Hi,

I ran into this problem which is by no means a showstopper for me, but one I am trying to understand.

I am using Ognl to be able to allow users to craft their own "toString" functions for arbitrary classes. One that has caused problems is an array of java.security.cert.X509Certificate, as one would get when nogotiating an SSL connection, and inspecting the server certs.

I tried to extract the subjectAlternativeNames of the first certificate using (https://docs.oracle.com/javase/8/docs/api/java/security/cert/X509Certificate.html#getSubjectAlternativeNames--) with the expression "[0].getSubjectAlternativeNames()", but received the following exception:

java.lang.IllegalAccessException: class ognl.OgnlRuntime cannot access class sun.security.x509.X509CertImpl (in module java.base) because module java.base does not export sun.security.x509 to unnamed module @5f16132a
at java.base/jdk.internal.reflect.Reflection.newIllegalAccessException(Reflection.java:392)
at java.base/java.lang.reflect.AccessibleObject.checkAccess(AccessibleObject.java:674)
at java.base/java.lang.reflect.Method.invoke(Method.java:560)
at ognl.OgnlRuntime.invokeMethodInsideSandbox(OgnlRuntime.java:882)
at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:867)
at ognl.OgnlRuntime.getMethodValue(OgnlRuntime.java:1712)
at ognl.ObjectPropertyAccessor.getPossibleProperty(ObjectPropertyAccessor.java:47)
at ognl.ObjectPropertyAccessor.getProperty(ObjectPropertyAccessor.java:110)
at ognl.OgnlRuntime.getProperty(OgnlRuntime.java:2352)

My first guess, not being familiar with the Ognl codebase, is that OgnlRuntime.findBestMethod() somehow needs to consider class interfaces and prioritise public interfaces over internal implementations when choosing the method to return.