Timothy Ward created FELIX-5908:
-----------------------------------
Summary: NoClassDefFoundError for the CM Security Domain combiner
Key: FELIX-5908
URL: https://issues.apache.org/jira/browse/FELIX-5908
Project: Felix
Issue Type: Bug
Components: Configuration Admin
Affects Versions: configadmin-1.9.4
Reporter: Timothy Ward
This is a pretty weird bug, so I'll try to explain it.
When running with security on the Configuration Admin Updater thread applies an
Access Control Context which, amongst other things, sets up a Domain Combiner.
This Domain Combiner lazily creates a combined Protection Domain based on the
target bundle.
All of this works fine until you end up in the following situation:
# The MS/MSF being called attempts to perform a checked operation (for which
they may or may not have permission)
# The Check causes the CM Domain Combiner to be instantiated, triggering a
class load if it is the first time
# The Loading of the class can then trigger *more* security checks in some
cases, for example setting the CodeSource of the class being defined can
require a security check if there are multiple frameworks in the VM, or if the
code was installed from a custom URL handler that has a custom toExternalForm()
implementation
# This security check retrievers the CM Domain Combiner, which attempts to
load the class again
# The Java ClassLoader detects the cycle and throws a NoClassDefFoundError
I am setting up a "simple" test demonstrating this (it necessarily has several
moving parts) and a proposed patch.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
