Hi Jim,

My opinion is it's not necessary to add an update note for a regression
bug. Let's instead just release a new version before the end of the year
with the fix, so users can upgrade to that version instead if they are
using CXFAuthenticator.

Colm.

On Thu, Nov 26, 2020 at 1:53 AM Jim Ma <mail2ji...@gmail.com> wrote:

> Hi Colm,
> Just to add more things: if a CXF client with CXFAuthenticator is running in
> a container (Tomcat, GlassFish, WildFly or OSGi container Karaf?), the
> upgrade will cause this to stop working. I already fixed this issue
> https://issues.apache.org/jira/browse/CXF-8378 in master and the 3.3.x
> branch. Where can we add a note to let the community know about this
> backward-compatibility issue in 3.3.8 and 3.4.1?
>
> Cheers,
> Jim
>
>
> On Mon, Nov 23, 2020 at 3:58 PM Jim Ma <mail2ji...@gmail.com> wrote:
>
>> Hi Colm,
>> I think this commit [1] caused the regression. We have some tests for
>> CXFAuthenticator in CXF, but they are running
>> with the single "flat" classloader and don't throw this exception.
>>
>> [1]
>> https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57
>>
>> Cheers,
>> Jim
>>
>> On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh <cohei...@apache.org>
>> wrote:
>>
>>> Hi Jim,
>>>
>>> Do you know which CXF commit caused the regression? Do we have no tests
>>> for CXFAuthenticator?
>>>
>>> Colm.
>>>
>>> On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <mail2ji...@gmail.com> wrote:
>>>
>>>> When upgrading CXF to 3.3.8/3.4.1, the CXF client with
>>>> CXFAuthenticator throws a NoClassDefFoundError like the following:
>>>> java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
>>>> at org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>>>> at org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>>>> at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>>>> at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>>>> at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>>>> at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>>>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>>>> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>>>> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>>>> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>>>> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>>>> at java.security.AccessController.doPrivileged(Native Method)
>>>> at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>>>> at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>>>> at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>>>> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
>>>> at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>>>> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
>>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>>>> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>>>>
>>>> From debugging, it turns out ReferencingAuthenticator has to load another
>>>> newly added class, ReflectionUtil, to do some security check in CXF 3.3.8
>>>> and CXF 3.4.1.
>>>> But ReferencingAuthenticator is a very special class which is loaded
>>>> with a newly created URLClassLoader
>>>> (code with "new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader())")
>>>> to avoid some classloader leakage issue (see
>>>> https://issues.apache.org/jira/browse/CXF-4529). Hence, ReflectionUtil
>>>> always fails to load and throws this exception. Fixing this issue is
>>>> simple: we only need to add doPrivileged blocks in this class without
>>>> introducing ReflectionUtil.
>>>> I already sent a PR to fix this issue:
>>>> https://github.com/apache/cxf/pull/728.
>>>>
>>>> This issue looks like a backward-compatibility one, and the upgrade will
>>>> fail the CXF client with CXFAuthenticator.
>>>> Should we release the next minor soon to include this fix?
>>>>
>>>> Cheers,
>>>> Jim
>>>>
>>>
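
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not CXF code: a class defined in a fresh loader can only resolve its dependencies through that loader's parent, so a flat classpath hides the problem while a container-style hierarchy exposes it. `Helper` stands in for ReflectionUtil and `Caller` for ReferencingAuthenticator; all names are hypothetical, and the application loader's parent is assumed here as a stand-in for a loader that cannot see container-loaded classes.

```java
import java.io.InputStream;

// Added illustration, not CXF code. Helper stands in for ReflectionUtil and
// Caller for ReferencingAuthenticator; every name here is hypothetical.
public class IsolatedLoaderDemo {
    public static class Helper {
        public static String check() { return "ok"; }
    }

    public static class Caller implements Runnable {
        // Helper is resolved lazily, through the loader that defined Caller.
        public void run() { System.out.println("  helper says " + Helper.check()); }
    }

    // Fresh loader: defines Caller itself, delegates every other lookup to its parent.
    static class Isolated extends ClassLoader {
        Isolated(ClassLoader parent) { super(parent); }
        Class<?> define(String name, byte[] b) { return defineClass(name, b, 0, b.length); }
    }

    static String runIsolated(ClassLoader parent) throws Exception {
        String name = Caller.class.getName();
        String resource = "/" + name.replace('.', '/') + ".class";
        byte[] bytes;
        try (InputStream in = IsolatedLoaderDemo.class.getResourceAsStream(resource)) {
            bytes = in.readAllBytes(); // Java 9+
        }
        Class<?> caller = new Isolated(parent).define(name, bytes);
        try {
            ((Runnable) caller.getDeclaredConstructor().newInstance()).run();
            return "loaded and ran";
        } catch (NoClassDefFoundError e) {
            return "NoClassDefFoundError: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = IsolatedLoaderDemo.class.getClassLoader();
        // Flat classpath (the unit-test situation): the parent can see Helper.
        System.out.println("flat:      " + runIsolated(app));
        // Container-like: the parent sits above the loader that holds Helper.
        System.out.println("container: " + runIsolated(app.getParent()));
    }
}
```

Compile with `javac IsolatedLoaderDemo.java` and run `java IsolatedLoaderDemo` so the class files are readable as resources. A regression test for this kind of class needs the second arrangement, where the dependency lives in a loader the isolated loader's parent cannot reach.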
