Bug 807578

Summary: Hibernate 3.3 causes security check failure when combined with Spring Roo
Product: [Retired] JBoss Enterprise WFK Platform 2 Reporter: Tomas Repel <trepel>
Component: SpringAssignee: Marius Bogoevici <mariusb>
Status: CLOSED WONTFIX QA Contact: Tomas Repel <trepel>
Severity: medium Docs Contact:
Priority: medium    
Version: 2.0.0.ER3CC: irooskov, kpiwko, mnovotny, rruss
Target Milestone: ---   
Target Release: 2.1.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Packaging Hibernate 3.3 and Spring Roo libraries in an application causes the security check to fail, due to a combination of signed and unsigned jars. This is because the Hibernate jars in Enterprise Web Server come signed, and Hibernate has a transitive dependency on commons-collections. Spring Roo uses Struts Tiles, an artifact that has a transitive dependency on commons-beanutils, which is unsigned and contains same classes as commons-collections. The workaround for this issue is to use the community or unsigned version of commons-collections within an application that also uses Spring Roo.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-10-22 12:11:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
war with hibernate 3.3 and spring roo none

Description Tomas Repel 2012-03-28 08:40:06 UTC 
Created attachment 573271 [details]
war with hibernate 3.3 and spring roo

Description of problem:

Hibernate has transitive dependency on commons-collections. Spring Roo uses Tiles in examples and Tiles transitively depends on commons-beanutils.

When a developer packages Hibernate and Spring Roo libs in an application, he
gets a combination of signed commons-collections and unsigned commons-beanutils.

The problem is described in more detail: https://bugzilla.redhat.com/show_bug.cgi?id=769022

How reproducible:

Always.

Steps to Reproduce:
1. deploy attached war on EAP6 Beta 
2. navigate to localhost/spring-roo-10-petclinic
  
Security check failure:

09:17:02,454 WARN  [org.jboss.modules] (http-localhost-127.0.0.1-8080-1) Failed to define class org.apache.commons.collections.ArrayStack in Module "deployment.spring-roo-10-petclinic.war:main" from Service Module Loader: java.lang.SecurityException: class "org.apache.commons.collections.ArrayStack"'s signer information does not match signer information of other classes in the same package
	at java.lang.ClassLoader.checkCerts(ClassLoader.java:787) [rt.jar:1.6.0_22]
	at java.lang.ClassLoader.preDefineClass(ClassLoader.java:502) [rt.jar:1.6.0_22]
	at java.lang.ClassLoader.defineClass(ClassLoader.java:628) [rt.jar:1.6.0_22]
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) [rt.jar:1.6.0_22]
	at org.jboss.modules.ModuleClassLoader.doDefineOrLoadClass(ModuleClassLoader.java:327)
	at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:391)
	at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:243)
	at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:73)
	at org.jboss.modules.Module.loadModuleClass(Module.java:517)
	at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:182)
	at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:468)
	at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:456)
	at org.jboss.modules.ConcurrentClassLoader.performLoadClassChecked(ConcurrentClassLoader.java:423)
	at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
	at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:120)
	at org.apache.commons.digester.Digester.<init>(Digester.java:153) [commons-digester-1.8.1.jar:1.8.1]
	at org.apache.tiles.definition.digester.DigesterDefinitionsReader.<init>(DigesterDefinitionsReader.java:269) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.definition.dao.BaseLocaleUrlDefinitionDAO.init(BaseLocaleUrlDefinitionDAO.java:141) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.definition.dao.CachingLocaleUrlDefinitionDAO.init(CachingLocaleUrlDefinitionDAO.java:109) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.definition.LocaleDefinitionsFactory.init(LocaleDefinitionsFactory.java:122) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.factory.TilesContainerFactory.postCreationOperations(TilesContainerFactory.java:506) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.factory.TilesContainerFactory.storeContainerDependencies(TilesContainerFactory.java:469) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.factory.TilesContainerFactory.initializeContainer(TilesContainerFactory.java:368) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.factory.TilesContainerFactory.createTilesContainer(TilesContainerFactory.java:287) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.factory.TilesContainerFactory.createContainer(TilesContainerFactory.java:231) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.startup.BasicTilesInitializer.createContainer(BasicTilesInitializer.java:117) [tiles-core-2.1.3.jar:2.1.3]
	at org.apache.tiles.startup.BasicTilesInitializer.initialize(BasicTilesInitializer.java:53) [tiles-core-2.1.3.jar:2.1.3]
	at org.springframework.web.servlet.view.tiles2.TilesConfigurer.afterPropertiesSet(TilesConfigurer.java:339) [spring-webmvc-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1514) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1452) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:519) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585) [spring-beans-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913) [spring-context-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464) [spring-context-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.configureAndRefreshWebApplicationContext(FrameworkServlet.java:631) [spring-webmvc-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:588) [spring-webmvc-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.createWebApplicationContext(FrameworkServlet.java:645) [spring-webmvc-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.initWebApplicationContext(FrameworkServlet.java:508) [spring-webmvc-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.servlet.FrameworkServlet.initServletBean(FrameworkServlet.java:449) [spring-webmvc-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.servlet.HttpServletBean.init(HttpServletBean.java:133) [spring-webmvc-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at javax.servlet.GenericServlet.init(GenericServlet.java:242) [jboss-servlet-api_3.0_spec-1.0.0.Final-redhat-1.jar:1.0.0.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1202) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:952) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:703) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:541) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:479) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:407) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.tuckey.web.filters.urlrewrite.NormalRewrittenUrl.doRewrite(NormalRewrittenUrl.java:195) [urlrewritefilter-3.1.0.jar:3.1.0]
	at org.tuckey.web.filters.urlrewrite.RuleChain.handleRewrite(RuleChain.java:159) [urlrewritefilter-3.1.0.jar:3.1.0]
	at org.tuckey.web.filters.urlrewrite.RuleChain.doRules(RuleChain.java:141) [urlrewritefilter-3.1.0.jar:3.1.0]
	at org.tuckey.web.filters.urlrewrite.UrlRewriter.processRequest(UrlRewriter.java:90) [urlrewritefilter-3.1.0.jar:3.1.0]
	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:417) [urlrewritefilter-3.1.0.jar:3.1.0]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77) [spring-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) [spring-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88) [spring-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) [spring-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173) [spring-security-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259) [spring-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:147) [spring-orm-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) [spring-web-3.1.0.RELEASE.jar:3.1.0.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.0.Final-redhat-1.jar:7.1.0.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final-redhat-1.jar:7.1.0.Final-redhat-1]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final-redhat-1.jar:]
	at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_22]


Expected results:


Additional info:
Comment 1 Marius Bogoevici 2012-04-12 20:35:12 UTC 
Suggestion - rework the technical note from 769022 to include this case.
Comment 2 Karel Piwko 2012-06-13 12:22:00 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Packaging Hibernate 3.3 and Spring Roo libraries in an
application causes the security check to fail, due
to a combination of signed and unsigned jars. This is because the Hibernate jars in Enterprise Web Server come signed, and Hibernate has a transitive
dependency on commons-collections. 

Spring Roo uses Struts Tiles, an artifact that has a transitive dependency on commons-beanutils, which is unsigned and contains same classes as commons-collections.

The workaround for this issue is to use the community or unsigned version of commons-collections within an application that also uses Spring Roo.
Comment 4 Karel Piwko 2012-10-22 12:11:45 UTC 
Spring Roo 1.0.x, which supports JPA1/Hibernate 3.3 is no longer supported in WFK 2.1.0.

Newer versions of Spring Roo target JPA2/Hibernate 4.