4 Replies Latest reply on Sep 16, 2016 6:33 PM by Hugo.Sendoa

    8u91 JNLPClassLoader is broken

    boecko

      Hi,

       

      we've got massive problems with the new Java Version 8u91.

       

      First problem:

      The ClassLoader tries to load libs, which are not specified in the JNLP

       

      App.jnlp

      <resources>

           <jar href="App.jar" main="true"/>

           <jar href="lib.signed/3rdpartylib.jar"/>

      </resources>

       

       

       

      java 8u77 apache.log

      "GET /app/App.jnlp HTTP/1.1" 304 189 "-" "JNLP/1.7.0 javaws/11.77.2.03 () Java/1.8.0_77"
      "GET /app/App.jar HTTP/1.1" 304 191 "-" "JNLP/1.7.0 javaws/11.77.2.03 () Java/1.8.0_77"
      "GET /app/lib.signed/3rdpartylib.jar HTTP/1.1" 304 190 "-" "JNLP/1.7.0 javaws/11.77.2.03 () Java/1.8.0_77"
      

       

       

      java 8u91 apache.log

      "GET /app/App.jnlp HTTP/1.1" 304 189 "-" "JNLP/1.7.0 javaws/11.91.2.14 () Java/1.8.0_91"
      "GET /app/App.jar HTTP/1.1" 304 191 "-" "JNLP/1.7.0 javaws/11.91.2.14 () Java/1.8.0_91"
      "GET /app/lib.signed/3rdpartylib.jar" HTTP/1.1" 304 190 "-" "JNLP/1.7.0 javaws/11.91.2.14 () Java/1.8.0_91"
      ====  now the WTF-entries ====
      "GET /app/lib.signed/lib/3rdpartylib.jar" HTTP/1.1" 404 190 "-" "JNLP/1.7.0 javaws/11.91.2.14 () Java/1.8.0_91"
      "GET /app/lib.signed/3rdpartylib_irgendwas.jar" HTTP/1.1" 404 190 "-" "JNLP/1.7.0 javaws/11.91.2.14 () Java/1.8.0_91"
      "GET /app/lib.signed/lib/3rdpartylib_irgendwas.jar" HTTP/1.1" 404 190 "-" "JNLP/1.7.0 javaws/11.91.2.14 () Java/1.8.0_91"
      ...
      

      Why? The ClassLoader reads the manifest.mf from the libs and tries to load them. Webstart isn't supposed to work like this!!

       

      Second Problem:

      After JavaWS has validated all the libs  (they all have a working comodo-RSA-Cert) our App generates a Exception

      Caused by: java.lang.SecurityException: class "org.jboss.logging.LoggerProviders"'s signer information does not match signer information of other classes in the same package

        at java.lang.ClassLoader.checkCerts(ClassLoader.java:898)

        at java.lang.ClassLoader.preDefineClass(ClassLoader.java:668)

        at java.lang.ClassLoader.defineClass(ClassLoader.java:761)

        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)

        at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)

        at java.net.URLClassLoader.access$100(URLClassLoader.java:73)

        at java.net.URLClassLoader$1.run(URLClassLoader.java:368)

        at java.net.URLClassLoader$1.run(URLClassLoader.java:362)

        at java.security.AccessController.doPrivileged(Native Method)

        at java.net.URLClassLoader.findClass(URLClassLoader.java:361)

        at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)

        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)

        at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)

        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)

        at org.jboss.logging.Logger.getLogger(Logger.java:2164)

        at org.jboss.logging.Logger.getLogger(Logger.java:2189)

        at org.jnp.interfaces.NamingContext.<clinit>(NamingContext.java:183)

      That's odd because this works with java 8u77

      javaws_8u77_defineclass.png

       

      And in java 8u91 or 8u92 the same CodeSource looses it signer info in one occasion, which leads to that error

      javaws_8u92_defineclass_w_signer.png

      javaws_8u92_defineclass_wo_signer.png

       

      What is the problem here?

       

      The only webstart related "bugfix" in 8u91 is

      https://bugs.openjdk.java.net/browse/JDK-8144963

       

      I would like to comment there, but i'm not allowed to :/

       

      greetings

       

      Andy