Re: svn commit: r1853691 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util: ObjectInputStream.java SafeObjectInputStream.java UtilObject.java

2019-02-17 Thread Jacques Le Roux

Hi,

There is a problem with this commit, I'm working on it...

Jacques

On 16/02/2019 at 10:42, jler...@apache.org wrote:

Author: jleroux
Date: Sat Feb 16 09:42:03 2019
New Revision: 1853691

URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
Log:
Improved: Improve ObjectInputStream class
(OFBIZ-10837)

As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
a code smell in Findbugs[2]) when extending to use the same name as the
extended Object

[1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
[2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html

Added:
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java   (with props)
Removed:
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
Modified:
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto
==
--- 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 (added)
+++ 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 Sat Feb 16 09:42:03 2019
@@ -0,0 +1,86 @@
+/***
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ 
***/
+package org.apache.ofbiz.base.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectStreamClass;
+import java.lang.reflect.Proxy;
+import java.util.List;
+import java.util.regex.Pattern;
+
+/**
+ * ObjectInputStream
+ *
+ */
+public class SafeObjectInputStream extends java.io.ObjectInputStream 
implements AutoCloseable {
+
+private ClassLoader classloader;
+private Pattern WHITELIST_PATTERN = null;
+
+public SafeObjectInputStream(InputStream in, ClassLoader loader) throws 
IOException {
+super(in);
+this.classloader = loader;
+}
+
+public SafeObjectInputStream(InputStream in, ClassLoader loader, 
List whitelist) throws IOException {
+super(in);
+this.classloader = loader;
+StringBuilder bld = new StringBuilder("(");
+for (int i = 0; i < whitelist.size(); i++) {
+bld.append(whitelist.get(i));
+if (i != whitelist.size() - 1) {
+bld.append("|");
+}
+}
+bld.append(")");
+WHITELIST_PATTERN = Pattern.compile(bld.toString());
+}
+
+
+/**
+ * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
+ */
+@Override
+protected Class resolveClass(ObjectStreamClass classDesc) throws 
IOException, ClassNotFoundException {
+if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
+throw new ClassCastException("Incompatible class: " + 
classDesc.getName());
+}
+
+return ObjectType.loadClass(classDesc.getName(), classloader);
+}
+
+/**
+ * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
+ */
+@Override
+protected Class resolveProxyClass(String[] interfaces) throws 
IOException, ClassNotFoundException {
+Class[] cinterfaces = new Class[interfaces.length];
+for (int i = 0; i < interfaces.length; i++) {
+cinterfaces[i] = classloader.loadClass(interfaces[i]);
+}
+
+try {
+return Proxy.getProxyClass(classloader, cinterfaces);
+} catch (IllegalArgumentException e) {
+throw new ClassNotFoundException(null, e);
+}
+
+}
+}
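Review bot: resolveClass dereferences `WHITELIST_PATTERN` unconditionally, but the two-argument constructor leaves that field at its `null` initial value, so a stream created with `SafeObjectInputStream(in, loader)` throws NullPointerException on the first class it resolves. Either drop the two-argument constructor, have it delegate to the three-argument one with an explicit default whitelist, or make resolveClass reject every class when no pattern is set; failing closed is preferable to skipping the check. Declaring the field `private final Pattern` without the `= null` initializer, and giving it a lower-camel-case name since it is per-instance state rather than a constant, would turn the missing assignment into a compile error.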

Propchange: 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputS

Re: Oracle Java release model changes and consequences for the project

2019-02-17 Thread Jacques Le Roux

+1

Jacques

On 13/02/2019 at 12:51, Jacopo Cappellato wrote:

Hi Michael,

yes AdoptOpenJDK is definitely a good fit.

Jacopo

On Wed, Feb 13, 2019 at 12:39 PM Michael Brohl wrote:


Hi Jacopo,

an alternative would be https://adoptopenjdk.net/ which provides
prebuilt packages. The scripts for package building are Apache 2.0
licensed and they are providing Java 8 and 11 LTS versions.

Seems a good fit to me.

Since Java 8 is LTS there, we do not necessarily have to upgrade OFBiz
for the use of Java 11.

Best regards,

Michael


On 13.02.19 at 11:06, Jacopo Cappellato wrote:

Considering that now Oracle JDKs are no more free for commercial use, I
think that as a community we should make it a priority to suggest a
different Java build in the README and other public documents.
The simplest alternative (because it is the closest to Oracle JDK) is the
Open JDK 11 maintained by Oracle and distributed from:
https://jdk.java.net/11/

In my opinion our README should point to it rather than:
http://www.oracle.com/technetwork/java/javase/downloads/index.html
as it is now.
However, before we can do it, we have to resolve:
https://issues.apache.org/jira/browse/OFBIZ-10757
which should not be too difficult to achieve.

Just my two cents,

Jacopo


On Wed, Oct 24, 2018 at 2:21 PM James Yong wrote:

Answering my last question.
From the download page for Oracle JDK 11, demo purpose is allowed.

On 2018/10/24 07:38:19, James Yong wrote:

Hi all,

Will the release model and licensing changes impact our demos hosted with Apache Software Foundation?

Regards,
James

On 2018/10/24 06:54:05, James Yong wrote:

Hi all,

OFBiz can be used as an application framework and not all business use-cases justify the yearly price-tag of Oracle JDK. Given that more products(1) are moving to support OpenJDK, should OFBiz follow?

Regards,
James

(1) See plan of Atlassian's product to support OpenJDK
https://community.atlassian.com/t5/Jira-discussions/Java-11-and-OpenJDK-support-for-Atlassian-Server-amp-Data-Center/m-p/872998#M4575

On 2018/07/31 06:35:46, Jacques Le Roux wrote:

Hi Michael,

How (by which means) do you envision to "actively inform users about our roadmap", blog, wiki or embedded documentation?

It seems the blog is not reaching all our users (needs attention).

Maybe an initial statement could be used there though.

The wiki is slowly deprecating in favour of the embedded documentation. So I guess we will use the embedded documentation for lasting information, right?

BTW All, I want to close OFBIZ-9226 "Check that OFBiz runs and compile with Oracle JDK 9 (Java 9)" as unresolved and create a new similar issue for Java 11, what do you think?

Jacques


On 28/07/2018 at 13:29, Michael Brohl wrote:

Hi Mathieu,

my goal is to actively inform users about our roadmap and provide information on how the project will deal with the new Java release model. Users testing OFBiz for their needs in a professional environment also check if a project has answers to these questions so I am wrapping my mind around it.

This is just to make clear that I am not eager to switch to newer Java versions just for the sake of it.

On 28.07.18 at 12:54, Mathieu Lirzin wrote:

I wonder if we should base the OFBiz 17.12 release on Java 8 or Java 11. We have no fixed release date yet so we might have time to do it.

Another way would be to make a new branch which will support Java 11.

What do people think?

I think OFBiz should be conservative in its choices.

I agree!

Given the fact Java 11 is not released yet or is about to be released,

Java 11 will be released as GA in Sept 18. At the same time, non-subscribed users will get no updates for Java 8 any more.

OFBiz should keep compatibility with the previous LTS release meaning java 8.  Of course

Yes, you are right. If you focus on subscribed users, they will get Java 8 support until September 2023 (2026 for extended subscription).

So following my thoughts to assume that users will subscribe, we can stay with Java 8 for a while.

On the other hand, if we test Java 11 and find that we will have few issues we can easily handle, it could be a good idea to make the switch with release 17.12.

I am open to both (or other) models and would like to hear more opinions about that.

This does not mean that OFBiz should not be tested with more recent Java releases too.

Having an extra branch has a maintenance burden that should be balanced with the benefits it provides.  What benefits do you see in having a Java 11 branch?

This is just an alternative to the Java 11 update of the next branch. I do not favor this because of the extra maintenance burden you mentioned.

In conclusion, we can stick to Java 8, informing our users that they have to subscribe for further updates.

If we do this, we should think about a roadmap/ process to change to Java 11 in the future. This could be, for example, set up during the release branch 21.x or 22.x to give us enough

Re: svn commit: r1853691 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util: ObjectInputStream.java SafeObjectInputStream.java UtilObject.java

2019-02-17 Thread Jacques Le Roux

It's fixed so far, I have added a warning

Jacques

On 17/02/2019 at 12:09, Jacques Le Roux wrote:

Hi,

There is a problem with this commit, I'm working on it...

Jacques

On 16/02/2019 at 10:42, jler...@apache.org wrote:

Author: jleroux
Date: Sat Feb 16 09:42:03 2019
New Revision: 1853691

URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
Log:
Improved: Improve ObjectInputStream class
(OFBIZ-10837)

As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1],
a code smell in Findbugs[2]) when extending to use the same name as the
extended Object

[1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
[2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html

Added:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 (with props)
Removed:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
Modified:
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java

Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto

==
--- 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 (added)
+++ 
ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java
 Sat Feb 16 09:42:03 2019
@@ -0,0 +1,86 @@
+/***
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ 
***/
+package org.apache.ofbiz.base.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectStreamClass;
+import java.lang.reflect.Proxy;
+import java.util.List;
+import java.util.regex.Pattern;
+
+/**
+ * ObjectInputStream
+ *
+ */
+public class SafeObjectInputStream extends java.io.ObjectInputStream 
implements AutoCloseable {
+
+    private ClassLoader classloader;
+    private Pattern WHITELIST_PATTERN = null;
+
+    public SafeObjectInputStream(InputStream in, ClassLoader loader) throws 
IOException {
+    super(in);
+    this.classloader = loader;
+    }
+
+    public SafeObjectInputStream(InputStream in, ClassLoader loader, 
List whitelist) throws IOException {
+    super(in);
+    this.classloader = loader;
+    StringBuilder bld = new StringBuilder("(");
+    for (int i = 0; i < whitelist.size(); i++) {
+    bld.append(whitelist.get(i));
+    if (i != whitelist.size() - 1) {
+    bld.append("|");
+    }
+    }
+    bld.append(")");
+    WHITELIST_PATTERN = Pattern.compile(bld.toString());
+    }
+
+
+    /**
+ * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass)
+ */
+    @Override
+    protected Class resolveClass(ObjectStreamClass classDesc) throws 
IOException, ClassNotFoundException {
+    if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) {
+    throw new ClassCastException("Incompatible class: " + 
classDesc.getName());
+    }
+
+    return ObjectType.loadClass(classDesc.getName(), classloader);
+    }
+
+    /**
+ * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[])
+ */
+    @Override
+    protected Class resolveProxyClass(String[] interfaces) throws 
IOException, ClassNotFoundException {
+    Class[] cinterfaces = new Class[interfaces.length];
+    for (int i = 0; i < interfaces.length; i++) {
+    cinterfaces[i] = classloader.loadClass(interfaces[i]);
+    }
+
+    try {
+    return Proxy.getProxyClass(classloader, cinterfaces);
+    } catch (IllegalArgumentException e) {
+    throw new ClassNotFoundException(null, e);
+    }
+
+    }
+}
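Review bot: In resolveClass the whitelist test is `WHITELIST_PATTERN.matcher(classDesc.getName()).find()` on a pattern built by joining the raw list entries with `|`, so an entry matches anywhere inside the class name and every `.` in it matches any character; the check accepts more names than the list states. Wrap each entry in `Pattern.quote(...)` and use `matches()`, or drop the regex and compare against a set of exact class names or package prefixes. If entries are meant to be regular expressions, say so in the constructor Javadoc, which is currently missing. resolveProxyClass also loads each interface through `classloader.loadClass(interfaces[i])` without consulting the whitelist, so the same check should apply there. For the rejection itself, `java.io.InvalidClassException` fits the method's declared `IOException` better than the unchecked `ClassCastException`.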

Propchange: 
ofbiz/ofbiz-frame