SecurityException when using Apache Derby with Equinox Servletbridge [message #1220422]
Wed, 11 December 2013 11:28
Eclipse User
We encountered a SecurityException in the Eclipse Scout project since we updated our pretty old Equinox servletbridge to version 1.3 to be compatible with the Luna release train.
The sample web-application we deployed to Tomcat 7 has an Apache Derby fragment (with fragment-host = system.bundle) containing the official Derby libraries in version 10.9.1 [1].
A security exception is thrown when the CloseableURLClassLoader calls the method checkForSealedPackage() with the package "org.apache.derby.iapi.services.io" as a parameter.
Having a deeper look at the manifest file in the derby.jar, we found out that the "Sealed" header is set to true. However, the package "org.apache.derby.iapi.services.io" is not listed explicitly as non-sealed in the manifest file so the value of the sealed header is considered.
My understanding of the Sealed header is to guarantee that all classes in a package come from the same code source [2].
In our example the class "org/apache/derby/iapi/services/io/FormatableProperties.class" is loaded first from the derby.jar.
Because the package cannot be found at the beginning (see method defineClass in CloseableURLClassLoader) "definePackage" is called, which does not check for sealed packages.
Later the class "org/apache/derby/iapi/services/io/Formatable.class" is loaded from the same derby.jar. Since the package is known now, the method checkForSealedPackage() is called resulting in a SecurityException.
However, both classes come from the same derby.jar file so I don't understand why a SecurityException should be thrown here.
Shouldn't the checkForSealedPackage() method also consider the parameter jarFileURL in its check?
Anyway, if the check for the sealed packages is correctly implemented, are there any recommendations on how we can successfully use the derby.jar in combination with the Equinox servletbridge without having to modify the manifest file in the derby.jar?
Notes: The package org/apache/derby/iapi/services/io/ is not the only one that causes the security exception. There are some more packages that result in the same exception.
Cheers,
Ken
[1] http://git.eclipse.org/c/scout/org.eclipse.scout.rt.git/tree/org.apache.derby.jdbc_1091.fragment
[2] http://docs.oracle.com/javase/tutorial/deployment/jar/sealman.html
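
The sealing rule discussed in the post, as an added example that is not part of the original post and is not Equinox's code: a package's sealed state is resolved from the manifest (a per-package entry overrides the main `Sealed` header), and a later class is accepted only when it comes from the jar that sealed the package. The class `SealedPackageCheck`, its method names, the jar locations and the `org.example.open` package are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

public class SealedPackageCheck {
    // Package name -> jar that sealed it (null value: defined, but not sealed).
    private final Map<String, URI> sealBase = new HashMap<>();

    // A per-package "Sealed" entry overrides the main-section default.
    static boolean isSealed(String pkg, Manifest mf) {
        Attributes entry = mf.getAttributes(pkg.replace('.', '/') + "/");
        String v = entry == null ? null : entry.getValue(Attributes.Name.SEALED);
        if (v == null) v = mf.getMainAttributes().getValue(Attributes.Name.SEALED);
        return "true".equalsIgnoreCase(v);
    }

    // Called for every class defined from jarUri; throws on a sealing violation.
    void checkAndDefine(String pkg, Manifest mf, URI jarUri) {
        boolean sealed = isSealed(pkg, mf);
        if (!sealBase.containsKey(pkg)) {           // first class of this package
            sealBase.put(pkg, sealed ? jarUri : null);
        } else if (sealBase.get(pkg) != null) {     // package is already sealed
            if (!sealBase.get(pkg).equals(jarUri))
                throw new SecurityException("sealing violation: " + pkg + " is sealed by " + sealBase.get(pkg));
        } else if (sealed) {                        // unsealed classes were loaded before
            throw new SecurityException("sealing violation: " + pkg + " already loaded unsealed");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed manifest and jar locations, not taken from the real derby.jar.
        String text = "Manifest-Version: 1.0\nSealed: true\n\nName: org/example/open/\nSealed: false\n\n";
        Manifest mf = new Manifest(new ByteArrayInputStream(text.getBytes(StandardCharsets.UTF_8)));
        URI derby = URI.create("file:/constructed/lib/derby.jar");
        URI other = URI.create("file:/constructed/lib/other.jar");
        String pkg = "org.apache.derby.iapi.services.io";
        SealedPackageCheck loader = new SealedPackageCheck();
        loader.checkAndDefine(pkg, mf, derby);   // first class: defines and seals the package
        loader.checkAndDefine(pkg, mf, derby);   // second class, same jar: accepted
        System.out.println("org.example.open sealed? " + isSealed("org.example.open", mf));
        try {
            loader.checkAndDefine(pkg, mf, other);   // same package, different code source
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```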