Hi Colm, I think this commit [1] caused the regression. We have some tests for CXFAuthenticator in CXF, but they are running with the single "flat" classloader and don't throw this exception.
[1] https://github.com/apache/cxf/commit/58539be7c6367b0e7db354cd90467fe006ddef57 Cheers, Jim On Fri, Nov 20, 2020 at 10:08 PM Colm O hEigeartaigh <[email protected]> wrote: > Hi Jim, > > Do you know which CXF commit caused the regression. Do we have no tests > for CXFAuthenticator? > > Colm. > > On Fri, Nov 20, 2020 at 11:19 AM Jim Ma <[email protected]> wrote: > >> When upgrade cxf to 3.3.8/3.4.1, the cxf client with >> CXFAuthenticator throws NoClassDefFoundError like following : >> java.lang.NoClassDefFoundError: org/apache/cxf/common/util/ReflectionUtil >> at >> >> org.apache.cxf.transport.http.ReferencingAuthenticator.tryWith(ReferencingAuthenticator.java:125) >> >> at >> >> org.apache.cxf.transport.http.ReferencingAuthenticator.getPasswordAuthentication(ReferencingAuthenticator.java:58) >> >> at >> >> java.net.Authenticator.requestPasswordAuthentication(Authenticator.java:317) >> >> at >> >> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:453) >> >> at >> >> sun.net.www.protocol.http.HttpURLConnection$1.run(HttpURLConnection.java:448) >> >> at java.security.AccessController.doPrivileged(Native Method) >> at >> >> sun.net.www.protocol.http.HttpURLConnection.privilegedRequestPasswordAuthentication(HttpURLConnection.java:447) >> >> at >> >> sun.net.www.protocol.http.HttpURLConnection.getServerAuthentication(HttpURLConnection.java:2439) >> >> at >> >> sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1737) >> >> at >> >> sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) >> >> at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) >> at >> >> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:377) >> >> at >> >> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream$2.run(URLConnectionHTTPConduit.java:373) >> >> at java.security.AccessController.doPrivileged(Native Method) >> at >> >> org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.getResponseCode(URLConnectionHTTPConduit.java:373) >> >> at >> >> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1597) >> >> at >> >> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1625) >> >> at >> >> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1570) >> >> at >> >> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1371) >> >> at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) >> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:671) >> at >> >> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63) >> >> at >> >> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) >> >> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) >> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441) >> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356) >> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314) >> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) >> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140) >> >> From debug, it turns out ReferencingAuthenticator has to load another new >> added class ReflectionUtil to do some security check in CXF 3.3.8 and CXF >> 3.4.1. >> But the ReferenceingAuthenticator is very special class which is loaded >> with a new created URLClassloader >> (code with "new URLClassLoader(new URL[0], ClassLoader >> .getSystemClassLoader()") to avoid some >> classloader leakage issue (see >> https://issues.apache.org/jira/browse/CXF-4529). Hence, this >> ReflectionUtil >> always >> fails to load and throws this exception. Fixing this issue is simple, we >> only need to add doPrivileged blocks in this class without introducing >> ReflectionUtil. >> I already sent a PR to fix this issue : >> https://github.com/apache/cxf/pull/728. >> >> This issue looks like a backward compatible one and the upgrade will fail >> the cxf client with CXFAuthenticator. >> Should we release the next minor soon to include this fix? >> >> Cheers, >> Jim >> >
