CXF-8378: Backward compatible issue in 3.4.1 and 3.3.8


CXF-8378: Backward compatible issue in 3.4.1 and 3.3.8

jim ma
When upgrading CXF to 3.3.8/3.4.1, the CXF client with
CXFAuthenticator throws a NoClassDefFoundError like the following:
java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
    at org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
    at org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
    at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
    at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
    at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
    at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)

From debugging, it turns out that ReferencingAuthenticator has to load a
newly added class, ReflectionUtil, to do some security check in CXF 3.3.8
and CXF 3.4.1.
But ReferencingAuthenticator is a very special class which is loaded
with a newly created URLClassLoader
(code with "new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader())")
to avoid a classloader leakage issue (see
https://issues.apache.org/jira/browse/CXF-4529). Hence, ReflectionUtil
always fails to load and throws this exception. Fixing this issue is simple:
we only need to add doPrivileged blocks in this class without introducing
ReflectionUtil.
I already sent a PR to fix this issue:
https://github.com/apache/cxf/pull/728.

This issue looks like a backward compatibility one, and the upgrade will
make the CXF client with CXFAuthenticator fail.
Should we release the next minor soon to include this fix?

Cheers,
Jim
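
Added example (not CXF code and not part of this thread): a self-contained Java reproduction of the failure mode described in the message above, where a class defined in an empty URLClassLoader whose parent is the system class loader cannot resolve a library class that only a child loader can see. Helper, Auth and AuthFixed are hypothetical stand-ins for ReflectionUtil and for ReferencingAuthenticator before and after the fix; the "library" loader models wherever the CXF jars live, and a JDK is assumed because the stand-ins are compiled at run time.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.concurrent.Callable;
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

// Added example, not CXF code. Helper, Auth and AuthFixed are hypothetical
// stand-ins for ReflectionUtil and for ReferencingAuthenticator before and
// after the fix. Needs a JDK (it compiles the stand-ins at run time).
public class IsolatedLoaderDemo {

    // Empty URLClassLoader (no URLs) into which a single class is injected.
    static final class DefiningLoader extends URLClassLoader {
        DefiningLoader(ClassLoader parent) {
            super(new URL[0], parent);
        }

        Class<?> define(String name, byte[] bytes) {
            return defineClass(name, bytes, 0, bytes.length);
        }
    }

    static final String[][] SOURCES = {
        {"Helper", "public class Helper {"
            + " public static String check() { return \"checked\"; } }"},
        // References a library class: resolved through the defining loader.
        {"Auth", "public class Auth implements java.util.concurrent.Callable<String> {"
            + " public String call() { return Helper.check(); } }"},
        // References JDK classes only, with the privileged block inline.
        {"AuthFixed", "public class AuthFixed implements java.util.concurrent.Callable<String> {"
            + " public String call() { return java.security.AccessController.doPrivileged("
            + "(java.security.PrivilegedAction<String>) () -> \"checked\"); } }"},
    };

    // Compiles the stand-in classes into a fresh temp directory.
    static Path compile() throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) {
            throw new IllegalStateException("no system compiler: run on a JDK");
        }
        Path src = Files.createTempDirectory("demo-src");
        Path out = Files.createTempDirectory("demo-classes");
        String[] args = new String[SOURCES.length + 2];
        args[0] = "-d";
        args[1] = out.toString();
        for (int i = 0; i < SOURCES.length; i++) {
            Path file = src.resolve(SOURCES[i][0] + ".java");
            Files.write(file, SOURCES[i][1].getBytes(StandardCharsets.UTF_8));
            args[i + 2] = file.toString();
        }
        if (javac.run(null, null, null, args) != 0) {
            throw new IllegalStateException("compilation failed");
        }
        return out;
    }

    // Defines className in a new empty loader under parent and calls it.
    @SuppressWarnings("unchecked")
    static String callIsolated(Path classes, String className, ClassLoader parent)
            throws Exception {
        byte[] bytes = Files.readAllBytes(classes.resolve(className + ".class"));
        try (DefiningLoader isolated = new DefiningLoader(parent)) {
            Class<?> c = isolated.define(className, bytes);
            return ((Callable<String>) c.getDeclaredConstructor().newInstance()).call();
        } catch (NoClassDefFoundError e) {
            return "NoClassDefFoundError: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Path classes = compile();
        ClassLoader system = ClassLoader.getSystemClassLoader();
        try (URLClassLoader library =
                new URLClassLoader(new URL[] {classes.toUri().toURL()}, system)) {
            // Flat classpath: the isolated loader's parent can see Helper.
            System.out.println("flat:      " + callIsolated(classes, "Auth", library));
            // Container: Helper lives in a child loader, the parent is the
            // system loader, so resolving Helper from Auth fails.
            System.out.println("container: " + callIsolated(classes, "Auth", system));
            // JDK-only references resolve from any parent.
            System.out.println("fixed:     " + callIsolated(classes, "AuthFixed", system));
        }
    }
}
```

Only the "container" call reports the NoClassDefFoundError; the same Auth bytes work when the isolated loader's parent can see Helper, so a regression test for this needs the library classes in a loader below the system class loader.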

Re: CXF-8378: Backward compatible issue in 3.4.1 and 3.3.8

coheigea
Administrator
Hi Jim,

Do you know which CXF commit caused the regression? Do we have no tests for
CXFAuthenticator?

Colm.

On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <[hidden email]> wrote:

> When upgrade cxf to 3.3.8/3.4.1, the cxf client with
> CXFAuthenticator throws NoClassDefFoundError like following :
> java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
> at
>
> org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>
> at
>
> org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>
> at
>
> java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>
> at
>
> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>
> at
>
> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>
> at java.security.AccessController.doPrivileged(Native Method)
> at
>
> sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>
> at
>
> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>
> at
>
> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>
> at
>
> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>
> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
> at
>
> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>
> at
>
> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>
> at java.security.AccessController.doPrivileged(Native Method)
> at
>
> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>
> at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>
> at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>
> at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>
> at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>
> at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
> at
>
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>
> at
>
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>
> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>
> From debug, it turns out ReferencingAuthenticator has to load another new
> added class ReflectionUtil to do some security check in CXF 3.3.8 and CXF
> 3.4.1.
> But the ReferenceingAuthenticator is very special class which is loaded
> with a new created URLClassloader
> (code with  "new URLClassLoader(new URL[0], ClassLoader
> .getSystemClassLoader()") to avoid some
> classloader leakage issue (see
> https://issues.apache.org/jira/browse/CXF-4529). Hence, this
> ReflectionUtil
> always
> fails to load and throws this exception. Fixing this issue is simple, we
> only need to add doPrivileged blocks in this class without introducing
> ReflectionUtil.
> I already sent a PR to fix this issue :
> https://github.com/apache/cxf/pull/728.
>
> This issue looks like a backward compatible one and the upgrade will fail
> the cxf client with CXFAuthenticator.
> Should we release the next minor soon to include this fix?
>
> Cheers,
> Jim
>

Re: CXF-8378: Backward compatible issue in 3.4.1 and 3.3.8

jim ma
Hi Colm,
I think this commit [1] caused the regression. We have some tests for
CXFAuthenticator in CXF, but they are running with the single "flat"
classloader and don't throw this exception.

[1]
https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57

Cheers,
Jim

On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh <[hidden email]>
wrote:

> Hi Jim,
>
> Do you know which CXF commit caused the regression. Do we have no tests
> for CXFAuthenticator?
>
> Colm.
>
> On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <[hidden email]> wrote:
>
>> When upgrade cxf to 3.3.8/3.4.1, the cxf client with
>> CXFAuthenticator throws NoClassDefFoundError like following :
>> java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
>> at
>>
>> org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>>
>> at
>>
>> org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>>
>> at
>>
>> java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>>
>> at
>>
>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>>
>> at
>>
>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>>
>> at java.security.AccessController.doPrivileged(Native Method)
>> at
>>
>> sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>>
>> at
>>
>> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>>
>> at
>>
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>>
>> at
>>
>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>>
>> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>> at
>>
>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>>
>> at
>>
>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>>
>> at java.security.AccessController.doPrivileged(Native Method)
>> at
>>
>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>>
>> at
>>
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>>
>> at
>>
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>>
>> at
>>
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>>
>> at
>>
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>>
>> at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
>> at
>>
>> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>>
>> at
>>
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>
>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>>
>> From debug, it turns out ReferencingAuthenticator has to load another new
>> added class ReflectionUtil to do some security check in CXF 3.3.8 and CXF
>> 3.4.1.
>> But the ReferenceingAuthenticator is very special class which is loaded
>> with a new created URLClassloader
>> (code with  "new URLClassLoader(new URL[0], ClassLoader
>> .getSystemClassLoader()") to avoid some
>> classloader leakage issue (see
>> https://issues.apache.org/jira/browse/CXF-4529). Hence, this
>> ReflectionUtil
>> always
>> fails to load and throws this exception. Fixing this issue is simple, we
>> only need to add doPrivileged blocks in this class without introducing
>> ReflectionUtil.
>> I already sent a PR to fix this issue :
>> https://github.com/apache/cxf/pull/728.
>>
>> This issue looks like a backward compatible one and the upgrade will fail
>> the cxf client with CXFAuthenticator.
>> Should we release the next minor soon to include this fix?
>>
>> Cheers,
>> Jim
>>
>

Re: CXF-8378: Backward compatible issue in 3.4.1 and 3.3.8

jim ma
Hi Colm,
Just to add more: if a CXF client with CXFAuthenticator is running in
a container (Tomcat, GlassFish, WildFly or the OSGi container Karaf?), the
upgrade will stop it working. I already fixed this issue
(https://issues.apache.org/jira/browse/CXF-8378) in master and the 3.3.x
branch. Where can we add a note to let the community know about this
backward compatibility issue in 3.3.8 and 3.4.1?

Cheers,
Jim


On Mon, Nov 23, 2020 at 3:58 PM Jim Ma <[hidden email]> wrote:

> Hi Colm,
> I think this commit [1] caused the regression.   We have some tests for
> CXFAuthenticator in CXF, but they are running
> with the single "flat" classloader and don't throw this exception.
>
> [1]
> https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57
>
> Cheers,
> Jim
>
> On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh <[hidden email]>
> wrote:
>
>> Hi Jim,
>>
>> Do you know which CXF commit caused the regression. Do we have no tests
>> for CXFAuthenticator?
>>
>> Colm.
>>
>> On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <[hidden email]> wrote:
>>
>>> When upgrade cxf to 3.3.8/3.4.1, the cxf client with
>>> CXFAuthenticator throws NoClassDefFoundError like following :
>>> java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
>>> at
>>>
>>> org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>>>
>>> at
>>>
>>> org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>>>
>>> at
>>>
>>> java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>>>
>>> at
>>>
>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>>>
>>> at
>>>
>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>>>
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at
>>>
>>> sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>>>
>>> at
>>>
>>> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>>>
>>> at
>>>
>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>>>
>>> at
>>>
>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>>>
>>> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>> at
>>>
>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>>>
>>> at
>>>
>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>>>
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at
>>>
>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>>>
>>> at
>>>
>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>>>
>>> at
>>>
>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>>>
>>> at
>>>
>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>>>
>>> at
>>>
>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>>>
>>> at
>>> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>>> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
>>> at
>>>
>>> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>>>
>>> at
>>>
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>
>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>>> at
>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>>>
>>> From debug, it turns out ReferencingAuthenticator has to load another new
>>> added class ReflectionUtil to do some security check in CXF 3.3.8 and CXF
>>> 3.4.1.
>>> But the ReferenceingAuthenticator is very special class which is loaded
>>> with a new created URLClassloader
>>> (code with  "new URLClassLoader(new URL[0], ClassLoader
>>> .getSystemClassLoader()") to avoid some
>>> classloader leakage issue (see
>>> https://issues.apache.org/jira/browse/CXF-4529). Hence, this
>>> ReflectionUtil
>>> always
>>> fails to load and throws this exception. Fixing this issue is simple, we
>>> only need to add doPrivileged blocks in this class without introducing
>>> ReflectionUtil.
>>> I already sent a PR to fix this issue :
>>> https://github.com/apache/cxf/pull/728.
>>>
>>> This issue looks like a backward compatible one and the upgrade will fail
>>> the cxf client with CXFAuthenticator.
>>> Should we release the next minor soon to include this fix?
>>>
>>> Cheers,
>>> Jim
>>>
>>

Re: CXF-8378: Backward compatible issue in 3.4.1 and 3.3.8

coheigea
Administrator
Hi Jim,

My opinion is it's not necessary to add an update note for a regression
bug. Let's instead just release a new version before the end of the year
with the fix, so users can upgrade to that version instead if they are
using CXFAuthenticator.

Colm.

On Thu, Nov 26, 2020 at 1:53 AM Jim Ma <[hidden email]> wrote:

> Hi Colm,
> Just to add more things, if cxf client with CXFAuthenticator is running in
> a container(tomcat,glassfish, wildfly or osgi container karaf ?) , the
> upgrade
> will get this not working. I already fixed this issue
> https://issues.apache.org/jira/browse/CXF-8378 in master and 3.3.x
> branch. Where can we add
> some note and let the community know this backward compatible issue in
> 3.3.8 and 3.4.1 ?
>
> Cheers,
> Jim
>
>
> On Mon, Nov 23, 2020 at 3:58 PM Jim Ma <[hidden email]> wrote:
>
>> Hi Colm,
>> I think this commit [1] caused the regression.   We have some tests for
>> CXFAuthenticator in CXF, but they are running
>> with the single "flat" classloader and don't throw this exception.
>>
>> [1]
>> https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57
>>
>> Cheers,
>> Jim
>>
>> On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh <[hidden email]>
>> wrote:
>>
>>> Hi Jim,
>>>
>>> Do you know which CXF commit caused the regression. Do we have no tests
>>> for CXFAuthenticator?
>>>
>>> Colm.
>>>
>>> On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <[hidden email]> wrote:
>>>
>>>> When upgrade cxf to 3.3.8/3.4.1, the cxf client with
>>>> CXFAuthenticator throws NoClassDefFoundError like following :
>>>> java.lang.NoClassDefFoundError:
>>>> org/apache/cxf/common/util/ReflectionUtil
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>>>>
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>>>>
>>>> at
>>>>
>>>> java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>>>>
>>>> at
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>>>>
>>>> at
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>>>>
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>>>>
>>>> at
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>>>>
>>>> at
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>>>>
>>>> at
>>>>
>>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>>>>
>>>> at
>>>> java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>>>>
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>>>>
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>>>>
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>>>>
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>>>>
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>>>>
>>>> at
>>>>
>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>>>>
>>>> at
>>>> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>>>> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
>>>> at
>>>>
>>>> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>>>>
>>>> at
>>>>
>>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>
>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
>>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>>>> at
>>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>>>>
>>>> From debug, it turns out ReferencingAuthenticator has to load another
>>>> new
>>>> added class ReflectionUtil to do some security check in CXF 3.3.8 and
>>>> CXF
>>>> 3.4.1.
>>>> But the ReferenceingAuthenticator is very special class which is loaded
>>>> with a new created URLClassloader
>>>> (code with  "new URLClassLoader(new URL[0], ClassLoader
>>>> .getSystemClassLoader()") to avoid some
>>>> classloader leakage issue (see
>>>> https://issues.apache.org/jira/browse/CXF-4529). Hence, this
>>>> ReflectionUtil
>>>> always
>>>> fails to load and throws this exception. Fixing this issue is simple, we
>>>> only need to add doPrivileged blocks in this class without introducing
>>>> ReflectionUtil.
>>>> I already sent a PR to fix this issue :
>>>> https://github.com/apache/cxf/pull/728.
>>>>
>>>> This issue looks like a backward compatible one and the upgrade will
>>>> fail
>>>> the cxf client with CXFAuthenticator.
>>>> Should we release the next minor soon to include this fix?
>>>>
>>>> Cheers,
>>>> Jim
>>>>
>>>

Re: CXF-8378: Backward compatible issue in 3.4.1 and 3.3.8

jim ma
OK. Thanks, Colm. Let's release a new version with this fix.

On Fri, Nov 27, 2020 at 2:38 PM Colm O hEigeartaigh <[hidden email]>
wrote:

> Hi Jim,
>
> My opinion is it's not necessary to add an update note for a regression
> bug. Let's instead just release a new version before the end of the year
> with the fix, so users can upgrade to that version instead if they are
> using CXFAuthenticator.
>
> Colm.
>
> On Thu, Nov 26, 2020 at 1:53 AM Jim Ma <[hidden email]> wrote:
>
>> Hi Colm,
>> Just to add more things, if cxf client with CXFAuthenticator is running
>> in a container(tomcat,glassfish, wildfly or osgi container karaf ?) , the
>> upgrade
>> will get this not working. I already fixed this issue
>> https://issues.apache.org/jira/browse/CXF-8378 in master and 3.3.x
>> branch. Where can we add
>> some note and let the community know this backward compatible issue in
>> 3.3.8 and 3.4.1 ?
>>
>> Cheers,
>> Jim
>>
>>
>> On Mon, Nov 23, 2020 at 3:58 PM Jim Ma <[hidden email]> wrote:
>>
>>> Hi Colm,
>>> I think this commit [1] caused the regression.   We have some tests for
>>> CXFAuthenticator in CXF, but they are running
>>> with the single "flat" classloader and don't throw this exception.
>>>
>>> [1]
>>> https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57
>>>
>>> Cheers,
>>> Jim
>>>
>>> On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh <
>>> [hidden email]> wrote:
>>>
>>>> Hi Jim,
>>>>
>>>> Do you know which CXF commit caused the regression. Do we have no tests
>>>> for CXFAuthenticator?
>>>>
>>>> Colm.
>>>>
>>>> On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <[hidden email]> wrote:
>>>>
>>>>> When upgrade cxf to 3.3.8/3.4.1, the cxf client with
>>>>> CXFAuthenticator throws NoClassDefFoundError like following :
>>>>> java.lang.NoClassDefFoundError:
>>>>> org/apache/cxf/common/util/ReflectionUtil
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>>>>>
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>>>>>
>>>>> at
>>>>>
>>>>> java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>>>>>
>>>>> at
>>>>>
>>>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>>>>>
>>>>> at
>>>>>
>>>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>>>>>
>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>> at
>>>>>
>>>>> sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>>>>>
>>>>> at
>>>>>
>>>>> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>>>>>
>>>>> at
>>>>>
>>>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>>>>>
>>>>> at
>>>>>
>>>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>>>>>
>>>>> at
>>>>> java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>>>>>
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>>>>>
>>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>>>>>
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>>>>>
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>>>>>
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>>>>>
>>>>> at
>>>>>
>>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>>>>>
>>>>> at
>>>>> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>>>>> at
>>>>> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
>>>>> at
>>>>>
>>>>> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>>>>>
>>>>> at
>>>>>
>>>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>>>
>>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
>>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
>>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
>>>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>>>>> at
>>>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>>>>>
>>>>> From debug, it turns out ReferencingAuthenticator has to load another
>>>>> new
>>>>> added class ReflectionUtil to do some security check in CXF 3.3.8 and
>>>>> CXF
>>>>> 3.4.1.
>>>>> But the ReferenceingAuthenticator is very special class which is loaded
>>>>> with a new created URLClassloader
>>>>> (code with  "new URLClassLoader(new URL[0], ClassLoader
>>>>> .getSystemClassLoader()") to avoid some
>>>>> classloader leakage issue (see
>>>>> https://issues.apache.org/jira/browse/CXF-4529). Hence, this
>>>>> ReflectionUtil
>>>>> always
>>>>> fails to load and throws this exception. Fixing this issue is simple,
>>>>> we
>>>>> only need to add doPrivileged blocks in this class without introducing
>>>>> ReflectionUtil.
>>>>> I already sent a PR to fix this issue :
>>>>> https://github.com/apache/cxf/pull/728.
>>>>>
>>>>> This issue looks like a backward compatible one and the upgrade will
>>>>> fail
>>>>> the cxf client with CXFAuthenticator.
>>>>> Should we release the next minor soon to include this fix?
>>>>>
>>>>> Cheers,
>>>>> Jim
>>>>>
>>>>