780770 – (SOA-3223) JBoss VFS eagerly loads signing information, resulting in SecurityException

Bug 780770 (SOA-3223) - JBoss VFS eagerly loads signing information, resulting in SecurityException

Summary: JBoss VFS eagerly loads signing information, resulting in SecurityException

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	SOA-3223
Product:	JBoss Enterprise SOA Platform 5
Classification:	JBoss
Component:	EAP
Sub Component:
Version:	5.2.0 ER1
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Target Release:	5.2.0 GA,5.2.0.ER2
Assignee:	Kevin Conner
QA Contact:
Docs Contact:
URL:	http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On:
Blocks:	780812
TreeView+	depends on / blocked

Reported:	2011-07-27 18:56 UTC by Len DiMaggio
Modified:	2011-08-29 19:27 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-08-29 19:27:12 UTC
Type:	Bug

Attachments	(Terms of Use)
server.log (209.14 KB, text/plain) 2011-07-27 18:57 UTC, Len DiMaggio	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SOA-3223	0	Blocker	Closed	JBoss VFS eagerly loads signing information, resulting in SecurityException	2014-02-07 10:14:04 UTC

Description Len DiMaggio 2011-07-27 18:56:18 UTC

project_key: SOA

Running the business_rules_service quickstart raises this exception:

2011-07-27 14:29:33,231 WARN  [org.jboss.detailed.classloader.ClassLoaderManager] (pool-38-thread-1) Unexpected error during load of:org.drools.spi.CompiledInvoker
java.lang.SecurityException: class "org.drools.spi.CompiledInvoker"'s signer information does not match signer information of other classes in the same package

Comment 1 Len DiMaggio 2011-07-27 18:56:43 UTC

Affects Testing: Added: [Blocks Testing]
Blocked Tests: Added: Rules based services

Comment 2 Len DiMaggio 2011-07-27 18:57:08 UTC

Attachment: Added: server.log

Comment 3 Len DiMaggio 2011-07-27 20:34:29 UTC

Assigning to David to incorporate review comments.

Comment 4 David Le Sage 2011-08-03 00:39:43 UTC

Release Notes Docs Status: Added: Not Required
Writer: Added: dlesage

Comment 5 Douglas Palmer 2011-08-05 14:35:07 UTC

This is still an issue with my ER2 builds.

Comment 6 Kevin Conner 2011-08-08 16:20:59 UTC

The issue occurs when the org.drools.util.CompositeClassLoader first attempts to load a class from the 'org.drools.spi' package as it results in the attempt being made without any signing information.  Previous classes within that package have been loaded through the normal classloader mechanism and have the correct signer information attached.

Still investigating.

Comment 7 Kevin Conner 2011-08-09 04:21:48 UTC

It looks like this is a bug in the CertificateReaderInputStream, inherited from EAP.  Drools seems to be triggering this issue through their EclipseJavaCompiler class.

I think I have enough information to create a test case, will handle this tomorrow.

Comment 8 Kevin Conner 2011-08-09 15:44:41 UTC

Raised JBVFS-176 to cover this issue.  I have compiled my suggested fix and installed it into SOA, this addresses the drools classloading issue.

Comment 9 Kevin Conner 2011-08-09 15:49:50 UTC

Link: Added: This issue depends JBPAPP-6983

Comment 10 Pavel Macik 2011-08-11 14:35:57 UTC

Link: Added: This issue is a dependency of SOA-3258

Comment 11 Douglas Palmer 2011-08-12 22:55:14 UTC

Patch jar integrated into SOA-P for ER2.

Comment 12 Len DiMaggio 2011-08-29 19:27:12 UTC

Verified fixed in the ER3 build.

Note You need to log in before you can comment on or make changes to this bug.