Bug 1155823

Summary: [GSS] (6.4.0) Package certificate SecurityErrors triggered by MODULES-192
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: James Livingston <jlivings>
Component: Class LoadingAssignee: David M. Lloyd <david.lloyd>
Status: CLOSED CURRENTRELEASE QA Contact: Martin Svehla <msvehla>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 6.3.1CC: cdewolf, jmartisk, joallen, kkhan, msvehla
Target Milestone: DR11Keywords: Regression
Target Release: EAP 6.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
In previous releases of JBoss EAP 6, the `JarFileResourceLoader` attempted to retrieve the certificates before rather than after reading the class stream, which resulted in the certificates not being loaded. This would cause a `SecurityError` to occur when signed classes were loaded concurrently by multiple threads. In this release the `JarFileResourceLoader` retrieves the certificates after reading the class stream and the `SecurityError` no longer occurs.
 Story Points: ---
Clone Of:
: 1155824 (view as bug list) Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1155824, 1161353    

Description James Livingston 2014-10-22 23:00:22 UTC 
Bug 1116806 pulled in MODULES-192, which introduced a problem which can cause classloading failures of signed jars.

The JarEntry.getCodeSigners() call was moved from after to before the input stream is read, and as per the documentation it MUST be after. This will cause null to be returned rather than the signing certificates the first time the resource loader is called for it.

Usually the resource loader will only be called once for a class since it is cached after being loaded, so the only effect is the missing certificates. If however two threads concurrently load the same class, the second caller to the resource loader will get the certificates, resulting in a SecurityError since it does not match the lack of certificates for other classes.


This has been seen occurring for the MS SQL JDBC driver (which is code-signed) when deployed as module.
Comment 1 Kabir Khan 2014-11-20 12:07:26 UTC 
Assume this is fixed by 1.3.5 modules upgrade
Comment 2 Martin Svehla 2014-11-24 08:14:05 UTC 
*** Bug 1154682 has been marked as a duplicate of this bug. ***
Comment 3 Jan Martiska 2014-11-26 12:51:47 UTC 
Martin, you seem to have encountered the same bug and therefore I suppose you will be more competent to verify this ;)
Comment 4 Martin Svehla 2014-12-02 10:54:29 UTC 
Verified with EAP 6.4.0.DR11 / JBoss Modules 1.3.6.Final