Hi Jim,

Do you know which CXF commit caused the regression? Do we have no tests for CXFAuthenticator?
Colm.

On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <[email protected]> wrote:

> When upgrading cxf to 3.3.8/3.4.1, the cxf client with
> CXFAuthenticator throws NoClassDefFoundError like the following:
>
> java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil
>     at org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125)
>     at org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58)
>     at java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317)
>     at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453)
>     at sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447)
>     at sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737)
>     at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>     at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
>
> From debug, it turns out ReferencingAuthenticator has to load another newly
> added class ReflectionUtil to do some security check in CXF 3.3.8 and CXF
> 3.4.1.
> But the ReferencingAuthenticator is a very special class which is loaded
> with a newly created URLClassLoader
> (code with "new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader())")
> to avoid some classloader leakage issue (see
> https://issues.apache.org/jira/browse/CXF-4529). Hence, this ReflectionUtil
> always fails to load and throws this exception. Fixing this issue is simple, we
> only need to add doPrivileged blocks in this class without introducing
> ReflectionUtil.
> I already sent a PR to fix this issue:
> https://github.com/apache/cxf/pull/728.
>
> This issue looks like a backward compatible one and the upgrade will fail
> the cxf client with CXFAuthenticator.
> Should we release the next minor soon to include this fix?
>
> Cheers,
> Jim
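
The failure mode described in the quoted message, and the doPrivileged-only alternative, as a stand-alone Java program (an added example, not code from CXF or from the PR). It shows a class defined in an isolated loader failing as soon as it touches a helper that loader cannot resolve, while the variant that uses only JDK types works. Assumptions: the names Helper, UsesHelper, UsesJdkOnly and IsolatedLoaderDemo are hypothetical, the platform loader is used as parent to stand in for a deployment where the library is not visible from the isolated loader's parent, and the file is compiled with javac (Java 9+) in the default package.

```java
import java.io.*;
import java.lang.reflect.*;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Callable;

// Hypothetical stand-in for a library utility; the isolated loader cannot see it.
class Helper { static Field open(Field f) { f.setAccessible(true); return f; } }
class UsesHelper implements Callable<String> {           // breaks when isolated
    private final String token = "constructed-value";
    public String call() throws Exception {
        return (String) Helper.open(UsesHelper.class.getDeclaredField("token")).get(this);
    }
}
// Same reflective access with JDK types only: the class is its own PrivilegedAction.
class UsesJdkOnly implements Callable<String>, PrivilegedAction<Field> {
    private final String token = "constructed-value";
    public Field run() {
        try { Field f = UsesJdkOnly.class.getDeclaredField("token"); f.setAccessible(true); return f; }
        catch (NoSuchFieldException e) { throw new IllegalStateException(e); }
    }
    public String call() throws Exception {
        return (String) AccessController.doPrivileged(this).get(this);
    }
}

public class IsolatedLoaderDemo {
    // Defines exactly one class from its bytes; every other name must resolve in the JDK.
    static ClassLoader isolated(String only) {
        return new ClassLoader(ClassLoader.getPlatformClassLoader()) {
            @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
                InputStream in = name.equals(only) ? ClassLoader.getSystemResourceAsStream(name + ".class") : null;
                if (in == null) throw new ClassNotFoundException(name);
                try (in) { byte[] b = in.readAllBytes(); return defineClass(name, b, 0, b.length); }
                catch (IOException e) { throw new ClassNotFoundException(name, e); }
            }
        };
    }
    static String runIsolated(String name) throws Exception {
        try {
            Constructor<?> k = isolated(name).loadClass(name).getDeclaredConstructor();
            k.setAccessible(true);                      // class is package-private
            return String.valueOf(((Callable<?>) k.newInstance()).call());
        } catch (LinkageError e) { return e.toString(); } // e.g. NoClassDefFoundError
    }
    public static void main(String[] args) throws Exception {
        System.out.println("UsesHelper  -> " + runIsolated("UsesHelper"));
        System.out.println("UsesJdkOnly -> " + runIsolated("UsesJdkOnly"));
    }
}
```

On Java 17 and later, AccessController is deprecated for removal, so javac prints a warning for the doPrivileged call; the program still compiles and runs.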
