JBoss Enterprise Application Platform 4 and 5 / JBPAPP-2971

Applications that use Hibernate with cglib proxies fail to deploy due to java.lang.SecurityException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: EAP 5.0.0.CR5, EAP 5.0.0, EAP 5.0.1.CR1
    • Fix Version/s: EAP_EWP 5.1.0
    • Component/s: Hibernate
    • Labels:
      None
    • Affects:
      Release Notes
    • Workaround:
      Workaround Exists
    • Workaround Description:
      A workaround is to replace:
      jboss-eap-5.0/jboss-as/common/lib/cglib.jar
      with an "unsigned" version of cglib.jar, which can be downloaded from:
      http://repository.jboss.com/maven2-brew/cglib/cglib/2.2/cglib-2.2.jar


      Description

      Applications that use Hibernate mapped to use cglib as its byte code provider will fail to deploy due to java.lang.SecurityException.

      An example of the error message is:

      Deployment "persistence.unit:unitName=lobtest.ear/lobtest-ejb-1.0-SNAPSHOT.jar#lobtest-jpa-jndi" is in error due to the following reason(s): java.lang.SecurityException: class "com.redhat.gss.lobtest.jpa.Item$$EnhancerByCGLIB$$defd1a7f"'s signer information does not match signer information of other classes in the same package

      This happens because cglib.jar in EAP 5 is signed and the cglib-instrumented proxy uses the same signer information as cglib.jar, instead of the signer information for the application's target class.
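
The class-loader check behind this exception, as an added example that is not part of the original report and is not JBoss, Hibernate or cglib code. `Item`, `ItemProxy`, `FakeCert` and `Loader` are hypothetical stand-ins (application class, generated proxy, the cglib.jar signer, the deployment class loader); it assumes JDK 9 or later and compilation with `javac` into the default package.

```java
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.PublicKey;
import java.security.cert.Certificate;

// Hypothetical stand-ins: Item is the application's entity class, ItemProxy plays
// the generated subclass (Item$$EnhancerByCGLIB$$... in the report).
class Item {}
class ItemProxy extends Item {}

public class SignerMismatchDemo {
    // Constructed certificate object; it only represents "the signer of cglib.jar".
    static final class FakeCert extends Certificate {
        FakeCert() { super("X.509"); }
        @Override public byte[] getEncoded() { return new byte[] {1}; }
        @Override public void verify(PublicKey key) {}
        @Override public void verify(PublicKey key, String provider) {}
        @Override public PublicKey getPublicKey() { return null; }
        @Override public String toString() { return "constructed signer"; }
    }

    // Defines a class with an explicit signer set, as a proxy generator does when it
    // passes a ProtectionDomain to defineClass.
    static final class Loader extends ClassLoader {
        Loader() { super(null); }
        Class<?> define(String name, Certificate[] signers) throws Exception {
            try (InputStream in = SignerMismatchDemo.class.getResourceAsStream("/" + name + ".class")) {
                byte[] b = in.readAllBytes();
                CodeSource cs = new CodeSource(null, signers);
                return defineClass(name, b, 0, b.length, new ProtectionDomain(cs, null));
            }
        }
    }

    // Loads the unsigned application class first, then the proxy in the same package.
    static String defineProxy(Certificate[] proxySigners) throws Exception {
        Loader loader = new Loader();
        loader.define("Item", null);                  // application jar: no signers
        try {
            loader.define("ItemProxy", proxySigners); // proxy: signers of the generator's jar
            return "defined";
        } catch (SecurityException e) {
            return e.getMessage();                    // the per-package signer check failed
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("proxy carries cglib.jar signer: " + defineProxy(new Certificate[] {new FakeCert()}));
        System.out.println("proxy carries no signer:        " + defineProxy(null));
    }
}
```

The first class defined in a package fixes that package's signer set for the loader, so the proxy only loads when its signer set matches the application class's, which is the situation the unsigned cglib.jar workaround creates.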

        1. cglib-2.2-signed.tgz
          263 kB
          Christopher O'Brien

            Activity

            laubai Laura Bailey added a comment -

            Documented as a known issue in the EAP 5.0.1 release notes. If this patch is no longer an appropriate fix, please detail otherwise.

            Applications that map Hibernate to use cglib as a byte provider fail to deploy because of a java.lang.SecurityException. An error message similar to the following is displayed:

            Deployment "persistence.unit:unitName=lobtest.ear/
            lobtest-ejb-1.0-SNAPSHOT.jar#lobtest-jpa-jndi" is in error due to the following reason(s):
            java.lang.SecurityException: class
            "com.redhat.gss.lobtest.jpa.Item$$EnhancerByCGLIB$$defd1a7f"'s signer information does not
            match signer information of other classes in the same package

            This occurs because the cglib.jar in JBoss Enterprise Application Platform is signed, and the cglib-instrumented proxy uses the cglib.jar signer information instead of the signer information of the application target class.

            The patch for this issue has been released alongside JBoss Enterprise Application Platform 5.0 and can be downloaded from <ulink url="https://support.redhat.com/jbossnetwork/restricted/softwareDetail.html?softwareId=1012">Red Hat Support</ulink>.

            sebersole Steve Ebersole added a comment -

            I have asked Chris (one of the principal CGLIB developers) about this issue as well as activity on CGLIB in general. Let's wait to see what he says.

            Yes, my preference is to fix this in CGLIB (either Chris fixing it or us fixing it and giving him a patch for upstream). But if he does not respond or is not willing to fix this or accept a patch for whatever reason, then my next preference is to actually just drop support for CGLIB from products.

            stliu Strong Liu added a comment -

            Thanks Steve, very glad to hear this
            would you ask a fix of JBPAPP-3284 too?

            stliu Strong Liu added a comment -

            It is just becoming
            near impossible to get cglib team to respond to issues. We even recently sent
            them 2 patches of major issues and still cannot get them to apply the
            changes upstream and cut releases.

            stliu Strong Liu added a comment -

            cglib now has been deprecated, see JBPAPP-4330


              People

              • Assignee:
                stliu Strong Liu
                Reporter:
                gbadner Gail Badner
              • Votes:
                0
                Watchers:
                3