4 Replies Latest reply on Sep 16, 2016 6:33 PM by Hugo.Sendoa

    8u91 JNLPClassLoader is broken




      we've got massive problems with the new Java Version 8u91.


      First problem:

      The ClassLoader tries to load libs, which are not specified in the JNLP




           <jar href="App.jar" main="true"/>

           <jar href="lib.signed/3rdpartylib.jar"/>





      java 8u77 apache.log

      "GET /app/App.jnlp HTTP/1.1" 304 189 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_77"
      "GET /app/App.jar HTTP/1.1" 304 191 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_77"
      "GET /app/lib.signed/3rdpartylib.jar HTTP/1.1" 304 190 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_77"



      java 8u91 apache.log

      "GET /app/App.jnlp HTTP/1.1" 304 189 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_91"
      "GET /app/App.jar HTTP/1.1" 304 191 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_91"
      "GET /app/lib.signed/3rdpartylib.jar" HTTP/1.1" 304 190 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_91"
      ====  now the WTF-entries ====
      "GET /app/lib.signed/lib/3rdpartylib.jar" HTTP/1.1" 404 190 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_91"
      "GET /app/lib.signed/3rdpartylib_irgendwas.jar" HTTP/1.1" 404 190 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_91"
      "GET /app/lib.signed/lib/3rdpartylib_irgendwas.jar" HTTP/1.1" 404 190 "-" "JNLP/1.7.0 javaws/ () Java/1.8.0_91"

      Why? The ClassLoader reads the manifest.mf from the libs and tries to load them. Webstart isn't supposed to work like this!!


      Second Problem:

      After JavaWS has validated all the libs  (they all have a working comodo-RSA-Cert) our App generates a Exception

      Caused by: java.lang.SecurityException: class "org.jboss.logging.LoggerProviders"'s signer information does not match signer information of other classes in the same package

        at java.lang.ClassLoader.checkCerts(ClassLoader.java:898)

        at java.lang.ClassLoader.preDefineClass(ClassLoader.java:668)

        at java.lang.ClassLoader.defineClass(ClassLoader.java:761)

        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)

        at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)

        at java.net.URLClassLoader.access$100(URLClassLoader.java:73)

        at java.net.URLClassLoader$1.run(URLClassLoader.java:368)

        at java.net.URLClassLoader$1.run(URLClassLoader.java:362)

        at java.security.AccessController.doPrivileged(Native Method)

        at java.net.URLClassLoader.findClass(URLClassLoader.java:361)

        at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)

        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)

        at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)

        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)

        at org.jboss.logging.Logger.getLogger(Logger.java:2164)

        at org.jboss.logging.Logger.getLogger(Logger.java:2189)

        at org.jnp.interfaces.NamingContext.<clinit>(NamingContext.java:183)

      That's odd because this works with java 8u77



      And in java 8u91 or 8u92 the same CodeSource looses it signer info in one occasion, which leads to that error




      What is the problem here?


      The only webstart related "bugfix" in 8u91 is



      I would like to comment there, but i'm not allowed to :/