Gracefully degradation if loading system properties throws an exception (e.g. Java Security Manager)

[karlrwjohnson]

I'm trying to run Janino in an environment where the Java Security Manager restricts reading system properties unless specifically permitted. (Yes, my organization's IT department relies on Java's Security Manager, despite the fact Oracle has deprecated it and plans to remove it. I'm not in charge of that decision.)

When the Security Manager blocks reading a property, it throws a security exception where the read was attempted. I can petition my IT department to add new system properties, but the process is bureaucratic and slow.

Between 3.1.6 and 3.1.9, Janino started reading several System Properties while loading the classes AbstractCompiler and SimpleCompiler. I have successfully petitioned the security folks to permit loading system properties from a wildcard (org.janino.*), but the fallback mechanism in SystemProperties.java -- whereby it checks for a full classpath, but falls back to the class' simple name if another value is not found -- makes it very difficult to write a policy exception because every time a new class in Janino reads a system property, we'd have to account for it.

I propose wrapping these reads in a simple try/catch block.

I can provide a merge request.

[aunkrig]

Crazy what these architecture departments come up with... fixed it.
Please test.

[karlrwjohnson]

Thanks for fixing this so quickly.

Do you have a release we can use to test with? I see that 3.1.9 is still the latest release.

What do you recommend?

[aunkrig]

No problem; I will soon prepare a new release. Stay tuned...

[aunkrig]

Release 3.1.10 is out the door.

[karlrwjohnson]

Thanks, I'm starting to validate the change. Just waiting on pipelines...

[karlrwjohnson]

Oh man, you gotta be kidding me. Apparently there's other usages of System.getProperty that are throwing errors now. I didn't even know Boolean.getBoolean("name.of.property") was a thing.

	Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "org.codehaus.janino.CodeContext.suppressStackMapTable" "read")
		at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
		at java.base/java.security.AccessController.checkPermission(AccessController.java:897)
		at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
		at java.base/java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1066)
		at java.base/java.lang.System.getProperty(System.java:816)
		at java.base/java.lang.Boolean.getBoolean(Boolean.java:265)
		at org.codehaus.janino.CodeContext.<clinit>(CodeContext.java:64)
		... 156 more

Meanwhile, our IT department has agreed to add wildcard exceptions for Janino, so I think we'll be okay soon even if there aren't any other changes. I can't speak for anyone else who's using the Security Manager.

As far as I'm concerned, I don't need this issue to be open any longer. I'll leave it up to you what you want to do with it.

Thanks again!

[aunkrig]

I'd say that nobody else has ever configured the SecurityManager to catch System.getProperty() (and its friends), so since you don't requeire it any more, I'll refrain from fixing all the occurrences.