[jira] [Created] (FELIX-5908) NoClassDefFoundError for the CM Security Domain combiner

["Timothy Ward (JIRA)" <ji...@apache.org>]

Timothy Ward created FELIX-5908:
-----------------------------------

             Summary: NoClassDefFoundError for the CM Security Domain combiner
                 Key: FELIX-5908
                 URL: https://issues.apache.org/jira/browse/FELIX-5908
             Project: Felix
          Issue Type: Bug
          Components: Configuration Admin
    Affects Versions: configadmin-1.9.4
            Reporter: Timothy Ward


This is a pretty weird bug, so I'll try to explain it.

When running with security on the Configuration Admin Updater thread applies an Access Control Context which, amongst other things, sets up a Domain Combiner. This Domain Combiner lazily creates a combined Protection Domain based on the target bundle.

 

All of this works fine until you end up in the following situation:
 # The MS/MSF being called attempts to perform a checked operation (for which they may or may not have permission)
 # The Check causes the CM Domain Combiner to be instantiated, triggering a class load if it is the first time
 # The Loading of the class can then trigger *more* security checks in some cases, for example setting the CodeSource of the class being defined can require a security check if there are multiple frameworks in the VM, or if the code was installed from a custom URL handler that has a custom toExternalForm() implementation
 # This security check retrievers the CM Domain Combiner, which attempts to load the class again
 # The Java ClassLoader detects the cycle and throws a NoClassDefFoundError

 

I am setting up a "simple" test demonstrating this (it necessarily has several moving parts) and a proposed patch.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)