
This was a change in response to the current CVE which uses an attack vector via accidentally exposed ClassLoaders. As a consequence, ClassLoader access via declarative bindings has been severely restricted. Sorry for the inconvenience... We'd like to understand which specific kind of bean you are configuring that needs to accept a declarative "classLoader" property. This is not commonly done; ClassLoaders are usually configured programmatically. If you could show the bean definition affected, we could evaluate alternatives or whether this suggests re-enabling as per my final paragraph above.
Following on from the discussion started in #28261. The Eclipse Gemini Blueprints project uses the It appears that Gemini has had no updates since 2018, so the odds of them redesigning their stuff seem remote, but this leaves us in the unpleasant position of being unable to upgrade to 5.3.18
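This is a snippet of my code, the way I am using it. The bean is configured through XML.

```java
import com.hazelcast.config.Config; // assumed: Config is Hazelcast's configuration class
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;

public class HazelcastClassLoaderSetter implements BeanPostProcessor
{
    private ClassLoader classLoader;

    // Declarative "classLoader" property, set from the XML bean definition
    public void setClassLoader(ClassLoader classLoader)
    {
        this.classLoader = classLoader;
    }

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException
    {
        // Hand the configured ClassLoader to every Config bean before it is initialized
        if (bean instanceof Config)
        {
            ((Config) bean).setClassLoader(classLoader);
        }
        return bean;
    }
}
```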
@szwlhd alright, and where does the ClassLoader reference come from? Some XML reference to another bean? If all you need to do there is pass the Spring-managed bean ClassLoader along to Hazelcast, the proper way to do this is to make
To all affected here, we recommend revisiting each such rare case of custom ClassLoader injection since there is usually a preferable official mechanism to use instead. That said, we intend to relax this new ClassLoader defensiveness check to re-enable ClassLoader configuration properties in general, as far as possible without sacrificing the original defensiveness against accidental ClassLoader exposure. For that reason, I'm scheduling this ticket for 5.3.19, along with a backport to 5.2.21.
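One programmatic alternative to the declarative `classLoader` property discussed in this thread, as an added example that is not code from the thread or from the Spring project: the post-processor receives the container's bean ClassLoader through Spring's `BeanClassLoaderAware` callback, so no ClassLoader-typed property appears in the XML. It assumes that `Config` is `com.hazelcast.config.Config` and that the ClassLoader wanted is the Spring-managed bean ClassLoader; it does not cover a custom ClassLoader supplied by another bean.

```java
import com.hazelcast.config.Config; // assumption: Hazelcast's configuration class
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.beans.factory.config.BeanPostProcessor;

/**
 * Passes the container's bean ClassLoader to Hazelcast Config beans.
 * The ClassLoader arrives through a container callback, not through
 * a declarative <property name="classLoader" .../> binding.
 */
public class HazelcastClassLoaderSetter implements BeanPostProcessor, BeanClassLoaderAware {

    private ClassLoader beanClassLoader;

    // Called by the bean factory while this post-processor itself is initialized.
    @Override
    public void setBeanClassLoader(ClassLoader classLoader) {
        this.beanClassLoader = classLoader;
    }

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
        // Only Hazelcast Config beans are touched; every other bean passes through unchanged.
        if (bean instanceof Config) {
            ((Config) bean).setClassLoader(this.beanClassLoader);
        }
        return bean;
    }
}
```

The XML bean definition for this class then carries no `classLoader` property at all, which keeps it clear of the restricted declarative binding path.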
By when are we expecting the 5.2.21 release?
@szwlhd we do our best to keep our milestones page accurate. You can figure it out yourself.
Thanks a lot
…er methods Closes spring-projectsgh-28269 (cherry picked from commit 9f91168) (cherry picked from commit 69c7eb9)
Until now my application was running fine with the 5.2.19.RELEASE version, but as soon as I update Spring Framework to 5.2.20.RELEASE I get the error NotWritablePropertyException : Bean property 'classLoader' is not writable or has an invalid setter method. Does the parameter type of the setter match the return type of the getter?
Could you please look into this.