Unable to use Configuration classes in signed jar due to CGLIB [SPR-12833]

[spring-projects-issues]

Denis Carniel opened SPR-12833 and commented

When using Java Configuration from a signed jar (in a multi-module project), I get an error stating that the class enhanced by CGLIB doesn't have the same signer information than other classes from the same package.

Looking into ConfigurationClassPostProcessor and related classes code it appears that classes annotated with @Configuration will always be enhanced using CGLIB (I've plenty of other classes in the same module that work fine but they are apparently enhanced using JDK proxy).

Is there a way to use Java Configuration from a signed jar ? Or to have @configuration classes enhanced using JDK proxy ? (I tried giving them interfaces with no luck).

---

Affects: 4.1.4

Reference URL: https://stackoverflow.com/questions/29162865/use-java-configuration-in-signed-jar

Issue Links:

• Upgrade to CGLIB 3.2 [SPR-13353] #17937 Upgrade to CGLIB 3.2 ("depends on")

1 votes, 3 watchers

[spring-projects-issues]

Juergen Hoeller commented

@Configuration classes currently always get enhanced via CGLIB. This can't happen through interface-based proxies since it's about a runtime-generated subclass which overrides all @Bean methods... in order to intercept them for cross-reference calls between @Bean methods.

That said, there is a 'lite' mode of @Bean processing where we don't apply any CGLIB processing: simply declare your @Bean methods on classes not annotated with @Configuration (but typically with another Spring stereotype instead, e.g. @Component). As long as you don't do programmatic calls between your @Bean methods, this is going to work just as fine.

Of course, the real problem is that CGLIB doesn't seem to work with signed jars. We'll see whether there's anything we can do about this. After all, there are quite a few Spring features which happen to apply CGLIB.

Juergen

[spring-projects-issues]

Denis Carniel commented

Thanks for the workaround, that worked for me.

I guess that ticket can be kept to track the general issue of using CGLIB and signed jars, but I'll lower the priority.

Denis

[spring-projects-issues]

Dmitry Fedosov commented

Hello, I found out that this issue has been solved in original CGLIB repository - cglib/cglib@f9d2f6c
Are you planning to merge these changes into your version of CGLIB?

My team is using this CGLIB proxies for AOP, but we have to distribute out app via Java Web Start, so, all jars should be signed. For now, we got stuck with a class loader with disabled security checkings. It would be great, if we could get rid of this workaround.

[spring-projects-issues]

Juergen Hoeller commented

In contrast to our ASM fork, we do not maintain a CGLIB fork of our own; we're just repackaging CGLIB 3.1 proper. So in order to pick up CGLIB changes since 3.1, we'd really need a new CGLIB release in Maven Central.

I've been waiting for CGLIB 3.2 for quite a while already. The work seems to have been done, but no release has been made available yet. Feel free to raise this with the CGLIB team and push for a release on their side!

Juergen