[ https://issues.apache.org/jira/browse/FELIX-5908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16582337#comment-16582337 ]
Karl Pauls commented on FELIX-5908: ----------------------------------- vote is on its way :-) > NoClassDefFoundError for the CM Security Domain combiner > -------------------------------------------------------- > > Key: FELIX-5908 > URL: https://issues.apache.org/jira/browse/FELIX-5908 > Project: Felix > Issue Type: Bug > Components: Configuration Admin > Affects Versions: configadmin-1.9.4 > Reporter: Timothy Ward > Assignee: Carsten Ziegeler > Priority: Major > Fix For: configadmin-1.9.6 > > > This is a pretty weird bug, so I'll try to explain it. > When running with security on the Configuration Admin Updater thread applies > an Access Control Context which, amongst other things, sets up a Domain > Combiner. This Domain Combiner lazily creates a combined Protection Domain > based on the target bundle. > > All of this works fine until you end up in the following situation: > # The MS/MSF being called attempts to perform a checked operation (for which > they may or may not have permission) > # The Check causes the CM Domain Combiner to be instantiated, triggering a > class load if it is the first time > # The Loading of the class can then trigger *more* security checks in some > cases, for example setting the CodeSource of the class being defined can > require a security check if there are multiple frameworks in the VM, or if > the code was installed from a custom URL handler that has a custom > toExternalForm() implementation > # This security check retrievers the CM Domain Combiner, which attempts to > load the class again > # The Java ClassLoader detects the cycle and throws a NoClassDefFoundError > > I am setting up a "simple" test demonstrating this (it necessarily has > several moving parts) and a proposed patch. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)