When upgrade cxf to 3.3.8/3.4.1, the cxf client with CXFAuthenticator throws NoClassDefFoundError like following : java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil at org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
at org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58) at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317) at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453) at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448) at java.security.AccessController.doPrivileged(Native Method) at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447) at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377) at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373) at java.security.AccessController.doPrivileged(Native Method) at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570) at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371) at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671) at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356) at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314) at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) >From debug, it turns out ReferencingAuthenticator has to load another new added class ReflectionUtil to do some security check in CXF 3.3.8 and CXF 3.4.1. But the ReferenceingAuthenticator is very special class which is loaded with a new created URLClassloader (code with "new URLClassLoader(new URL[0], ClassLoader .getSystemClassLoader()") to avoid some classloader leakage issue (see https://issues.apache.org/jira/browse/CXF-4529). Hence, this ReflectionUtil always fails to load and throws this exception. Fixing this issue is simple, we only need to add doPrivileged blocks in this class without introducing ReflectionUtil. I already sent a PR to fix this issue : https://github.com/apache/cxf/pull/728. This issue looks like a backward compatible one and the upgrade will fail the cxf client with CXFAuthenticator. Should we release the next minor soon to include this fix? Cheers, Jim