-
Bug
-
Resolution: Duplicate
-
P3
-
8u91, 9
FULL PRODUCT VERSION :
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
If a JNLP application uses a signed jar that contains a MANIFEST.MF with the property "Import-Package", which refers to other packages outside of this jar and the JNLP class loader loads a class from this jar, then a SecurityException occurs.
This is the exception that occurs if you load a class from the log4j-1.2.7.jar that contains the property "Import-Package" in its MANIFEST.MF.
REGRESSION. Last worked in version 8u77
ADDITIONAL REGRESSION INFORMATION:
java version "1.8.0_77"
Java(TM) SE Runtime Environment (build 1.8.0_77-b03)
Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- Download log4j-1.2.17.jar from http://mvnrepository.com/artifact/log4j/log4j/1.2.17
- sign the log4j-1.2.17.jar
- create a main class that calls the log4j logger
- build a signed jnlp application that contains the class in a jar and the log4j jar
- start the jnlp file via webstart
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
java.lang.ExceptionInInitializerError
at java.util.prefs.WindowsPreferencesFactory.userRoot(Unknown Source)
at java.util.prefs.Preferences.userRoot(Unknown Source)
at com.jgoodies.uif.application.ApplicationContext.getUserPreferences(ApplicationContext.java:412)
at com.asap.dragon.client.LocalPreferences.getPrefs(LocalPreferences.java:235)
at com.asap.dragon.client.LocalPreferences.getLanguage(LocalPreferences.java:120)
at com.asap.dragon.client.LocalPreferences.getCurrentLanguage(LocalPreferences.java:263)
at com.asap.dragon.client.LocalPreferences.createLocale(LocalPreferences.java:252)
at com.asap.dragon.client.LocalPreferences.getLocale(LocalPreferences.java:245)
at com.asap.dragon.client.ui.AbstractDragonApplication.startup(AbstractDragonApplication.java:186)
at com.jgoodies.uif.application.Application$1.run(Application.java:180)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$500(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.SecurityException: class "org.apache.log4j.spi.RootLogger"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.preDefineClass(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$100(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.slf4j.impl.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:66)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:277)
at org.slf4j.bridge.SLF4JBridgeHandler.getSLF4JLogger(SLF4JBridgeHandler.java:204)
at org.slf4j.bridge.SLF4JBridgeHandler.publish(SLF4JBridgeHandler.java:291)
at java.util.logging.Logger.log(Unknown Source)
at java.util.logging.Logger.doLog(Unknown Source)
at java.util.logging.Logger.log(Unknown Source)
at java.util.logging.LoggingProxyImpl.log(Unknown Source)
at sun.util.logging.LoggingSupport.log(Unknown Source)
at sun.util.logging.PlatformLogger$JavaLoggerProxy.doLog(Unknown Source)
at sun.util.logging.PlatformLogger.warning(Unknown Source)
at java.util.prefs.WindowsPreferences.<init>(Unknown Source)
at java.util.prefs.WindowsPreferences.<clinit>(Unknown Source)
... 24 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Remove the property "Import-Package" from the MANIFEST.MF of the jar file before signing.
java version "1.8.0_91"
Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.91-b14, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
If a JNLP application uses a signed jar that contains a MANIFEST.MF with the property "Import-Package", which refers to other packages outside of this jar and the JNLP class loader loads a class from this jar, then a SecurityException occurs.
This is the exception that occurs if you load a class from the log4j-1.2.7.jar that contains the property "Import-Package" in its MANIFEST.MF.
REGRESSION. Last worked in version 8u77
ADDITIONAL REGRESSION INFORMATION:
java version "1.8.0_77"
Java(TM) SE Runtime Environment (build 1.8.0_77-b03)
Java HotSpot(TM) 64-Bit Server VM (build 25.77-b03, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
- Download log4j-1.2.17.jar from http://mvnrepository.com/artifact/log4j/log4j/1.2.17
- sign the log4j-1.2.17.jar
- create a main class that calls the log4j logger
- build a signed jnlp application that contains the class in a jar and the log4j jar
- start the jnlp file via webstart
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
java.lang.ExceptionInInitializerError
at java.util.prefs.WindowsPreferencesFactory.userRoot(Unknown Source)
at java.util.prefs.Preferences.userRoot(Unknown Source)
at com.jgoodies.uif.application.ApplicationContext.getUserPreferences(ApplicationContext.java:412)
at com.asap.dragon.client.LocalPreferences.getPrefs(LocalPreferences.java:235)
at com.asap.dragon.client.LocalPreferences.getLanguage(LocalPreferences.java:120)
at com.asap.dragon.client.LocalPreferences.getCurrentLanguage(LocalPreferences.java:263)
at com.asap.dragon.client.LocalPreferences.createLocale(LocalPreferences.java:252)
at com.asap.dragon.client.LocalPreferences.getLocale(LocalPreferences.java:245)
at com.asap.dragon.client.ui.AbstractDragonApplication.startup(AbstractDragonApplication.java:186)
at com.jgoodies.uif.application.Application$1.run(Application.java:180)
at java.awt.event.InvocationEvent.dispatch(Unknown Source)
at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
at java.awt.EventQueue.access$500(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.awt.EventQueue$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(Unknown Source)
at java.awt.EventQueue.dispatchEvent(Unknown Source)
at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
at java.awt.EventDispatchThread.run(Unknown Source)
Caused by: java.lang.SecurityException: class "org.apache.log4j.spi.RootLogger"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.preDefineClass(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$100(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at org.slf4j.impl.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:66)
at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:277)
at org.slf4j.bridge.SLF4JBridgeHandler.getSLF4JLogger(SLF4JBridgeHandler.java:204)
at org.slf4j.bridge.SLF4JBridgeHandler.publish(SLF4JBridgeHandler.java:291)
at java.util.logging.Logger.log(Unknown Source)
at java.util.logging.Logger.doLog(Unknown Source)
at java.util.logging.Logger.log(Unknown Source)
at java.util.logging.LoggingProxyImpl.log(Unknown Source)
at sun.util.logging.LoggingSupport.log(Unknown Source)
at sun.util.logging.PlatformLogger$JavaLoggerProxy.doLog(Unknown Source)
at sun.util.logging.PlatformLogger.warning(Unknown Source)
at java.util.prefs.WindowsPreferences.<init>(Unknown Source)
at java.util.prefs.WindowsPreferences.<clinit>(Unknown Source)
... 24 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Remove the property "Import-Package" from the MANIFEST.MF of the jar file before signing.