JBoss Enterprise Application Platform 4 and 5
JBPAPP-2971

Applications that use Hibernate with cglib proxies fail to deploy due to java.lang.SecurityException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: EAP 5.0.0.CR5, EAP 5.0.0, EAP 5.0.1.CR1
    • Fix Version/s: EAP_EWP 5.1.0
    • Component/s: Hibernate
    • Security Level: Public (Everyone can see)
    • Labels:
      None
    • Affects:
      Release Notes
    • Workaround:
      Workaround Exists
    • Workaround Description:
      A workaround is to replace:
      jboss-eap-5.0/jboss-as/common/lib/cglib.jar
      with an "unsigned" version of cglib.jar, which can be downloaded from:
      http://repository.jboss.com/maven2-brew/cglib/cglib/2.2/cglib-2.2.jar


      Description

      Applications that use Hibernate mapped to use cglib as its byte code provider will fail to deploy due to java.lang.SecurityException.

      An example of the error message is:

      Deployment "persistence.unit:unitName=lobtest.ear/lobtest-ejb-1.0-SNAPSHOT.jar#lobtest-jpa-jndi" is in error due to the following reason(s): java.lang.SecurityException: class "com.redhat.gss.lobtest.jpa.Item$$EnhancerByCGLIB$$defd1a7f"'s signer information does not match signer information of other classes in the same package

      This happens because cglib.jar in EAP 5 is signed and the cglib-instrumented proxy uses the same signer information as cglib.jar, instead of the signer information for the application's target class.

      1. cglib-2.2-signed.tgz
        263 kB
        Christopher O'Brien
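
      The following check is an added example, not part of the original issue or of JBoss or cglib code: it inspects JAR archives for signature files to tell whether cglib.jar is signed while the application JAR is not, the condition the Description and Workaround Description above refer to. The sample archives, the signer name EXAMPLE, and the rule that a differing signing status reproduces the error are assumptions made for illustration.

```python
import io
import re
import zipfile

# A signed JAR carries META-INF/<NAME>.SF plus a signature block file
# (<NAME>.RSA, .DSA or .EC) per signer, as defined by the JAR specification.
_SIG_ENTRY = re.compile(r"^META-INF/([^/]+)\.(SF|RSA|DSA|EC)$", re.IGNORECASE)


def jar_signers(jar_bytes):
    """Return signer base names that have both a .SF and a block file."""
    parts = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = _SIG_ENTRY.match(name)
            if match:
                parts.setdefault(match.group(1).upper(), set()).add(match.group(2).upper())
    return {base for base, exts in parts.items() if "SF" in exts and exts - {"SF"}}


def proxy_signing_status(cglib_jar, app_jar):
    """Classify the pair by signing status only (names are not certificate identities)."""
    lib_signed, app_signed = bool(jar_signers(cglib_jar)), bool(jar_signers(app_jar))
    if lib_signed and app_signed:
        return "compare-certificates"  # both signed: the certificates themselves decide
    if lib_signed != app_signed:
        return "mismatch"  # assumption: differing status reproduces the deploy error
    return "consistent"


def make_jar(entry_names):
    """Build a constructed in-memory JAR containing empty entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entry_names:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed sample archives; the signer name EXAMPLE is made up.
SIGNED_CGLIB = make_jar(["META-INF/MANIFEST.MF", "META-INF/EXAMPLE.SF",
                         "META-INF/EXAMPLE.RSA", "net/sf/cglib/proxy/Enhancer.class"])
UNSIGNED_CGLIB = make_jar(["META-INF/MANIFEST.MF", "net/sf/cglib/proxy/Enhancer.class"])
UNSIGNED_APP = make_jar(["META-INF/MANIFEST.MF", "com/redhat/gss/lobtest/jpa/Item.class"])

if __name__ == "__main__":
    print("shipped cglib.jar :", proxy_signing_status(SIGNED_CGLIB, UNSIGNED_APP))
    print("after workaround  :", proxy_signing_status(UNSIGNED_CGLIB, UNSIGNED_APP))
```

      To run it against real files, pass the bytes of the deployed cglib.jar and of the application archive to `proxy_signing_status`; a "compare-certificates" result means the signer certificates themselves still have to be compared.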

          Activity

          Laura Bailey
          added a comment -

          Documented as a known issue in the EAP 5.0.1 release notes. If this patch is no longer an appropriate fix, please detail otherwise.

          Applications that map Hibernate to use cglib as a byte provider fail to deploy because of a java.lang.SecurityException. An error message similar to the following is displayed:

          Deployment "persistence.unit:unitName=lobtest.ear/
          lobtest-ejb-1.0-SNAPSHOT.jar#lobtest-jpa-jndi" is in error due to the following reason(s):
          java.lang.SecurityException: class
          "com.redhat.gss.lobtest.jpa.Item$$EnhancerByCGLIB$$defd1a7f"'s signer information does not
          match signer information of other classes in the same package

          This occurs because the cglib.jar in JBoss Enterprise Application Platform is signed, and the cglib-instrumented proxy uses the cglib.jar signer information instead of the signer information of the application target class.

          The patch for this issue has been released alongside JBoss Enterprise Application Platform 5.0 and can be downloaded from <ulink url="https://support.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=1012">Red Hat Support</ulink>.

          Steve Ebersole
          added a comment -

          I have asked Chris (one of the principal CGLIB developers) about this issue as well as activity on CGLIB in general. Let's wait to see what he says.

          Yes, my preference is to fix this in CGLIB (either Chris fixing it or us fixing it and giving him a patch for upstream). But if he does not respond or is not willing to fix this or accept a patch for whatever reason, then my next preference is to actually just drop support for CGLIB from products.

          Strong Liu
          added a comment -

          Thanks Steve, very glad to hear this
          would you ask a fix of JBPAPP-3284 too?

          Strong Liu
          added a comment -

          It is just becoming near impossible to get cglib team to respond to issues. We even recently sent them 2 patches of major issues and still cannot get them to apply the changes upstream and cut releases.

          Strong Liu
          added a comment -

          cglib now has been deprecated, see JBPAPP-4330


            People

            • Assignee:
              Strong Liu
              Reporter:
              Gail Badner