When upgrade cxf to 3.3.8/3.4.1, the cxf client with
CXFAuthenticator throws NoClassDefFoundError like following :
java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
at
org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)

at
org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)

at
java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)

at
sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)

at
sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)

at java.security.AccessController.doPrivileged(Native Method)
at
sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)

at
sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)

at
sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)

at
sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)

at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)

at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)

at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)

at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)

at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)

at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)

at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)

at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)

at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)

at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)

>From debug, it turns out ReferencingAuthenticator has to load another new
added class ReflectionUtil to do some security check in CXF 3.3.8 and CXF
3.4.1.
But the ReferenceingAuthenticator is very special class which is loaded
with a new created URLClassloader
(code with  "new URLClassLoader(new URL[0], ClassLoader
.getSystemClassLoader()") to avoid some
classloader leakage issue (see
https://issues.apache.org/jira/browse/CXF-4529). Hence, this ReflectionUtil
always
fails to load and throws this exception. Fixing this issue is simple, we
only need to add doPrivileged blocks in this class without introducing
ReflectionUtil.
I already sent a PR to fix this issue :
https://github.com/apache/cxf/pull/728.

This issue looks like a backward compatible one and the upgrade will fail
the cxf client with CXFAuthenticator.
Should we release the next minor soon to include this fix?

Cheers,
Jim

Reply via email to