You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@felix.apache.org by "Timothy Ward (JIRA)" <ji...@apache.org> on 2018/08/15 12:17:00 UTC
[jira] [Created] (FELIX-5908) NoClassDefFoundError for the CM
Security Domain combiner
Timothy Ward created FELIX-5908:
-----------------------------------
Summary: NoClassDefFoundError for the CM Security Domain combiner
Key: FELIX-5908
URL: https://issues.apache.org/jira/browse/FELIX-5908
Project: Felix
Issue Type: Bug
Components: Configuration Admin
Affects Versions: configadmin-1.9.4
Reporter: Timothy Ward
This is a pretty weird bug, so I'll try to explain it.
When running with security on the Configuration Admin Updater thread applies an Access Control Context which, amongst other things, sets up a Domain Combiner. This Domain Combiner lazily creates a combined Protection Domain based on the target bundle.
All of this works fine until you end up in the following situation:
# The MS/MSF being called attempts to perform a checked operation (for which they may or may not have permission)
# The Check causes the CM Domain Combiner to be instantiated, triggering a class load if it is the first time
# The Loading of the class can then trigger *more* security checks in some cases, for example setting the CodeSource of the class being defined can require a security check if there are multiple frameworks in the VM, or if the code was installed from a custom URL handler that has a custom toExternalForm() implementation
# This security check retrievers the CM Domain Combiner, which attempts to load the class again
# The Java ClassLoader detects the cycle and throws a NoClassDefFoundError
I am setting up a "simple" test demonstrating this (it necessarily has several moving parts) and a proposed patch.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)