[ https://issues.apache.org/jira/browse/FELIX-5908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16581037#comment-16581037 ]
ASF GitHub Bot commented on FELIX-5908:
---------------------------------------

GitHub user timothyjward opened a pull request:

    https://github.com/apache/felix/pull/150

    Configuration Admin Security can cause a NoClassDefFoundError

    Fixes FELIX-5908

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/timothyjward/felix config-security

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/felix/pull/150.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #150

----
commit 561a99c53854c0449bd922a344f9eee513df5222
Author: Tim Ward <timothyjward@...>
Date:   2018-08-15T12:21:20Z

    FELIX-5908 - Tests to demonstrate the NoClassDefFoundError that can occur with security on

    Also includes general security tests to ensure that Config Admin runs correctly with Security on

    Signed-off-by: Tim Ward <timothyjw...@apache.org>

commit 007a88b104deb92fcd890d81bbac5a0df1ec4708
Author: Tim Ward <timothyjward@...>
Date:   2018-08-15T12:52:30Z

    FELIX-5908 Avoid a NoClassDefFoundError by eagerly instantiating the ProtectionDomain

    Signed-off-by: Tim Ward <timothyjw...@apache.org>

----

> NoClassDefFoundError for the CM Security Domain combiner
> --------------------------------------------------------
>
>                 Key: FELIX-5908
>                 URL: https://issues.apache.org/jira/browse/FELIX-5908
>             Project: Felix
>          Issue Type: Bug
>          Components: Configuration Admin
>   Affects Versions: configadmin-1.9.4
>            Reporter: Timothy Ward
>            Priority: Major
>
> This is a pretty weird bug, so I'll try to explain it.
> When running with security on the Configuration Admin Updater thread applies
> an Access Control Context which, amongst other things, sets up a Domain
> Combiner. This Domain Combiner lazily creates a combined Protection Domain
> based on the target bundle.
>
> All of this works fine until you end up in the following situation:
> # The MS/MSF being called attempts to perform a checked operation (for which
> they may or may not have permission)
> # The Check causes the CM Domain Combiner to be instantiated, triggering a
> class load if it is the first time
> # The Loading of the class can then trigger *more* security checks in some
> cases, for example setting the CodeSource of the class being defined can
> require a security check if there are multiple frameworks in the VM, or if
> the code was installed from a custom URL handler that has a custom
> toExternalForm() implementation
> # This security check retrieves the CM Domain Combiner, which attempts to
> load the class again
> # The Java ClassLoader detects the cycle and throws a NoClassDefFoundError
>
> I am setting up a "simple" test demonstrating this (it necessarily has
> several moving parts) and a proposed patch.
>

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
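
The ordering difference between a lazy and an eager combiner, as an added example that is not code from the pull request or from Felix: it records whether the combined ProtectionDomain is first built while a permission check is already running, and it does not reproduce the NoClassDefFoundError itself. All class names are hypothetical, and it assumes a JDK on which `AccessController` is still functional (Java 8 through 17).

```java
import java.security.*;
import java.util.PropertyPermission;

// Hypothetical names; a sketch of the ordering, not Felix's Configuration Admin code.
public class CombinerOrdering {
    static boolean inCheck;   // true while a permission check is running

    // Stand-in for the bundle-derived domain. The first `new` also loads this class.
    static final class BundleDomain extends ProtectionDomain {
        final boolean builtDuringCheck = inCheck;
        BundleDomain() { super(null, new Permissions()); }   // constructed: no permissions
    }

    // Lazy: the domain (and its class) is first touched inside combine(),
    // which the JDK calls in the middle of a permission check.
    static final class LazyCombiner implements DomainCombiner {
        BundleDomain domain;
        public ProtectionDomain[] combine(ProtectionDomain[] current, ProtectionDomain[] assigned) {
            if (domain == null) domain = new BundleDomain();
            return new ProtectionDomain[] { domain };
        }
    }

    // Eager: construction finishes before the combiner is attached to any context.
    static final class EagerCombiner implements DomainCombiner {
        final BundleDomain domain = new BundleDomain();
        public ProtectionDomain[] combine(ProtectionDomain[] current, ProtectionDomain[] assigned) {
            return new ProtectionDomain[] { domain };
        }
    }

    // Runs one checked operation under a context that carries the given combiner.
    static boolean check(DomainCombiner combiner) {
        AccessControlContext acc = new AccessControlContext(AccessController.getContext(), combiner);
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> {
            inCheck = true;
            try {
                AccessController.checkPermission(new PropertyPermission("user.home", "read"));
                return true;
            } catch (SecurityException denied) {
                return false;
            } finally { inCheck = false; }
        }, acc);
    }

    public static void main(String[] args) {
        LazyCombiner lazy = new LazyCombiner();
        EagerCombiner eager = new EagerCombiner();
        System.out.println("lazy:  allowed=" + check(lazy) + " builtDuringCheck="
                + (lazy.domain == null ? "combiner not invoked" : lazy.domain.builtDuringCheck));
        System.out.println("eager: allowed=" + check(eager) + " builtDuringCheck=" + eager.domain.builtDuringCheck);
    }
}
```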