New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to use Configuration classes in signed jar due to CGLIB [SPR-12833] #17430

Closed
spring-issuemaster opened this Issue Mar 20, 2015 · 4 comments

Comments

Projects
None yet
2 participants
@spring-issuemaster
Copy link
Collaborator

spring-issuemaster commented Mar 20, 2015

Denis Carniel opened SPR-12833 and commented

When using Java Configuration from a signed jar (in a multi-module project), I get an error stating that the class enhanced by CGLIB doesn't have the same signer information than other classes from the same package.

Looking into ConfigurationClassPostProcessor and related classes code it appears that classes annotated with @Configuration will always be enhanced using CGLIB (I've plenty of other classes in the same module that work fine but they are apparently enhanced using JDK proxy).

Is there a way to use Java Configuration from a signed jar ? Or to have @configuration classes enhanced using JDK proxy ? (I tried giving them interfaces with no luck).


Affects: 4.1.4

Reference URL: https://stackoverflow.com/questions/29162865/use-java-configuration-in-signed-jar

Issue Links:

  • #17937 Upgrade to CGLIB 3.2 ("depends on")

1 votes, 3 watchers

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

spring-issuemaster commented Mar 20, 2015

Juergen Hoeller commented

@Configuration classes currently always get enhanced via CGLIB. This can't happen through interface-based proxies since it's about a runtime-generated subclass which overrides all @Bean methods... in order to intercept them for cross-reference calls between @Bean methods.

That said, there is a 'lite' mode of @Bean processing where we don't apply any CGLIB processing: simply declare your @Bean methods on classes not annotated with @Configuration (but typically with another Spring stereotype instead, e.g. @Component). As long as you don't do programmatic calls between your @Bean methods, this is going to work just as fine.

Of course, the real problem is that CGLIB doesn't seem to work with signed jars. We'll see whether there's anything we can do about this. After all, there are quite a few Spring features which happen to apply CGLIB.

Juergen

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

spring-issuemaster commented Mar 20, 2015

Denis Carniel commented

Thanks for the workaround, that worked for me.

I guess that ticket can be kept to track the general issue of using CGLIB and signed jars, but I'll lower the priority.

Denis

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

spring-issuemaster commented Aug 16, 2015

Dmitry Fedosov commented

Hello, I found out that this issue has been solved in original CGLIB repository - cglib/cglib@f9d2f6c
Are you planning to merge these changes into your version of CGLIB?

My team is using this CGLIB proxies for AOP, but we have to distribute out app via Java Web Start, so, all jars should be signed. For now, we got stuck with a class loader with disabled security checkings. It would be great, if we could get rid of this workaround.

@spring-issuemaster

This comment has been minimized.

Copy link
Collaborator Author

spring-issuemaster commented Aug 17, 2015

Juergen Hoeller commented

In contrast to our ASM fork, we do not maintain a CGLIB fork of our own; we're just repackaging CGLIB 3.1 proper. So in order to pick up CGLIB changes since 3.1, we'd really need a new CGLIB release in Maven Central.

I've been waiting for CGLIB 3.2 for quite a while already. The work seems to have been done, but no release has been made available yet. Feel free to raise this with the CGLIB team and push for a release on their side!

Juergen

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment