OK. Thanks, Colm. Let's release a new version with this fix. On Fri, Nov 27, 2020 at 2:38 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:
> Hi Jim, > > My opinion is it's not necessary to add an update note for a regression > bug. Let's instead just release a new version before the end of the year > with the fix, so users can upgrade to that version instead if they are > using CXFAuthenticator. > > Colm. > > On Thu, Nov 26, 2020 at 1:53 AM Jim Ma <mail2ji...@gmail.com> wrote: > >> Hi Colm, >> Just to add more things, if cxf client with CXFAuthenticator is running >> in a container(tomcat,glassfish, wildfly or osgi container karaf ?) , the >> upgrade >> will get this not working. I already fixed this issue >> https://issues.apache.org/jira/browse/CXF-8378 in master and 3.3.x >> branch. Where can we add >> some note and let the community know this backward compatible issue in >> 3.3.8 and 3.4.1 ? >> >> Cheers, >> Jim >> >> >> On Mon, Nov 23, 2020 at 3:58 PM Jim Ma <mail2ji...@gmail.com> wrote: >> >>> Hi Colm, >>> I think this commit [1] caused the regression. We have some tests for >>> CXFAuthenticator in CXF, but they are running >>> with the single "flat" classloader and don't throw this exception. >>> >>> [1] >>> https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57 >>> >>> Cheers, >>> Jim >>> >>> On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh < >>> cohei...@apache.org> wrote: >>> >>>> Hi Jim, >>>> >>>> Do you know which CXF commit caused the regression. Do we have no tests >>>> for CXFAuthenticator? >>>> >>>> Colm. >>>> >>>> On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <mail2ji...@gmail.com> wrote: >>>> >>>>> When upgrade cxf to 3.3.8/3.4.1, the cxf client with >>>>> CXFAuthenticator throws NoClassDefFoundError like following : >>>>> java.lang.NoClassDefFoundError: >>>>> org/apache/cxf/common/util/ReflectionUtil >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125) >>>>> >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58) >>>>> >>>>> at >>>>> >>>>> java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317) >>>>> >>>>> at >>>>> >>>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453) >>>>> >>>>> at >>>>> >>>>> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448) >>>>> >>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>> at >>>>> >>>>> sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447) >>>>> >>>>> at >>>>> >>>>> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439) >>>>> >>>>> at >>>>> >>>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737) >>>>> >>>>> at >>>>> >>>>> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) >>>>> >>>>> at >>>>> java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377) >>>>> >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373) >>>>> >>>>> at java.security.AccessController.doPrivileged(Native Method) >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373) >>>>> >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597) >>>>> >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625) >>>>> >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570) >>>>> >>>>> at >>>>> >>>>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371) >>>>> >>>>> at >>>>> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) >>>>> at >>>>> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671) >>>>> at >>>>> >>>>> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63) >>>>> >>>>> at >>>>> >>>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) >>>>> >>>>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) >>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441) >>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356) >>>>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314) >>>>> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) >>>>> at >>>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) >>>>> >>>>> From debug, it turns out ReferencingAuthenticator has to load another >>>>> new >>>>> added class ReflectionUtil to do some security check in CXF 3.3.8 and >>>>> CXF >>>>> 3.4.1. >>>>> But the ReferenceingAuthenticator is very special class which is loaded >>>>> with a new created URLClassloader >>>>> (code with "new URLClassLoader(new URL[0], ClassLoader >>>>> .getSystemClassLoader()") to avoid some >>>>> classloader leakage issue (see >>>>> https://issues.apache.org/jira/browse/CXF-4529). Hence, this >>>>> ReflectionUtil >>>>> always >>>>> fails to load and throws this exception. Fixing this issue is simple, >>>>> we >>>>> only need to add doPrivileged blocks in this class without introducing >>>>> ReflectionUtil. >>>>> I already sent a PR to fix this issue : >>>>> https://github.com/apache/cxf/pull/728. >>>>> >>>>> This issue looks like a backward compatible one and the upgrade will >>>>> fail >>>>> the cxf client with CXFAuthenticator. >>>>> Should we release the next minor soon to include this fix? >>>>> >>>>> Cheers, >>>>> Jim >>>>> >>>>