Re: Gbean within a signed jar
On Feb 20, 2007, at 11:08 AM, Spotts, Joel ((ISS Atlanta)) wrote: I am working on an example to highlight the issue, and will create a JIRA issue. I am having trouble figuring out how to attach a file to a JIRA issue. Where should I be looking? Sounds great. Thanks Yoel. For an existing Jira, there's an "Attach file to this issue" operation (in left hand column). So, you'll need to create the issue first, then attach... --kevan
RE: Gbean within a signed jar
I am working on an example to highlight the issue, and will create a JIRA issue. I am having trouble figuring out how to attach a file to a JIRA issue. Where should I be looking? Thanks, Yoel -Original Message- From: [EMAIL PROTECTED] on behalf of Aaron Mulder Sent: Fri 2/16/2007 2:24 PM To: user@geronimo.apache.org Cc: Subject: Re: Gbean within a signed jar Can you create a Jira issue to investigate that approach? I'm not sure whether it would work but it sounds like it's worth following up on. If you can attach a small example that demonstrates the problem, that would be great too. (If nothing else, maybe we could just try the repackaging approach if we notice that the original JAR was signed.) Thanks, Aaron On 2/16/07, Spotts, Joel (ISS Atlanta) <[EMAIL PROTECTED]> wrote: > Is it possible the geronimo code creates the proxy in the same package as the target class? If the proxy was created in a different package (like proxy.), IIRC, no SecurityException would be thrown. > > Thanks, > > Yoel > > -Original Message- > From: Dain Sundstrom [mailto:[EMAIL PROTECTED] > Sent: Mon 2/12/2007 10:23 PM > To: user@geronimo.apache.org > Cc: > Subject: Re: Gbean within a signed jar > > > > Alternatively, just change the code that complains about the > signature. We could add a flag to the Geronimo class loader to hide > all signing data. > > -dain > > > > > <>
Re: Gbean within a signed jar
Can you create a Jira issue to investigate that approach? I'm not sure whether it would work but it sounds like it's worth following up on. If you can attach a small example that demonstrates the problem, that would be great too. (If nothing else, maybe we could just try the repackaging approach if we notice that the original JAR was signed.) Thanks, Aaron On 2/16/07, Spotts, Joel (ISS Atlanta) <[EMAIL PROTECTED]> wrote: Is it possible the geronimo code creates the proxy in the same package as the target class? If the proxy was created in a different package (like proxy.), IIRC, no SecurityException would be thrown. Thanks, Yoel -Original Message- From: Dain Sundstrom [mailto:[EMAIL PROTECTED] Sent: Mon 2/12/2007 10:23 PM To: user@geronimo.apache.org Cc: Subject: Re: Gbean within a signed jar Alternatively, just change the code that complains about the signature. We could add a flag to the Geronimo class loader to hide all signing data. -dain
RE: Gbean within a signed jar
Is it possible the geronimo code creates the proxy in the same package as the target class? If the proxy was created in a different package (like proxy.), IIRC, no SecurityException would be thrown. Thanks, Yoel -Original Message- From: Dain Sundstrom [mailto:[EMAIL PROTECTED] Sent: Mon 2/12/2007 10:23 PM To: user@geronimo.apache.org Cc: Subject: Re: Gbean within a signed jar Alternatively, just change the code that complains about the signature. We could add a flag to the Geronimo class loader to hide all signing data. -dain <>
RE: Gbean within a signed jar
Thanks Kevan. Does anyone else have any more info as to what the drawbacks are with disabling proxy classes? What features in the console are affected? It seems that turning off proxying does solve runtime issues, but I am having another issue related to these proxy classes. We have an EAR with some EJBs. The actual EJB classes are contained within a signed jar. When I try and deploy and EAR offline, I get the same SecurityException. Passing that system property does not seem to have any impact. It seems that proxy classes are also created in that instance. Any idea how to address this issue? Thanks, Yoel -Original Message- From: Kevan Miller [mailto:[EMAIL PROTECTED] Sent: Mon 2/12/2007 2:44 PM To: user@geronimo.apache.org Cc: Subject: Re: Gbean within a signed jar On Feb 12, 2007, at 11:27 AM, Spotts, Joel ((ISS Atlanta)) wrote: Kevan, How do I turn off proxy generation? What do you mean by breaking admin console? I wont be able to control that app from the admin console? Are there other side effects? Hi Yoel, Disable proxy generation like this: export JAVA_OPTS=-DXorg.apache.geronimo.gbean.NoProxy=true ./geronimo.sh run Server startup will be a few seconds faster. You should see a log entry like this: 14:28:05,885 WARN [AbstractGBeanReference] GBean reference proxies has been disabled: This is an experimental and untested operating mode Starting Geronimo Application Server v1.1.1 It's my understanding that there are some admin console functions that won't work, with NoProxy. I must confess that I don't know what specific features they are... Generated GBean proxies give the admin console a common management GBean interface to work with. Without proxies some GBean inspection/management functions won't work. I ran a quick test with NoProxy -- starting stopping web apps, etc -- and didn't run into any errors. Perhaps someone better versed in our console implementation can explain what exactly won't work... --kevan <>
Re: Gbean within a signed jar
Alternatively, just change the code that complains about the signature. We could add a flag to the Geronimo class loader to hide all signing data. -dain On Feb 6, 2007, at 11:54 AM, Spotts, Joel (ISS Atlanta) wrote: I have a gbean packaged within a signed jar that is placed in my EAR. Trouble is it seems that geronimo uses proxy classes on the gbean class files, which results in the dreaded: java.lang.SecurityException: class "..."'s signer information does not match signer information of other classes in the same package when geronimo attempts to start the gbean. Anyone have a solution to this problem other than not signing the jar? Thanks, Yoel Spotts
Re: Gbean within a signed jar
On Feb 12, 2007, at 11:27 AM, Spotts, Joel ((ISS Atlanta)) wrote: Kevan, How do I turn off proxy generation? What do you mean by breaking admin console? I wont be able to control that app from the admin console? Are there other side effects? Hi Yoel, Disable proxy generation like this: export JAVA_OPTS=-DXorg.apache.geronimo.gbean.NoProxy=true ./geronimo.sh run Server startup will be a few seconds faster. You should see a log entry like this: 14:28:05,885 WARN [AbstractGBeanReference] GBean reference proxies has been disabled: This is an experimental and untested operating mode Starting Geronimo Application Server v1.1.1 It's my understanding that there are some admin console functions that won't work, with NoProxy. I must confess that I don't know what specific features they are... Generated GBean proxies give the admin console a common management GBean interface to work with. Without proxies some GBean inspection/ management functions won't work. I ran a quick test with NoProxy -- starting stopping web apps, etc -- and didn't run into any errors. Perhaps someone better versed in our console implementation can explain what exactly won't work... --kevan Thanks, Yoel From: Kevan Miller [mailto:[EMAIL PROTECTED] Sent: Saturday, February 10, 2007 12:56 PM To: user@geronimo.apache.org Subject: Re: Gbean within a signed jar On Feb 6, 2007, at 2:54 PM, Spotts, Joel ((ISS Atlanta)) wrote: I have a gbean packaged within a signed jar that is placed in my EAR. Trouble is it seems that geronimo uses proxy classes on the gbean class files, which results in the dreaded: java.lang.SecurityException: class "..."'s signer information does not match signer information of other classes in the same package when geronimo attempts to start the gbean. Anyone have a solution to this problem other than not signing the jar? Hi Yoel, Interesting. First I've heard of this problem, but it makes sense. I don't really have a "solution" for you. 1) As you suggest, don't sign your jar... :-P 2) Turn off proxy generation in the server. This, however, has the unfortunate side-effect of breaking the admin console. So, this really isn't much of an option. Perhaps somebody else can chime in... --kevan
RE: Gbean within a signed jar
Kevan, How do I turn off proxy generation? What do you mean by breaking admin console? I wont be able to control that app from the admin console? Are there other side effects? Thanks, Yoel _ From: Kevan Miller [mailto:[EMAIL PROTECTED] Sent: Saturday, February 10, 2007 12:56 PM To: user@geronimo.apache.org Subject: Re: Gbean within a signed jar On Feb 6, 2007, at 2:54 PM, Spotts, Joel ((ISS Atlanta)) wrote: I have a gbean packaged within a signed jar that is placed in my EAR. Trouble is it seems that geronimo uses proxy classes on the gbean class files, which results in the dreaded: java.lang.SecurityException: class "..."'s signer information does not match signer information of other classes in the same package when geronimo attempts to start the gbean. Anyone have a solution to this problem other than not signing the jar? Hi Yoel, Interesting. First I've heard of this problem, but it makes sense. I don't really have a "solution" for you. 1) As you suggest, don't sign your jar... :-P 2) Turn off proxy generation in the server. This, however, has the unfortunate side-effect of breaking the admin console. So, this really isn't much of an option. Perhaps somebody else can chime in... --kevan
Re: Gbean within a signed jar
On Feb 6, 2007, at 2:54 PM, Spotts, Joel ((ISS Atlanta)) wrote: I have a gbean packaged within a signed jar that is placed in my EAR. Trouble is it seems that geronimo uses proxy classes on the gbean class files, which results in the dreaded: java.lang.SecurityException: class "..."'s signer information does not match signer information of other classes in the same package when geronimo attempts to start the gbean. Anyone have a solution to this problem other than not signing the jar? Hi Yoel, Interesting. First I've heard of this problem, but it makes sense. I don't really have a "solution" for you. 1) As you suggest, don't sign your jar... :-P 2) Turn off proxy generation in the server. This, however, has the unfortunate side-effect of breaking the admin console. So, this really isn't much of an option. Perhaps somebody else can chime in... --kevan