You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Karl Kovaciny (Jira)" <ji...@apache.org> on 2020/01/15 21:26:00 UTC
[jira] [Comment Edited] (FELIX-5667) Illegal access with Java 9
Jigsaw (Module System)
[ https://issues.apache.org/jira/browse/FELIX-5667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17015635#comment-17015635 ]
Karl Kovaciny edited comment on FELIX-5667 at 1/15/20 9:25 PM:
---------------------------------------------------------------
This problem suddenly cropped up when I turned on {{--illegal-access=deny}} in the JVM. So this issue will become very serious when that becomes the default.
The error in the log is {{java.net.MalformedURLException: Unknown protocol: file}}.
Another symptom is that without the correct UrlHandlers, it also formats jar URLs with file urls inside them, like
{noformat}
jar:file:/home/user/project/cnf/cache/4.3.0/bnd-cache/biz.aQute.launcher/biz.aQute.launcher.pre.jar!/{noformat}
This was hard for me to debug. I had to make myself aware of how {{URL.toString}} grabs a URLStreamHandlerFactory, look at a bunch of Felix source, and step into Reflection::verifyModuleAccess. If you don't fix this bug, please at least make a better error message.
By the way, I couldn't use
{code:java}
--add-exports=java.base/sun.net.www.content.audio=ALL-UNNAMED
--add-exports=java.base/sun.net.www.content.image=ALL-UNNAMED
{code}
I got a warning
{{ WARNING: package sun.net.www.content.image not in java.base}}
Any idea about that?
was (Author: karl kovaciny):
This problem suddenly cropped up when I turned on {{--illegal-access=deny}} in the JVM. So this issue will become very serious when that becomes the default.
The error in the log is {{java.net.MalformedURLException: Unknown protocol: file}}.
Without the correct UrlHandlers, it also formats jar URLs with file urls inside them, like
{noformat}
jar:file:/home/user/project/cnf/cache/4.3.0/bnd-cache/biz.aQute.launcher/biz.aQute.launcher.pre.jar!/{noformat}
This was really hard for me to debug. I had to make myself aware of how {{URL.toString}} grabs a URLStreamHandlerFactory, look at a bunch of Felix source, and step into the Reflection verifyModuleAccess method. If you don't fix this bug, please at least make a better error message.
By the way, I couldn't use
{code:java}
--add-exports=java.base/sun.net.www.content.audio=ALL-UNNAMED
--add-exports=java.base/sun.net.www.content.image=ALL-UNNAMED
{code}
{{I got a warning }}
{{ WARNING: package sun.net.www.content.image not in java.base}}
Any idea about that?
> Illegal access with Java 9 Jigsaw (Module System)
> -------------------------------------------------
>
> Key: FELIX-5667
> URL: https://issues.apache.org/jira/browse/FELIX-5667
> Project: Felix
> Issue Type: Bug
> Components: Framework
> Affects Versions: framework-5.6.4
> Reporter: Nicolas Roduit
> Priority: Critical
> Labels: java9
>
> The problem comes from the class URLHandlers and URLHandlersContentHandlerProxy containing hard-coded class references:
> URLHandlersContentHandlerProxy:
> {code}
> private static final String DEFAULT_CONTENT_HANDLER_PACKAGE = "sun.net.www.content|com.ibm.oti.net.www.content|gnu.java.net.content|org.apache.harmony.luni.internal.net.www.content|COM.newmonics.www.content";
> {code}
> URLHandlers
> {code}
> private static final String DEFAULT_STREAM_HANDLER_PACKAGE = "sun.net.www.protocol|com.ibm.oti.net.www.protocol|gnu.java.net.protocol|wonka.net|com.acunia.wonka.net|org.apache.harmony.luni.internal.net.www.protocol|weblogic.utils|weblogic.net|javax.net.ssl|COM.newmonics.www.protocols";
> {code}
> The restrictions to the class "sun.*" is already effective with Java WebStart (see https://bugs.openjdk.java.net/browse/JDK-8183007 and it will be in a future release of JRE). So it requires to export specifically the required classes. Here are for sun classes:
> --add-exports=java.base/sun.net.www.protocol.http=ALL-UNNAMED
> --add-exports=java.base/sun.net.www.protocol.https=ALL-UNNAMED
> --add-exports=java.base/sun.net.www.protocol.file=ALL-UNNAMED
> --add-exports=java.base/sun.net.www.protocol.ftp=ALL-UNNAMED
> --add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED
> --add-exports=java.base/sun.net.www.content.audio=ALL-UNNAMED
> --add-exports=java.base/sun.net.www.content.image=ALL-UNNAMED
> --add-exports=java.base/sun.net.www.content.text=ALL-UNNAMED
> The current implementation doesn't write any errors neither in felix nor in JWS (because the warning mode for problematic access will be implemented in jdk 10)
> So forgetting to export a package doesn't show any direct errors. In my opinion, the felix implementation should at least catch "java.lang.IllegalStateException: Unable to access ...":
> {code}
> private URLStreamHandler loadBuiltInStreamHandler(String protocol, ClassLoader classLoader) {
> StringTokenizer pkgTok = new StringTokenizer(m_streamPkgs, "| ");
> while (pkgTok.hasMoreTokens())
> {
> String pkg = pkgTok.nextToken().trim();
> String className = pkg + "." + protocol + ".Handler";
> try
> {
> // If a built-in handler is found then cache and return it
> Class handler = m_secureAction.forName(className, classLoader);
> if (handler != null)
> {
> return (URLStreamHandler) handler.newInstance();
> }
> }
> catch (Throwable ex)
> {
> // This could be a class not found exception or an
> // instantiation exception, not much we can do in either
> // case other than ignore it.
> }
> }
> {code}
> There are also issues regarding illegal reflective access. To run felix with Java Webstart it is required to add at least:
> --add-opens=java.base/java.net=ALL-UNNAMED
> --add-opens=java.base/java.lang=ALL-UNNAMED
> --add-opens=java.base/java.security=ALL-UNNAMED
--
This message was sent by Atlassian Jira
(v8.3.4#803005)