Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1155824

Summary: [GSS] (6.3.z) Package certificate SecurityErrors triggered by MODULES-192
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: James Livingston <jlivings>
Component: Class LoadingAssignee: David M. Lloyd <david.lloyd>
Status: CLOSED CURRENTRELEASE QA Contact: Martin Svehla <msvehla>
Severity: urgent Docs Contact:
Priority: high    
Version: 6.3.1CC: bbaranow, cdewolf, david.lloyd, jawilson, joallen, msvehla
Target Milestone: CR1Keywords: Regression
Target Release: EAP 6.3.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: JarFileResourceLoader attempts to retrieve the certificates before rather than after reading the class stream, which usually results in the certificates not being loaded. Consequence: When signed classes are loaded concurrently by multiple threads, a SecurityError may occur. Fix: Retrieve the certificates after reading the class stream instead. Result: No SecurityError occurs.
 Story Points: ---
Clone Of: 1155823 Environment:
Last Closed: 2019-08-19 12:42:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1155823    
Bug Blocks: 1151405, 1161356    

Description James Livingston 2014-10-22 23:05:33 UTC 
+++ This bug was initially created as a clone of Bug #1155823 +++

Bug 1116806 pulled in MODULES-192, which introduced a problem which can cause classloading failures of signed jars.

The JarEntry.getCodeSigners() call was moved from after to before the input stream is read, and as per the documentation it MUST be after. This will cause null to be returned rather than the signing certificates the first time the resource loader is called for it.

Usually the resource loader will only be called once for a class since it is cached after being loaded, so the only effect is the missing certificates. If however two threads concurrently load the same class, the second caller to the resource loader will get the certificates, resulting in a SecurityError since it does not match the lack of certificates for other classes.


This has been seen occurring for the MS SQL JDBC driver (which is code-signed) when deployed as module.
Comment 3 Dominik Pospisil 2014-12-03 11:32:28 UTC 
Fixed in jboss-modules-1.3.5.
Comment 4 Martin Svehla 2015-01-27 11:50:03 UTC 
Verified with EAP 6.3.3.CP.CR2 / JBoss Modules 1.3.5.Final