Caused by: java.lang.SecurityException: class "javax.annotation.Nullable"'s signer information does not match signer information of other classes in the same package
    at java.lang.ClassLoader.checkCerts(ClassLoader.java:806)
    at java.lang.ClassLoader.preDefineClass(ClassLoader.java:487)
    at java.lang.ClassLoader.defineClassCond(ClassLoader.java:625)
    at java.lang.ClassLoader.defineClass(ClassLoader.java:615)
    at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
    at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
    at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:247)
The application is Maven based and has loads of transitive dependencies. Time for a good classpath hunt!
Going through the classpath revealed that only one javax.annotation.Nullable class is present, in the com.google.code.findbugs:jsr305:1.3.9 dependency. Apparently this is not a case of multiple definitions of the same class, which happens quite often with javax.servlet API classes.
Searching further, I found another dependency with the same javax.annotation package but with different (JSR 250) classes inside: org.eclipse.jetty.orbit:javax.annotation:1.1.0.v201108011116. This jar is special: it is signed with jarsigner and a certificate to guard its content.
The case is clear now. The javax.annotation package inside the signed JSR 250 jar is protected from tampering, and classes from the unsigned jsr305 jar, which share the same package name, are treated as an attempt to sneak into the signed jar's package. The JVM performs this check (ClassLoader.checkCerts in the trace above) when such a class is defined: the signers of the new class are compared with the signers recorded for the package already loaded by the same class loader, and any mismatch, including "unsigned versus signed", throws SecurityException.
My solution was simply to exclude the com.google.code.findbugs:jsr305 dependency, because it was not really needed. When this is not an option, the signed org.eclipse.jetty.orbit:javax.annotation dependency must be excluded instead and some other (unsigned) JSR 250 artifact added in its place. Truly annoying, and googling around revealed that the poor javax.annotation package is almost the same transitive classpath blight as the infamous commons-logging.jar.
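To find this kind of clash before the JVM does, it helps to scan the resolved classpath for packages that are split between a signed jar and an unsigned one, which is exactly the condition the checkCerts check rejects. The following script is an added example and not part of the original post; it builds three constructed jars in a temporary directory that mimic the jsr250/jsr305 situation described above (the jar names, the META-INF/ORBIT.SF signature file name and the empty class entries are all made up for the demonstration) and reports every package whose classes come from a mix of signed and unsigned jars. It only distinguishes signed from unsigned; two jars signed by different parties would also clash but are not detected here.

```python
"""Report Java packages split across signed and unsigned jars on a classpath.

Added example (not from the original post). A jar is treated as signed when its
META-INF directory contains a signature file (*.SF); a package that has .class
entries in both a signed and an unsigned jar will trigger the JVM's
"signer information does not match" SecurityException at class-load time.
"""
import os
import tempfile
import zipfile
from collections import defaultdict


def jar_is_signed(path):
    """True if the jar carries a jarsigner signature file under META-INF."""
    with zipfile.ZipFile(path) as zf:
        return any(n.upper().startswith("META-INF/") and n.upper().endswith(".SF")
                   for n in zf.namelist())


def jar_packages(path):
    """Return the dotted package names that have .class entries in the jar."""
    pkgs = set()
    with zipfile.ZipFile(path) as zf:
        for n in zf.namelist():
            if not n.endswith(".class") or n.startswith("META-INF/"):
                continue
            # Classes in the default package have no '/' in their entry name.
            pkgs.add(n.rsplit("/", 1)[0].replace("/", ".") if "/" in n else "")
    return pkgs


def find_split_packages(jar_paths):
    """Map package -> {jar name: signed?} for packages mixing signed/unsigned jars."""
    by_pkg = defaultdict(dict)
    for jar in jar_paths:
        signed = jar_is_signed(jar)
        for pkg in jar_packages(jar):
            by_pkg[pkg][os.path.basename(jar)] = signed
    # Only packages whose owners disagree on signedness are a problem.
    return {pkg: owners for pkg, owners in by_pkg.items()
            if len(set(owners.values())) > 1}


def build_sample_jars(directory):
    """Write constructed sample jars (names and entries are made up, not real artifacts)."""
    def write_jar(name, entries):
        path = os.path.join(directory, name)
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                zf.writestr(entry, b"")  # entry contents are irrelevant for this scan
        return path

    signed_jsr250 = write_jar("javax.annotation-1.1.0.jar", [
        "META-INF/MANIFEST.MF", "META-INF/ORBIT.SF", "META-INF/ORBIT.RSA",
        "javax/annotation/PostConstruct.class", "javax/annotation/Resource.class",
        "javax/annotation/security/RolesAllowed.class"])
    unsigned_jsr305 = write_jar("jsr305-1.3.9.jar", [
        "META-INF/MANIFEST.MF",
        "javax/annotation/Nullable.class", "javax/annotation/Nonnull.class",
        "javax/annotation/concurrent/ThreadSafe.class"])
    unrelated = write_jar("some-other-lib.jar", [
        "META-INF/MANIFEST.MF", "com/example/util/Helper.class"])
    return [signed_jsr250, unsigned_jsr305, unrelated]


def scan_sample():
    """Build the sample classpath in a temp dir and return the split packages found."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_split_packages(build_sample_jars(tmp))


if __name__ == "__main__":
    for pkg, owners in sorted(scan_sample().items()):
        print(pkg or "(default package)")
        for jar, signed in sorted(owners.items()):
            print(f"  {jar}: {'signed' if signed else 'unsigned'}")
```

Against the sample jars only javax.annotation is reported, split between the signed javax.annotation-1.1.0.jar and the unsigned jsr305-1.3.9.jar; javax.annotation.security and javax.annotation.concurrent each live in a single jar and are fine. To run it over a real Maven build, feed find_split_packages the jar paths from mvn dependency:build-classpath instead of the constructed set.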
Short summary of javax.annotation libraries
JSR 250: Common Annotations for the Java™ Platform
- javax.annotation (Generated, ManagedBean, PostConstruct, PreDestroy, Resource, Resources)
- javax.annotation.security (DeclareRoles, DenyAll, PermitAll, RolesAllowed, RunAs)
- javax.annotation.sql (DataSourceDefinition, DataSourceDefinitions) - since version 1.1
- jsr250-api.jar - http://mvnrepository.com/artifact/javax.annotation/jsr250-api
- javax.annotation-api.jar - http://mvnrepository.com/artifact/javax.annotation/javax.annotation-api
- Geronimo - http://mvnrepository.com/artifact/org.apache.geronimo.specs/geronimo-annotation_1.0_spec
- Glassfish - http://mvnrepository.com/artifact/org.glassfish/javax.annotation
- Jetty Orbit - http://mvnrepository.com/artifact/org.eclipse.jetty.orbit/javax.annotation
- And loads of others - http://mavenhub.com/c/javax/annotation/postconstruct
JSR 305: Annotations for Software Defect Detection
- javax.annotation (CheckForNull, ... , Nonnull, Nullable, ... , WillNotClose)
- javax.annotation.concurrent (GuardedBy, ... , ThreadSafe)
- javax.annotation.meta (Exclusive, ... , When)
Oddly enough, the FindBugs-packaged jar is the only Maven-distributed version:
- jsr305.jar - http://mavenhub.com/c/javax/annotation/nullable/jar
An early version of JSR 299 (WebBeans, later CDI) tried to jump into the javax.annotation package too, but fortunately was kicked out:
- http://mavenhub.com/c/javax/annotation/named
- javax.annotation.Named
- javax.annotation.NonBinding
- javax.annotation.Stereotype
For example, the obscure JSR 308. And starting with Java 6, a stub of JSR 250 (Generated, PostConstruct, PreDestroy, Resource, Resources) is part of the standard library - http://docs.oracle.com/javase/6/docs/api/javax/annotation/package-summary.html
Well, this is a real mess.