Bug 1155823 - [GSS] (6.4.0) Package certificate SecurityErrors triggered by MODULES-192
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Class Loading (Show other bugs)
Version: 6.3.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: DR11
Target Release: EAP 6.4.0
Assigned To: David M. Lloyd
QA Contact: Martin Svehla
Keywords: Regression
Duplicates: 1154682 (view as bug list)
Depends On:
Blocks: 1155824 1161353
Reported: 2014-10-22 19:00 EDT by James Livingston
Modified: 2018-03-06 15:40 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In previous releases of JBoss EAP 6, the `JarFileResourceLoader` attempted to retrieve the certificates before rather than after reading the class stream, which resulted in the certificates not being loaded. This would cause a `SecurityError` to occur when signed classes were loaded concurrently by multiple threads. In this release the `JarFileResourceLoader` retrieves the certificates after reading the class stream and the `SecurityError` no longer occurs.
Story Points: ---
Clone Of:
Clones: 1155824 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 1116806 | None | VERIFIED | (6.4.0) Performance degradation caused by MODULES-192 | 2018-06-27 22:14 EDT
JBoss Issue Tracker MODULES-201 | Major | Resolved | Package certificate SecurityErrors triggered by MODULES-192 | 2018-06-27 22:14 EDT

Description James Livingston 2014-10-22 19:00:22 EDT
Bug 1116806 pulled in MODULES-192, which introduced a problem which can cause classloading failures of signed jars.

The JarEntry.getCodeSigners() call was moved from after to before the input stream is read, and as per the documentation it MUST be after. This will cause null to be returned rather than the signing certificates the first time the resource loader is called for it.

Usually the resource loader will only be called once for a class since it is cached after being loaded, so the only effect is the missing certificates. If however two threads concurrently load the same class, the second caller to the resource loader will get the certificates, resulting in a SecurityError since it does not match the lack of certificates for other classes.

This has been seen occurring for the MS SQL JDBC driver (which is code-signed) when deployed as a module.
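To make the ordering rule in the description concrete, here is a hypothetical minimal resource loader written for this page (it is not JBoss Modules' JarFileResourceLoader); the class and method names are assumptions, and the only API it relies on is java.util.jar, whose JarEntry.getCodeSigners() contract requires the entry stream to have been read to the end first.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical loader (not the project's code) showing the correct order:
// signature verification happens while the entry is read, so the signers
// are only populated once the stream has been consumed completely.
public final class SignedEntryLoader {

    public static final class Resource {
        public final byte[] bytes;
        public final CodeSigner[] signers; // null for an unsigned entry
        Resource(byte[] bytes, CodeSigner[] signers) {
            this.bytes = bytes;
            this.signers = signers;
        }
    }

    // The JarFile must have been opened with verify=true for signers to exist.
    public static Resource load(JarFile jar, String name) throws IOException {
        JarEntry entry = jar.getJarEntry(name);
        if (entry == null) {
            return null;
        }
        byte[] bytes;
        try (InputStream in = jar.getInputStream(entry)) {
            bytes = readFully(in);   // read to EOF first ...
        }
        // ... then ask for the signers. Calling getCodeSigners() before the
        // read above returns null on the first load of the entry, which is the
        // defect this bug describes: one thread defines the class with no
        // signers, a concurrent thread defines another class of the same
        // package with signers, and defineClass raises a SecurityError.
        CodeSigner[] signers = entry.getCodeSigners();
        return new Resource(bytes, signers);
    }

    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }
}
```

Open the archive with `new JarFile(path, true)` and pass the entry name (for example `com/example/Foo.class`) to `load`; a signed entry then yields a non-null `signers` array, whereas the reversed order yields null on the first call.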
Comment 1 Kabir Khan 2014-11-20 07:07:26 EST
Assume this is fixed by 1.3.5 modules upgrade
Comment 2 Martin Svehla 2014-11-24 03:14:05 EST
*** Bug 1154682 has been marked as a duplicate of this bug. ***
Comment 3 Jan Martiska 2014-11-26 07:51:47 EST
Martin, you seem to have encountered the same bug and therefore I suppose you will be more competent to verify this ;)
Comment 4 Martin Svehla 2014-12-02 05:54:29 EST
Verified with EAP 6.4.0.DR11 / JBoss Modules 1.3.6.Final
