Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack #38833

Closed
lburja opened this issue Dec 15, 2023 · 1 comment
Assignees
Labels
type: regression A regression from a previous release
Milestone

Comments

@lburja
Copy link

lburja commented Dec 15, 2023

Bug report

After upgrading to Spring Boot 3.2, my application stops working, until I add the <loaderImplementation>CLASSIC</loaderImplementation> configuration to the repackage Maven goal.

The particularity of my application, is that one of the jars is a security library which is signed (the library recuperates the signature via Class::getSigners() to verify it when initializing). In previous versions of Spring Boot, requiresUnpack used to do the trick:

<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <configuration>
        <requiresUnpack>
            <dependency>
                <groupId>eu.europa.ec.digit.iam.eulogin.client</groupId>
                <artifactId>eulogin-tomcat-10.0</artifactId>
            </dependency>
        </requiresUnpack>
    </configuration>
    ...
</plugin>

Now, the application only works by reverting to the CLASSIC loader implementation.

By debugging the application, I see the following differences between the two cases:

In the CLASSIC loader, the library is loaded via LaunchedURLClassLoader using the scheme file:/...
image

and the signers are correctly returned:
image

In the new loader, the library is loaded via LaunchedClassLoader using the scheme jar:file:/...
image

and the signers are lost:
image

It would be desirable that the getSigners() info of signed jars is preserved by the loader, when using the repackage Maven goal.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 15, 2023
@philwebb philwebb changed the title getSigners() info is lost for signed jars when using the new loader implementation getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack Dec 15, 2023
@philwebb philwebb added type: regression A regression from a previous release and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 15, 2023
@philwebb philwebb added this to the 3.2.x milestone Dec 15, 2023
@philwebb philwebb self-assigned this Dec 17, 2023
@philwebb
Copy link
Member

Thanks for the analysis @lburja. Hopefully fixed for the next release.

@philwebb philwebb modified the milestones: 3.2.x, 3.2.1 Dec 17, 2023
ndwnu pushed a commit to ndwnu/nls-routing-map-matcher that referenced this issue Apr 10, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [org.apache.maven.plugins:maven-surefire-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` |
| [org.apache.maven.plugins:maven-failsafe-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` |
| [org.springframework.boot:spring-boot-starter-parent](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | parent | patch | `3.2.0` -> `3.2.1` |

---

### Release Notes

<details>
<summary>spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)</summary>

### [`v3.2.1`](https://github.com/spring-projects/spring-boot/releases/tag/v3.2.1)

[Compare Source](spring-projects/spring-boot@v3.2.0...v3.2.1)

#### 🐞 Bug Fixes

-   HibernateJpaAutoConfiguration should be applied before DataSourceTransactionManagerAutoConfiguration [#&#8203;38880](spring-projects/spring-boot#38880)
-   META-INF entries are duplicated under BOOT-INF/classes causing "Conflicting persistence unit definitions" error [#&#8203;38862](spring-projects/spring-boot#38862)
-   logging.include-application-name has no effect when using log4j2 [#&#8203;38847](spring-projects/spring-boot#38847)
-   Pulsar authentication param properties cause IllegalStateException with Pulsar Client 3.1.0  [#&#8203;38839](spring-projects/spring-boot#38839)
-   Child context created with SpringApplicationBuilder runs parents runners [#&#8203;38837](spring-projects/spring-boot#38837)
-   getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack [#&#8203;38833](spring-projects/spring-boot#38833)
-   TestContainers parallel initialization doesn't work properly  [#&#8203;38831](spring-projects/spring-boot#38831)
-   Zip file closed exceptions can be thrown due to StaticResourceJars closing jars from cached connections [#&#8203;38770](spring-projects/spring-boot#38770)
-   Multi-byte filenames in zip files can cause an endless loop in ZipString.hash [#&#8203;38751](spring-projects/spring-boot#38751)
-   Gradle task "bootJar" fails with "Failed to get permissions" when using Gradle 8.6-milestone-1 [#&#8203;38741](spring-projects/spring-boot#38741)
-   Custom binding converters are ignored when working with collection types [#&#8203;38734](spring-projects/spring-boot#38734)
-   WebFlux and resource server auto-configuration may fail due to null authentication manager [#&#8203;38713](spring-projects/spring-boot#38713)
-   It is unclear that Docker Compose services have not been started as one or more is already run...
ndwlocatieservices added a commit to ndwnu/nls-routing-map-matcher that referenced this issue Apr 16, 2024
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [org.apache.maven.plugins:maven-surefire-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` |
| [org.apache.maven.plugins:maven-failsafe-plugin](https://maven.apache.org/surefire/) | build | patch | `3.2.2` -> `3.2.5` |
| [org.springframework.boot:spring-boot-starter-parent](https://spring.io/projects/spring-boot) ([source](https://github.com/spring-projects/spring-boot)) | parent | patch | `3.2.0` -> `3.2.1` |

---

### Release Notes

<details>
<summary>spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-parent)</summary>

### [`v3.2.1`](https://github.com/spring-projects/spring-boot/releases/tag/v3.2.1)

[Compare Source](spring-projects/spring-boot@v3.2.0...v3.2.1)

#### 🐞 Bug Fixes

-   HibernateJpaAutoConfiguration should be applied before DataSourceTransactionManagerAutoConfiguration [#&#8203;38880](spring-projects/spring-boot#38880)
-   META-INF entries are duplicated under BOOT-INF/classes causing "Conflicting persistence unit definitions" error [#&#8203;38862](spring-projects/spring-boot#38862)
-   logging.include-application-name has no effect when using log4j2 [#&#8203;38847](spring-projects/spring-boot#38847)
-   Pulsar authentication param properties cause IllegalStateException with Pulsar Client 3.1.0  [#&#8203;38839](spring-projects/spring-boot#38839)
-   Child context created with SpringApplicationBuilder runs parents runners [#&#8203;38837](spring-projects/spring-boot#38837)
-   getSigners() info is lost for signed jars when using the new loader implementation with requiresUnpack [#&#8203;38833](spring-projects/spring-boot#38833)
-   TestContainers parallel initialization doesn't work properly  [#&#8203;38831](spring-projects/spring-boot#38831)
-   Zip file closed exceptions can be thrown due to StaticResourceJars closing jars from cached connections [#&#8203;38770](spring-projects/spring-boot#38770)
-   Multi-byte filenames in zip files can cause an endless loop in ZipString.hash [#&#8203;38751](spring-projects/spring-boot#38751)
-   Gradle task "bootJar" fails with "Failed to get permissions" when using Gradle 8.6-milestone-1 [#&#8203;38741](spring-projects/spring-boot#38741)
-   Custom binding converters are ignored when working with collection types [#&#8203;38734](spring-projects/spring-boot#38734)
-   WebFlux and resource server auto-configuration may fail due to null authentication manager [#&#8203;38713](spring-projects/spring-boot#38713)
-   It is unclear that Docker Compose services have not been started as one or more is already run...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type: regression A regression from a previous release
Projects
None yet
Development

No branches or pull requests

3 participants