Wednesday 27 November 2013

How many javax.annotation jars are out there?!?!

Today I met a very strange Exception. Here comes its mighty stack trace.

Caused by: java.lang.SecurityException: class "javax.annotation.Nullable"'s signer information does not match signer information of other classes in the same package
 at java.lang.ClassLoader.checkCerts(ClassLoader.java:806)
 at java.lang.ClassLoader.preDefineClass(ClassLoader.java:487)
 at java.lang.ClassLoader.defineClassCond(ClassLoader.java:625)
 at java.lang.ClassLoader.defineClass(ClassLoader.java:615)
 at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
 at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
 at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
 at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
 at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:247)


The application is Maven based and there are loads of transitive dependencies. Time for a good classpath hunt!


Going through the classpath revealed that only one javax.annotation.Nullable class is present, in the com.google.code.findbugs:jsr305:1.3.9 dependency. Apparently it is not a case of having multiple definitions of the same class, which happens quite often with javax.servlet API classes.
Searching further I found another dependency with the same javax.annotation package but different (JSR 250) classes inside: org.eclipse.jetty.orbit:javax.annotation:1.1.0.v201108011116. This jar is special. It is signed (with jarsigner) with a certificate to guard its content.
The case is clear now. The JVM requires that every class defined in a runtime package (package name plus defining class loader) carries the same signer certificates as the first class defined in that package, and "no signer at all" counts as a different value. The package javax.annotation from inside the signed JSR 250 jar was defined first, with Jetty's signer, so classes from the unsigned jsr305 jar, having the same package name, are rejected as they are trying to sneak into the signed jar's package. ClassLoader.preDefineClass/checkCerts performs this comparison when such a class is defined and throws the SecurityException above. Two things worth knowing: the check is order dependent, so had a jsr305 class been loaded first the Jetty class would have been the one refused, with the same message naming it instead; and nothing in the jsr305 jar was actually tampered with, this is a signer-consistency check, not a failed signature verification (that would surface as a digest or signature file error when the jar is opened).

My solution was simply to exclude the com.google.code.findbugs:jsr305 dependency, because it was not really needed. When this is not an option, the signed Orbit org.eclipse.jetty.orbit:javax.annotation dependency must be excluded and another (unsigned) one added instead. Truly annoying, and googling around revealed that the poor package javax.annotation is almost the same transitive classpath blight as the infamous commons-logging.jar.
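To make the classpath hunt above repeatable, here is a small scanner, an added example written for this post and not code from the original post or from any of the projects mentioned. It applies the rule that ClassLoader.checkCerts enforces: for each jar it lists the Java packages that contain classes, decides whether the jar is signed (a top-level META-INF/*.SF with a matching .RSA/.DSA/.EC signature block), and reports packages that appear in both a signed and an unsigned jar, which is exactly the jsr305 versus Orbit situation. It does not compare the signing certificates themselves, so a package split across two signed jars still needs a manual `jarsigner -verify -verbose -certs` on both. The two sample jars, their placeholder signature files and the dummy class bytes are constructed inside the script so the demo runs offline; they are stand-ins, not the real artifacts.

```python
"""Find packages split across signed and unsigned jars on a classpath.

Added example for the post above (not the post's or any project's code).
The sample jars built by build_sample_jars() are constructed placeholders.
"""
import os
import sys
import tempfile
import zipfile
from collections import defaultdict


def signature_blocks(jar):
    """Names of signature-block files (META-INF/X.RSA etc. with a matching X.SF)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
    blocks = []
    for n in sorted(names):
        if not n.startswith("META-INF/") or "/" in n[len("META-INF/"):]:
            continue                      # only top-level META-INF entries count
        base, dot, ext = n.rpartition(".")
        if dot and ext.upper() in ("RSA", "DSA", "EC") and base + ".SF" in names:
            blocks.append(n)
    return blocks


def packages_in(jar):
    """Java packages (dotted) that have at least one .class file in the jar."""
    with zipfile.ZipFile(jar) as zf:
        return {n[:n.rfind("/")].replace("/", ".")
                for n in zf.namelist() if n.endswith(".class") and "/" in n}


def scan_classpath(jars):
    """Map package -> list of (jar file name, signed?) in classpath order."""
    owners = defaultdict(list)
    for jar in jars:
        signed = bool(signature_blocks(jar))
        for pkg in packages_in(jar):
            owners[pkg].append((os.path.basename(jar), signed))
    return owners


def signer_conflicts(owners):
    """Packages defined by both signed and unsigned jars.

    Whichever jar supplies the first class of such a package fixes the
    package's signers; the first class from the other jar then fails
    checkCerts with the SecurityException quoted in the post.
    """
    return {pkg: entries for pkg, entries in owners.items()
            if len({signed for _, signed in entries}) > 1}


def build_sample_jars(directory):
    """Constructed stand-ins for the two jars from the post (not the real artifacts)."""
    jsr305 = os.path.join(directory, "jsr305-1.3.9.jar")
    with zipfile.ZipFile(jsr305, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("javax/annotation/Nullable.class", b"\xca\xfe\xba\xbe")
        zf.writestr("javax/annotation/concurrent/ThreadSafe.class", b"\xca\xfe\xba\xbe")
    orbit = os.path.join(directory, "javax.annotation-1.1.0.v201108011116.jar")
    with zipfile.ZipFile(orbit, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")    # placeholder
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82placeholder-pkcs7")  # placeholder
        zf.writestr("javax/annotation/PostConstruct.class", b"\xca\xfe\xba\xbe")
        zf.writestr("javax/annotation/security/RolesAllowed.class", b"\xca\xfe\xba\xbe")
    return [jsr305, orbit]


def run_demo():
    """Scan the constructed jars; returns (owners, conflicts)."""
    with tempfile.TemporaryDirectory() as d:
        owners = scan_classpath(build_sample_jars(d))
        return owners, signer_conflicts(owners)


def report(conflicts):
    for pkg, entries in sorted(conflicts.items()):
        print(pkg)
        for jar, signed in entries:
            print("    %-8s %s" % ("signed" if signed else "unsigned", jar))


if __name__ == "__main__":
    # Pass real jar paths to scan your own classpath; with no arguments run the demo.
    jars = sys.argv[1:]
    if jars:
        report(signer_conflicts(scan_classpath(jars)))
    else:
        report(run_demo()[1])
```

On a Maven project the jar list can come from `mvn dependency:build-classpath -Dmdep.outputFile=cp.txt`, after which `python scan.py $(tr ':' ' ' < cp.txt)` prints every package that is at risk, with the signed and unsigned jars that supply it; that tells you directly which artifact to exclude.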

Short summary of javax.annotation libraries

JSR 250: Common Annotations for the Java™ Platform

  • javax.annotation (Generated, ManagedBean, PostConstruct, PreDestroy, Resource, Resources)
  • javax.annotation.security (DeclareRoles, DenyAll, PermitAll, RolesAllowed, RunAs)
  • javax.annotation.sql (DataSourceDefinition, DataSourceDefinitions) - since version 1.1 
Usual Maven suspects:
  • jsr250-api.jar - http://mvnrepository.com/artifact/javax.annotation/jsr250-api
  • javax.annotation-api.jar - http://mvnrepository.com/artifact/javax.annotation/javax.annotation-api
  • Geronimo - http://mvnrepository.com/artifact/org.apache.geronimo.specs/geronimo-annotation_1.0_spec
  • Glassfish - http://mvnrepository.com/artifact/org.glassfish/javax.annotation
  • Jetty Orbit - http://mvnrepository.com/artifact/org.eclipse.jetty.orbit/javax.annotation
  • And loads of others - http://mavenhub.com/c/javax/annotation/postconstruct

JSR 305: Annotations for Software Defect Detection

  • javax.annotation (CheckForNull, ... , Nonnull, Nullable, ... , WillNotClose)
  • javax.annotation.concurrent (GuardedBy, ... , ThreadSafe)
  • javax.annotation.meta (Exclusive, ... , When)
Usual Maven suspects:
Oddly enough, the FindBugs-packaged jar is the only Maven-distributed version
  • jsr305.jar http://mavenhub.com/c/javax/annotation/nullable/jar 


Early versions of JSR 299 (WebBeans, later CDI) tried to jump into the javax.annotation package too, but fortunately were kicked out (Named, for one, ended up in javax.inject under JSR 330)
  • http://mavenhub.com/c/javax/annotation/named
  • javax.annotation.Named
  • javax.annotation.NonBinding
  • javax.annotation.Stereotype 
But wait, there is more!
For example the obscure JSR 308. And starting with Java 6, a stub of JSR 250 (Generated, PostConstruct, PreDestroy, Resource, Resources) is part of the standard library - http://docs.oracle.com/javase/6/docs/api/javax/annotation/package-summary.html
Well, this is a real mess.
