[
https://issues.apache.org/jira/browse/SLING-11220?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Carsten Ziegeler closed SLING-11220.
------------------------------------
> Feature launcher loads from repository even if artifact is in FAR
> -----------------------------------------------------------------
>
> Key: SLING-11220
> URL: https://issues.apache.org/jira/browse/SLING-11220
> Project: Sling
> Issue Type: Bug
> Components: Feature Model, Starter
> Affects Versions: Feature Model Launcher 1.1.26
> Environment: MacOS, Java 17 or 11
> Reporter: Hans-Peter Stoerr
> Assignee: Carsten Ziegeler
> Priority: Minor
> Fix For: Feature Model Launcher 1.2.2
>
> Attachments: felixcontainer.zip
>
>
> If the feature launcher is provided with a FAR, which contains all the
> artifacts for the features that should be launched, then it still tries to
> find the artifact in $HOME/.m2/repository and, if that fails, in
> [https://repo.maven.apache.org/maven2] . If it cannot find it there, it logs
> a INFO log containing a stacktrace, and only then takes the artifact from the
> FAR. I think that's troublesome for several reasons:
> * First in intranets or in a DMZ it's not guaranteed that you have internet
> access. Even worse: on production systems you don't want the starter to
> access the network or getting files from $HOME/.m2/repository, since that
> offers various attack avenues for injecting code into the system. So this
> behaviour is not exactly desirable.
> * For the Sling Starter 12 there are are about 2900 lines with more than 245
> stacktraces logged (see below).
> It is currently possible to avoid those network / $HOME/.m2/repository
> accesses by explicitly specifying repository urls, so that the default
> entries aren't active. In a no network setting, it is currently even
> necessary to add at least one repository url that contains the felix
> framework. For this purpose I created a felixcontainer.jar that contains it
> in a repository like structure, so that the starter can be run like this,
> even without the stacktraces:
> java -jar org.apache.sling.feature.launcher.jar -f
> org.apache.sling.starter-12-oak_tar_far.far -u
> 'jar:file:org.apache.sling.starter-12-oak_tar_far.far!' -u
> 'jar:file:felixcontainer.zip!'
> But this looks unpleasantly complicated. So I'm proposing several points:
> # The feature launcher should just take the artifacts from the FAR if they
> are there, and only consult any repositories if it isn't found there. This
> could be the default behaviour, or it should be configurable via a switch.
> (Please note that the current behaviour could be actually desirable in one
> setting: when started in a development setting, each restart of the feature
> launcher takes the newest artifacts from the local maven repository. So you
> wouldn't have to recreate the whole FAR to redeploy changes.)
> # When the behaviour is "FAR last", then at least the log message could log
> a message on INFO level and that stacktrace only DEBUG level, if it's
> required at all. (That's less confusing - initially I thought that's an error
> message and the FAR artifacts were completely ignored.)
> This is the stacktrace that's logged 245 times:
> {code:java}
> [INFO] Artifact not found in one repository
> java.io.FileNotFoundException: JAR entry
> commons-codec/commons-codec/1.15/commons-codec-1.15.jar not found in
> felixcontainer.zip
> at
> java.base/sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:147)
> at
> org.apache.sling.feature.io.artifacts.ArtifactManager$DefaultArtifactHandler.getArtifact(ArtifactManager.java:424)
> at
> org.apache.sling.feature.io.artifacts.ArtifactManager.getArtifactHandler(ArtifactManager.java:248)
> at
> org.apache.sling.feature.launcher.impl.FeatureProcessor$1.provide(FeatureProcessor.java:86)
> at
> org.apache.sling.feature.launcher.impl.FeatureProcessor.lambda$createApplication$4(FeatureProcessor.java:120)
> at
> org.apache.sling.feature.io.archive.ArchiveReader.read(ArchiveReader.java:121)
> at
> org.apache.sling.feature.launcher.impl.FeatureProcessor.createApplication(FeatureProcessor.java:118)
> at
> org.apache.sling.feature.launcher.impl.Bootstrap.assemble(Bootstrap.java:208)
> at org.apache.sling.feature.launcher.impl.Bootstrap.run(Bootstrap.java:123)
> at org.apache.sling.feature.launcher.impl.Main.main(Main.java:402){code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
