Re: svn commit: r1853691 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util: ObjectInputStream.java SafeObjectInputStream.java UtilObject.java
It's fixed so far, I have added a warning

Jacques

On 17/02/2019 at 12:09, Jacques Le Roux wrote:

Hi, There is a problem with this commit, I'm working on it...

Jacques

On 16/02/2019 at 10:42, jler...@apache.org wrote:

Author: jleroux
Date: Sat Feb 16 09:42:03 2019
New Revision: 1853691
URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
Log: Improved: Improve ObjectInputStream class (OFBIZ-10837) As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name as the extended Object
[1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
[2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (with props)
Removed: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto == --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (added) +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java Sat Feb 16 09:42:03 2019 
@@ -0,0 +1,86 @@ +/*** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.base.util; + +import java.io.IOException; +import java.io.InputStream; +import java.io.ObjectStreamClass; +import java.lang.reflect.Proxy; +import java.util.List; +import java.util.regex.Pattern; + +/** + * ObjectInputStream + * + */ +public class SafeObjectInputStream extends java.io.ObjectInputStream implements AutoCloseable { + + private ClassLoader classloader; + private Pattern WHITELIST_PATTERN = null; + + public SafeObjectInputStream(InputStream in, ClassLoader loader) throws IOException { + super(in); + this.classloader = loader; + } + + public SafeObjectInputStream(InputStream in, ClassLoader loader, List whitelist) throws IOException { + super(in); + this.classloader = loader; + StringBuilder bld = new StringBuilder("("); + for (int i = 0; i < whitelist.size(); i++) { + bld.append(whitelist.get(i)); + if (i != whitelist.size() - 1) { + bld.append("|"); + } + } + bld.append(")"); + WHITELIST_PATTERN = Pattern.compile(bld.toString()); + } + + + /** + * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass) + */ + @Override + protected Class resolveClass(ObjectStreamClass classDesc) throws 
IOException, ClassNotFoundException { + if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) { + throw new ClassCastException("Incompatible class: " + classDesc.getName()); + } + + return ObjectType.loadClass(classDesc.getName(), classloader); + } + + /** + * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[]) + */ + @Override + protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { + Class[] cinterfaces = new Class[interfaces.length]; + for (int i = 0; i < interfaces.length; i++) { + cinterfaces[i] = classloader.loadClass(interfaces[i]); + } + + try { + return Proxy.getProxyClass(classloader, cinterfaces); + } catch (IllegalArgumentException e) { + throw new ClassNotFoundException(null, e); + } + + } +} Propchange: ofbiz/ofbiz-frame
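Review bot: The two-argument constructor SafeObjectInputStream(InputStream in, ClassLoader loader) leaves WHITELIST_PATTERN at its initial null, while resolveClass calls WHITELIST_PATTERN.matcher(classDesc.getName()) unconditionally, so a stream opened through that constructor throws a NullPointerException on the first class descriptor it resolves. Either drop that constructor so every caller has to supply a whitelist, or have it delegate to the three-argument constructor with a default list. The field should also be final and named as an instance field; the upper-case name reads as a static constant, and the raw List parameter would be clearer as List<String>.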
Re: Oracle Java release model changes and consequences for the project
+1

Jacques

On 13/02/2019 at 12:51, Jacopo Cappellato wrote:

Hi Michael, yes AdoptOpenJDK is definitely a good fit.

Jacopo

On Wed, Feb 13, 2019 at 12:39 PM Michael Brohl wrote:

Hi Jacopo, an alternative would be https://adoptopenjdk.net/ which provides prebuilt packages. The scripts for package building are Apache 2.0 licensed and they are providing Java 8 and 11 LTS versions. Seems a good fit to me. Since Java 8 is LTS there, we do not necessarily have to upgrade OFBiz for the use of Java 11.

Best regards, Michael

On 13.02.19 at 11:06, Jacopo Cappellato wrote:

Considering that now Oracle JDKs are no more free for commercial use, I think that as a community we should make it a priority to suggest a different Java build in the README and other public documents. The simplest alternative (because it is the closest to Oracle JDK) is the Open JDK 11 maintained by Oracle and distributed from: https://jdk.java.net/11/ In my opinion our README should point to it rather than: http://www.oracle.com/technetwork/java/javase/downloads/index.html as it is now. However, before we can do it, we have to resolve: https://issues.apache.org/jira/browse/OFBIZ-10757 which should not be too difficult to achieve.

Just my two cents, Jacopo

On Wed, Oct 24, 2018 at 2:21 PM James Yong wrote:

Answering my last question. From the download page for Oracle JDK 11, demo purpose is allowed.

On 2018/10/24 07:38:19, James Yong wrote:

Hi all, Will the release model and licensing changes impact our demos hosted with Apache Software Foundation?

Regards, James

On 2018/10/24 06:54:05, James Yong wrote:

Hi all, OFBiz can be used as an application framework and not all business use cases justify the yearly price tag of Oracle JDK. Given that more products (1) are moving to support OpenJDK, should OFBiz follow?

Regards, James

(1) See plan of Atlassian's product to support OpenJDK https://community.atlassian.com/t5/Jira-discussions/Java-11-and-OpenJDK-support-for-Atlassian-Server-amp-Data-Center/m-p/872998#M4575

On 2018/07/31 06:35:46, Jacques Le Roux wrote:

Hi Michael, How (by which means) do you envision to "actively inform users about our roadmap", blog, wiki or embedded documentation? It seems the blog is not reaching all our users (needs attention). Maybe an initial statement could be used there though. The wiki is slowly deprecating in favour of the embedded documentation. So I guess we will use the embedded documentation for lasting information, right? BTW All, I want to close OFBIZ-9226 "Check that OFBiz runs and compile with Oracle JDK 9 (Java 9)" as unresolved and create a new similar issue for Java 11, what do you think?

Jacques

On 28/07/2018 at 13:29, Michael Brohl wrote:

Hi Mathieu, my goal is to actively inform users about our roadmap and provide information on how the project will deal with the new Java release model. Users testing OFBiz for their needs in a professional environment also check if a project has answers to these questions so I am wrapping my mind around it. This is just to make clear that I am not eager to switch to newer Java versions just for the sake of it.

On 28.07.18 at 12:54, Mathieu Lirzin wrote:

I wonder if we should base the OFBiz 17.12 release on Java 8 or Java 11. We have no fixed release date yet so we might have time to do it. Another way would be to make a new branch which will support Java 11. What do people think? I think OFBiz should be conservative in its choices. I agree! Given the fact Java 11 is not released yet or is about to be released, Java 11 will be released as GA in Sept 18. At the same time, non-subscribed users will get no updates for Java 8 any more. OFBiz should keep compatibility with the previous LTS release meaning java 8. Of course Yes, you are right. If you focus on subscribed users, they will get Java 8 support until September 2023 (2026 for extended subscription). So following my thoughts to assume that users will subscribe, we can stay with Java 8 for a while. On the other hand, if we test Java 11 and find that we will have few issues we can easily handle, it could be a good idea to make the switch with release 17.12. I am open to both (or other) models and would like to hear more opinions about that. This does not mean that OFBiz should not be tested with more recent Java releases too. Having an extra branch has a maintenance burden that should be balanced with the benefits it provides. What benefits do you see in having a Java 11 branch? This is just an alternative to the Java 11 update of the next branch. I do not favor this because of the extra maintenance burden you mentioned. In conclusion, we can stick to Java 8, informing our users that they have to subscribe for further updates. If we do this, we should think about a roadmap/ process to change to Java 11 in the future. This could be, for example, set up during the release branch 21.x or 22.x to give us enough
Re: svn commit: r1853691 - in /ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util: ObjectInputStream.java SafeObjectInputStream.java UtilObject.java
Hi, There is a problem with this commit, I'm working on it...

Jacques

On 16/02/2019 at 10:42, jler...@apache.org wrote:

Author: jleroux
Date: Sat Feb 16 09:42:03 2019
New Revision: 1853691
URL: http://svn.apache.org/viewvc?rev=1853691&view=rev
Log: Improved: Improve ObjectInputStream class (OFBIZ-10837) As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name as the extended Object
[1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false
[2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html
Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (with props)
Removed: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/ObjectInputStream.java
Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilObject.java
Added: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java?rev=1853691&view=auto == --- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java (added) +++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputStream.java Sat Feb 16 09:42:03 2019 
@@ -0,0 +1,86 @@ +/*** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.base.util; + +import java.io.IOException; +import java.io.InputStream; +import java.io.ObjectStreamClass; +import java.lang.reflect.Proxy; +import java.util.List; +import java.util.regex.Pattern; + +/** + * ObjectInputStream + * + */ +public class SafeObjectInputStream extends java.io.ObjectInputStream implements AutoCloseable { + +private ClassLoader classloader; +private Pattern WHITELIST_PATTERN = null; + +public SafeObjectInputStream(InputStream in, ClassLoader loader) throws IOException { +super(in); +this.classloader = loader; +} + +public SafeObjectInputStream(InputStream in, ClassLoader loader, List whitelist) throws IOException { +super(in); +this.classloader = loader; +StringBuilder bld = new StringBuilder("("); +for (int i = 0; i < whitelist.size(); i++) { +bld.append(whitelist.get(i)); +if (i != whitelist.size() - 1) { +bld.append("|"); +} +} +bld.append(")"); +WHITELIST_PATTERN = Pattern.compile(bld.toString()); +} + + +/** + * @see java.io.ObjectInputStream#resolveClass(java.io.ObjectStreamClass) + */ +@Override +protected Class resolveClass(ObjectStreamClass classDesc) throws IOException, 
ClassNotFoundException { +if (!WHITELIST_PATTERN.matcher(classDesc.getName()).find()) { +throw new ClassCastException("Incompatible class: " + classDesc.getName()); +} + +return ObjectType.loadClass(classDesc.getName(), classloader); +} + +/** + * @see java.io.ObjectInputStream#resolveProxyClass(java.lang.String[]) + */ +@Override +protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException { +Class[] cinterfaces = new Class[interfaces.length]; +for (int i = 0; i < interfaces.length; i++) { +cinterfaces[i] = classloader.loadClass(interfaces[i]); +} + +try { +return Proxy.getProxyClass(classloader, cinterfaces); +} catch (IllegalArgumentException e) { +throw new ClassNotFoundException(null, e); +} + +} +} Propchange: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/SafeObjectInputS
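Review bot: The whitelist check in resolveClass uses find() on a pattern built by joining the raw list entries with "|", so a class is accepted when an entry matches anywhere inside its name, and every "." in an entry matches any character; for a deserialization filter that accepts more than the list appears to allow. Suggest matches() against entries passed through Pattern.quote, or an exact lookup in a Set of class names, with any intended package prefixes written out explicitly. In the same hunk, resolveProxyClass loads each interface through classloader.loadClass(interfaces[i]) without consulting the whitelist at all, and a rejected class is reported with ClassCastException where java.io.InvalidClassException would stay within the declared IOException.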