Bug Analysis Document: 305331: EclipseLink deployment on JBoss EAP 5.0.0 GA using signed JPA 1.0 ejb3-persistence.jar
Document History
Date
|
Author
|
Version Description & Notes
|
20100312
|
Michael O'Brien
|
1.0 Initial investigation of solution scenarios
|
Status
- In progress 20100311 for options 3,4 and 5.
- Currently recommending Option 1 - until options 3,4 and 5 are validated
Overview
- The EAP 5.0.0 GA version of the JBoss Application Server ships with signed library jars. This presents a problem for users of EclipseLink that place our unsigned implementation jar eclipselink.jar beside the JPA 1.0 javax specification jar - ejb3-persistence.jar in the common/lib library folder off the server. On deploymehnt in EAP 5.0.0 GA we receive a Security Exception because of the difference in security levels.
- The Community Edition of JBoss 5.1.0 and 6.0.0 M1 do not have these issues because their library jars are unsigned.
- This document details several possible solutions to this signed jar issue and recommends the best approach.
- JBoss JIRA JBPAPP-2971 is encountering the same issue with cglib.jar - one of the alternatives for this JIRA are the same as Option 1
Concepts
JPA Specification Notes
JPA 1.0 Specification
JPA 2.0 Specification
Reproduction
- Reproduction in standalone EAR (outside of test framework configuration)
- trunk examples JBoss EAR with commented JPA 2.0 calls and persistence.xml tags
Results: unsigned/signed conflict SecurityException - expected
Logs:
2010-03-11 11:10:08,988 INFO [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss (Microcontainer) [5.0.0.GA (build: SVNTag=JBPAPP_5_0_0_GA
date=200910202128)] Started in 1m:3s:180ms
2010-03-11 11:10:47,698 INFO [org.jboss.ejb3.deployers.Ejb3DependenciesDeployer] (HDScanner) Encountered deployment
AbstractVFSDeploymentContext@26267218{vfszip:/C:/opt/jboss-eap-5.0/jboss-as/server/default/deploy/org.eclipse.persistence.example.jpa.server.jboss.EnterpriseEAR.ear/org.eclipse.persistence.example.jpa.server.jboss.EnterpriseEJB.jar/}
2010-03-11 11:10:48,059 INFO [org.jboss.jpa.deployment.PersistenceUnitDeployment] (HDScanner) Starting persistence unit
persistence.unit:unitName=org.eclipse.persistence.example.jpa.server.jboss.EnterpriseEAR.ear/org.eclipse.persistence.example.jpa.server.jboss.EnterpriseEJB.jar#example
2010-03-11 11:10:48,069 WARN [org.jboss.detailed.classloader.ClassLoaderManager] (HDScanner) Unexpected error during load of:javax.persistence.spi.ProviderUtil java.lang.SecurityException: lass "javax.persistence.spi.ProviderUtil"'s signer information does not match signer information of other classes in the
same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java:769)
...
at
org.jboss.jpa.deployment.PersistenceUnitDeployment.start(PersistenceUnitDeployment.java:285)
>and resultant secondary exception CNFE because the signed JPA 1.0 specification class was not loaded 2010-03-11 11:10:48,069 ERROR
[org.jboss.kernel.plugins.dependency.AbstractKernelController] (HDScanner) Error installing to Start:
name=persistence.unit:unitName=org.eclipse.persistence.example.jpa.server.jboss.EnterpriseEAR.ear/org.eclipse.persistence.example.jpa.server.jboss.EnterpriseEJB.jar#example
state=Create
java.lang.NoClassDefFoundError: javax/persistence/spi/ProviderUtil
Caused by: java.lang.ClassNotFoundException: Unexpected error during load of: javax.persistence.spi.ProviderUtil, msg=class
"javax.persistence.spi.ProviderUtil"'s signer information does not match signer information of other classes in the same package
Prerequisites
Data Model
Use Case 1: Container managed Persistence Unit injected on a Stateless Session Bean invoked via a Servlet client
- This use case is valid for options 1, 2, 5
Use Case 2: Application managed Persistence Unit injected on Servlet client
- This use case is valid for options 1, 2, 3, 4, 5
StackTrace
Logs
Analysis
Server Configuration 1:
- place eclipselink.jar into common/lib.
- replace the signed JBoss EAP 5.0.0 (ejb3-persistence.jar) with the unsigned version from JBoss 5.1.0 (community edition) - both JPA 1.0 versions in common/lib
- restart server, deploy EAR
Client Configuration 1:
- Remove the JPA 2.0 API in the stateless session bean and revert persistence.xml from a JPA 2.0 to JPA 1.0 level before running the example project in trunk
- Client EAR runs out of the box using default HSQL TX datasource - https://bugs.eclipse.org/bugs/attachment.cgi?id=161810
- Client is a Servlet with JNDI injection via
public static final String APPLICATION_SERVICE_JNDI_NAME = "org.eclipse.persistence.example.jpa.server.jboss.EnterpriseEAR/ApplicationService/local";
...
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
env.put(Context.PROVIDER_URL, "localhost");
env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces" );
InitialContext ctx = new InitialContext(env);
return (ApplicationServiceLocal) ctx.lookup(APPLICATION_SERVICE_JNDI_NAME);
Results 1:
- JPA 1.0 application runs fine
12:01:41,308 INFO [STDOUT] [EL Finest]: 2010-03-11 12:01:41.308--UnitOfWork(11747982)--Thread(Thread[http-127.0.0.1-8080-1,5,jboss])--Register the existing object org.eclipse.persistence.example.jpa.server.business.Cell@3324876( id: 2 state: null left: null right: null parent: HashSet@34627602 references: HashSet@34627602)
Option 2: Ship signed eclipselink.jar - invalid
- This option has us sign our eclipselink.jar with jarsigner - however we do not have access to the private keys used to sign the JBoss libraries so this is currently not feasible.
- If the user's application is signed (IE: they are running a signed applet persistence client) - they will need to resign the jar.
Option 3: Global Shared Library - Server level scope - verifying
- In this option we create a global shared library on the server or in a jar-only EAR that is accessible to all server applications.
- This shared library must override the common/lib/ejb3-persistence.jar.
Server Configuration 3:
- no eclipselink.jar into common/lib.
Shared Library on EAR/lib
- Add EAR/lib/eclipselink.jar and EAR/lib/javax.persistence_2.0.0.v201002051058.jar
- Reference these two jars in the war/src/META-INF/manifest.MF
- Class-Path: javax.persistence_2.0.0.v201002051058.jar eclipselink.jar
- Getting CCE because the ejb3.persistence.jar on the server is taking precedence by default over the specification jar shipped with the EAR - IE: you cannot have two javax.persistence jars.
- java.lang.ClassCastException: org.eclipse.persistence.jpa.PersistenceProvider cannot be cast to javax.persistence.spi.PersistenceProvider
- Solution would be a similar override as for WebLogic via
<wls:prefer-application-packages>
Client Configuration 3:
- place eclipselink.jar and the jpa 1.0/2.0 specification jar into EAR/lib.
- One of
- jboss-app.xml
- EAR/lib
- application.xml
Results 3:
Option 4: Application Shared Library - Local EAR level scope - verifying
Server Configuration 4:
Client Configuration 4:
Results 4:
Option 5: Generate an eclipselink jar with the JPA 2.0 dependencies removed
Server Configuration 5:
Client Configuration 5:
Results 5:
Option 6: ship eclipselink and javax.persistence jar only in EAR - infeasible
Server Configuration 6:
- Remove ejb3-persistence.jar from common/lib on the server.
Client Configuration 6:
- add javax.persistence and eclipselink.jar to the EAR/lib directory.
Results 6:
- The JBoss server will not start because the web apps internal to the server require the presence of ejb3-persistence at the global server classpath level.
Open Issues
Issue #
|
Owner
|
Description / Notes
|
I1
|
mobrien
|
-
|
Decisions
Issue #
|
Description / Notes
|
Decision
|
|
|
|
Future Considerations
References