Hi Colm,
Just to add more things, if cxf client with CXFAuthenticator is running in
a container (tomcat, glassfish, wildfly or osgi container karaf?), the upgrade
will get this not working. I already fixed this issue
https://issues.apache.org/jira/browse/CXF-8378 in master and 3.3.x branch.
Where can we add some note and let the community know this backward compatible
issue in 3.3.8 and 3.4.1?

Cheers,
Jim


On Mon, Nov 23, 2020 at 3:58 PM Jim Ma <mail2ji...@gmail.com> wrote:

> Hi Colm,
> I think this commit [1] caused the regression. We have some tests for
> CXFAuthenticator in CXF, but they are running
> with the single "flat" classloader and don't throw this exception.
>
> [1]
> https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57
>
> Cheers,
> Jim
>
> On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh <cohei...@apache.org>
> wrote:
>
>> Hi Jim,
>>
>> Do you know which CXF commit caused the regression? Do we have no tests
>> for CXFAuthenticator?
>>
>> Colm.
>>
>> On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <mail2ji...@gmail.com> wrote:
>>
>>> When upgrading cxf to 3.3.8/3.4.1, the cxf client with
>>> CXFAuthenticator throws NoClassDefFoundError like the following:
>>> java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
>>> at org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>>> at org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>>> at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>>> at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>>> at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>>> at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>>> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>>> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>>> at java.security.AccessController.doPrivileged(Native Method)
>>> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>>> at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>>> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
>>> at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>>> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>>>
>>> From debugging, it turns out ReferencingAuthenticator has to load another newly
>>> added class, ReflectionUtil, to do some security checks in CXF 3.3.8 and CXF
>>> 3.4.1.
>>> But the ReferencingAuthenticator is a very special class which is loaded
>>> with a newly created URLClassLoader
>>> (code with "new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader())")
>>> to avoid some classloader leakage issue (see
>>> https://issues.apache.org/jira/browse/CXF-4529). Hence, this ReflectionUtil
>>> always fails to load and throws this exception. Fixing this issue is simple: we
>>> only need to add doPrivileged blocks in this class without introducing
>>> ReflectionUtil.
>>> I already sent a PR to fix this issue:
>>> https://github.com/apache/cxf/pull/728.
>>>
>>> This issue looks like a backward compatible one and the upgrade will fail
>>> the cxf client with CXFAuthenticator.
>>> Should we release the next minor soon to include this fix?
>>>
>>> Cheers,
>>> Jim
>>>
>>
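
The failure mode described in the quoted report, as an added Java example that is not CXF code and not from the thread: a class defined by a loader whose parent cannot see application classes fails with NoClassDefFoundError once it touches an application helper, while a variant that uses only JDK types (doPrivileged included) keeps working. All class names are hypothetical stand-ins, and the bootstrap parent is an assumption that models the system class loader as seen from inside a container; on a flat classpath the system loader would see the helper and hide the problem.

```java
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Callable;

public class IsolatedLoaderDemo {
    // Hypothetical stand-in for ReflectionUtil: visible only to the application loader.
    public static class Helper {
        public static String check() { return "checked"; }
    }
    // Stand-in for the regressed class: its call path references Helper.
    public static class UsesHelper implements Callable<String> {
        public String call() { return Helper.check(); }
    }
    // Stand-in for the fix: JDK types only, with doPrivileged used directly.
    public static class JdkOnly implements Callable<String>, PrivilegedAction<String> {
        public String run() { return "checked"; }
        public String call() { return AccessController.doPrivileged(this); }
    }
    // Defines exactly one class itself; everything else is delegated to the parent.
    // Assumption: a bootstrap parent models a container's system loader, which
    // cannot see classes shipped inside the deployed application.
    static class Isolated extends ClassLoader {
        Isolated() { super(null); }
        Class<?> define(Class<?> c) throws Exception {
            String res = c.getName().replace('.', '/') + ".class";
            try (InputStream in = c.getClassLoader().getResourceAsStream(res);
                 ByteArrayOutputStream out = new ByteArrayOutputStream()) {
                byte[] buf = new byte[4096];
                for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
                return defineClass(c.getName(), out.toByteArray(), 0, out.size());
            }
        }
    }
    // Re-defines the given class in a fresh isolated loader and invokes it.
    static String run(Class<?> c) throws Exception {
        try {
            Object o = new Isolated().define(c).getDeclaredConstructor().newInstance();
            return String.valueOf(((Callable<?>) o).call());
        } catch (NoClassDefFoundError e) {
            return "NoClassDefFoundError: " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("UsesHelper -> " + run(UsesHelper.class));
        System.out.println("JdkOnly    -> " + run(JdkOnly.class));
    }
}
```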
