5 Replies Latest reply on May 6, 2014 8:22 AM by Jani Rautiainen-Oracle

    getResourceAsStream in JCS 14.1

    Andrew Higginbottom-Oracle

      I have an application (war) that deployed fine in JCS 13.1 but is now throwing the following at deploy time:

       

      Caused by: java.lang.NoSuchMethodException: java.lang.Object.getResourceAsStream(java.lang.String)

          at java.lang.Class.getDeclaredMethod(Class.java:2004)

       

      Any idea why this would not work any more? I can't find anything in the documentation regarding restrictions on this method.

        • 1. Re: getResourceAsStream in JCS 14.1
          Jani Rautiainen-Oracle

          I haven't seen this. Is your code accessing the class loader or does this come from some internal processing of the JCS ?

          --

          Jani Rautiainen

          Fusion Applications Developer Relations

          https://blogs.oracle.com/fadevrel/

          • 2. Re: getResourceAsStream in JCS 14.1
            Andrew Higginbottom-Oracle

            It appears to be coming from the code in a library(Apache Velocity) used in the application I am trying to deploy. Here's some more detail from the stack trace:

             

            Caused by: java.lang.NoSuchMethodException: java.lang.Object.getResourceAsStream(java.lang.String)

              at java.lang.Class.getDeclaredMethod(Class.java:2004)

              at oracle.cloud.jcs.scanning.impl.extension.reflection.ReflectionMethodInvokeValidator$1.run(ReflectionMethodInvokeValidator.java:263)

              at oracle.cloud.jcs.scanning.impl.extension.reflection.ReflectionMethodInvokeValidator$1.run(ReflectionMethodInvokeValidator.java:259)

              at java.security.AccessController.doPrivileged(Native Method)

              at oracle.cloud.jcs.scanning.impl.extension.reflection.ReflectionMethodInvokeValidator.findMethod(ReflectionMethodInvokeValidator.java:259)

              at oracle.cloud.jcs.scanning.impl.extension.reflection.ReflectionMethodInvokeValidator.findMethod(ReflectionMethodInvokeValidator.java:282)

              at oracle.cloud.jcs.scanning.impl.extension.reflection.ReflectionMethodInvokeValidator.findMethod(ReflectionMethodInvokeValidator.java:282)

              at oracle.cloud.jcs.security.SecurityManager_PWVUR56870iberv.__findM_J6a(SecurityManager_PWVUR56870iberv.java:1209)

              at oracle.cloud.jcs.security.SecurityManager_PWVUR56870iberv.__deny_or_fwd__j5eZMTey___Z5k91JO63NVDFZ2ML4__W4d_REF_POLICY_ID_502(SecurityManager_PWVUR56870iberv.java:389)

              at org.apache.velocity.runtime.resource.loader.ResourceLoader.resourceExists(ResourceLoader.java:224)

              at org.apache.velocity.runtime.resource.ResourceManagerImpl.getLoaderForResource(ResourceManagerImpl.java:629)

              at org.apache.velocity.runtime.resource.ResourceManagerImpl.getLoaderNameForResource(ResourceManagerImpl.java:612)

              at org.apache.velocity.runtime.RuntimeInstance.getLoaderNameForResource(RuntimeInstance.java:1595)

              at org.apache.velocity.runtime.VelocimacroFactory.initVelocimacro(VelocimacroFactory.java:159)

              at org.apache.velocity.runtime.RuntimeInstance.init(RuntimeInstance.java:274)

              at org.apache.velocity.runtime.RuntimeInstance.init(RuntimeInstance.java:646)

              at org.apache.velocity.app.VelocityEngine.init(VelocityEngine.java:116)

            • 3. Re: getResourceAsStream in JCS 14.1
              Jani Rautiainen-Oracle

              Unfortunately this seems like something you would need to contact support to resolve. One thing you could try to triage is to comment out the dependency if possible to see if the application works after that ..

              --

              Jani Rautiainen

              Fusion Applications Developer Relations

              https://blogs.oracle.com/fadevrel/

              • 4. Re: getResourceAsStream in JCS 14.1
                Andrew Higginbottom-Oracle

                Thanks Jani

                 

                I have now rebuilt apache velocity from source and removed the calls to getResourceAsStream(), which has resolved the error I was seeing.

                 

                At this point I have a new occurrence of what appears to be the same error, this time in another class within a jar in the application. This class is trying to read its configuration from a properties file on the classpath and fails with the following:

                 

                2014-05-05 21:36:03 CDT: weblogic.application.ModuleException: [HTTP:101216]Servlet: "WebDeterminationsServlet" failed to preload on startup in Web application: "owd1045jcs.war".

                com.oracle.determinations.web.platform.exceptions.error.MissingResourceError: Missing file: configuration****

                  at com.oracle.determinations.web.platform.resources.DefaultResourceLoader.loadFromResourceStream(DefaultResourceLoader.java:115)

                  at com.oracle.determinations.web.platform.resources.DefaultResourceLoader.loadProperties(DefaultResourceLoader.java:21)

                  at com.oracle.determinations.web.platform.servlet.WebDeterminationsServlet.init(WebDeterminationsServlet.java:72)

                 

                Examining the bytecode for that class (I don't have the source) reveals a call to this.getClassLoader().getResourceAsStream().

                 

                Following this I made a very simple test app which calls this.getClassLoader().getResourceAsStream(). It worked fine with the class directly in WEB-INF/classes and then also with it packaged in a jar and included in WEB-INF/lib.

                 

                One thing I did notice is different is that the whitelist log for the actual WAR I am trying to deploy mentions the following:

                [INFO]    - ---------------------------- Note ----------------------------

                            The application is found to be using the following packages. These packages

                            are typically trusted third-party APIs, and so the violations are not

                            reported here.

                           

                            However, these packages are subject to run-time validation and security

                            checks when your application is running. Any API violations will be caught

                            and the error will be reported.

                           

                            If you have modified any of the sources of these classes, Oracle highly

                            recommends validating that your usages all comply with the allowed set of

                            usages specified in the Java Cloud Service documentation.

                            ---------------------------- Note ----------------------------

                           

                           

                [Whitelist-Trusted-API] ------ - -----------------------------------------

                [Whitelist-Trusted-API] S.NO   -                  Class Pattern

                [Whitelist-Trusted-API] ------ - -----------------------------------------

                [Whitelist-Trusted-API] 1      - com.oracle.determinations.**

                ...

                [Whitelist-Trusted-API] 12     - org.apache.velocity.**

                ...

                [Whitelist-Trusted-API] ------ - -----------------------------------------

                 

                Nothing like this appears in the whitelist for my test app, which has the namespace "aeh.jcs.test". Could the JCS be imposing stricter security on classes with specific namespaces in jars?

                • 5. Re: getResourceAsStream in JCS 14.1
                  Jani Rautiainen-Oracle

                  JCS did introduce stricter enforcement on 13.2, I have a similar open issue in 18705215 for "oracle.security.jps.ResourcePermission" which was available in 13.1. but restricted after 13.2. Unfortunately the only fix for my issue is for JCS to do a security review on the feature and remove the restriction if appropriate. Your case might be similar ..

                   

                  --

                  Jani Rautiainen

                  Fusion Applications Developer Relations

                  https://blogs.oracle.com/fadevrel/