6.8 : java.lang.SecurityException prevents Tomcat startup

Hello,

after update to cuba platform 6.8 we got following exception while starting tomcat:

2018-02-02 10:58:52.962 ERROR [localhost-startStop-1] com.haulmont.bpm.core.BpmAppContextListener - Exception on registering custom stencils
org.springframework.transaction.CannotCreateTransactionException: Could not open JPA EntityManager for transaction; nested exception is javax.persistence.PersistenceException: java.lang.SecurityException: class "org.eclipse.persistence.descriptors.ClassDescriptor$DeletePredicate"'s signer information does not match signer information of other classes in the same package
	at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:431) ~[spring-orm-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	at org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:373) ~[spring-tx-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	at com.haulmont.cuba.core.sys.TransactionImpl.<init>(TransactionImpl.java:57) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.PersistenceImpl.getTransaction(PersistenceImpl.java:134) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.bpm.core.StencilSetManagerBean.findCustomStencilSetByName(StencilSetManagerBean.java:129) ~[bpm-core-6.8.0.jar:6.8.0]
	at com.haulmont.bpm.core.StencilSetManagerBean.getStencilSet(StencilSetManagerBean.java:81) ~[bpm-core-6.8.0.jar:6.8.0]
	at com.haulmont.bpm.core.StencilSetManagerBean.getStencilSet(StencilSetManagerBean.java:76) ~[bpm-core-6.8.0.jar:6.8.0]
	at com.haulmont.bpm.core.BpmAppContextListener.registerCustomStencils(BpmAppContextListener.java:59) ~[bpm-core-6.8.0.jar:6.8.0]
	at com.haulmont.bpm.core.BpmAppContextListener.applicationStarted(BpmAppContextListener.java:43) ~[bpm-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.AppContext.startContext(AppContext.java:239) [cuba-global-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.AppContext$Internals.startContext(AppContext.java:302) [cuba-global-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.AbstractWebAppContextLoader.contextInitialized(AbstractWebAppContextLoader.java:83) [cuba-global-6.8.0.jar:6.8.0]
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4745) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5207) [catalina.jar:8.5.23]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734) [catalina.jar:8.5.23]
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1144) [catalina.jar:8.5.23]
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1878) [catalina.jar:8.5.23]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_144]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_144]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_144]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_144]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_144]
Caused by: javax.persistence.PersistenceException: java.lang.SecurityException: class "org.eclipse.persistence.descriptors.ClassDescriptor$DeletePredicate"'s signer information does not match signer information of other classes in the same package
	at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:815) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryDelegate.getAbstractSession(EntityManagerFactoryDelegate.java:205) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryDelegate.createEntityManagerImpl(EntityManagerFactoryDelegate.java:305) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryImpl.createEntityManagerImpl(EntityManagerFactoryImpl.java:337) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:303) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.springframework.orm.jpa.JpaTransactionManager.createEntityManagerForTransaction(JpaTransactionManager.java:449) ~[spring-orm-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:369) ~[spring-orm-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	... 24 common frames omitted
Caused by: java.lang.SecurityException: class "org.eclipse.persistence.descriptors.ClassDescriptor$DeletePredicate"'s signer information does not match signer information of other classes in the same package
	at java.lang.ClassLoader.checkCerts(ClassLoader.java:898) ~[na:1.8.0_144]
	at java.lang.ClassLoader.preDefineClass(ClassLoader.java:668) ~[na:1.8.0_144]
	at java.lang.ClassLoader.defineClass(ClassLoader.java:761) ~[na:1.8.0_144]
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) ~[na:1.8.0_144]
	at java.net.URLClassLoader.defineClass(URLClassLoader.java:467) ~[na:1.8.0_144]
	at java.net.URLClassLoader.access$100(URLClassLoader.java:73) ~[na:1.8.0_144]
	at java.net.URLClassLoader$1.run(URLClassLoader.java:368) ~[na:1.8.0_144]
	at java.net.URLClassLoader$1.run(URLClassLoader.java:362) ~[na:1.8.0_144]
	at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_144]
	at java.net.URLClassLoader.findClass(URLClassLoader.java:361) ~[na:1.8.0_144]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[na:1.8.0_144]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[na:1.8.0_144]
	at java.lang.Class.forName0(Native Method) ~[na:1.8.0_144]
	at java.lang.Class.forName(Class.java:348) ~[na:1.8.0_144]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1277) ~[catalina.jar:8.5.23]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119) ~[catalina.jar:8.5.23]
	at com.haulmont.cuba.core.sys.persistence.EclipseLinkSessionEventListener.preLogin(EclipseLinkSessionEventListener.java:93) ~[cuba-core-6.8.0.jar:6.8.0]
	at org.eclipse.persistence.sessions.SessionEventManager.preLogin(SessionEventManager.java:620) ~[org.eclipse.persistence.core-2.6.2.jar:na]
	at org.eclipse.persistence.internal.sessions.DatabaseSessionImpl.preConnectDatasource(DatabaseSessionImpl.java:797) ~[org.eclipse.persistence.core-2.6.2.jar:na]
	at org.eclipse.persistence.internal.sessions.DatabaseSessionImpl.login(DatabaseSessionImpl.java:773) ~[org.eclipse.persistence.core-2.6.2.jar:na]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryProvider.login(EntityManagerFactoryProvider.java:267) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:731) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	... 30 common frames omitted
2018-02-02 10:58:52.962 DEBUG [localhost-startStop-1] com.haulmont.cuba.security.auth.AnonymousSessionHolder - Initialize anonymous session
2018-02-02 10:58:52.967 ERROR [localhost-startStop-1/app-core/server] eclipselink.ejb - 
2018-02-02 10:58:52.973 ERROR [localhost-startStop-1] com.haulmont.cuba.core.sys.AbstractWebAppContextLoader - Error initializing application
org.springframework.transaction.CannotCreateTransactionException: Could not open JPA EntityManager for transaction; nested exception is javax.persistence.PersistenceException: java.lang.SecurityException: class "org.eclipse.persistence.descriptors.ClassDescriptor$DeletePredicate"'s signer information does not match signer information of other classes in the same package
	at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:431) ~[spring-orm-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	at org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:373) ~[spring-tx-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	at com.haulmont.cuba.core.sys.TransactionImpl.<init>(TransactionImpl.java:57) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.PersistenceImpl.getTransaction(PersistenceImpl.java:134) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.security.auth.AuthenticationManagerBean.login(AuthenticationManagerBean.java:115) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.security.auth.AnonymousSessionHolder.loginAnonymous(AnonymousSessionHolder.java:75) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.security.auth.AnonymousSessionHolder.initializeAnonymousSession(AnonymousSessionHolder.java:66) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.security.auth.AnonymousSessionHolder.applicationStarted(AnonymousSessionHolder.java:45) ~[cuba-core-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.AppContext.startContext(AppContext.java:239) ~[cuba-global-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.AppContext$Internals.startContext(AppContext.java:302) ~[cuba-global-6.8.0.jar:6.8.0]
	at com.haulmont.cuba.core.sys.AbstractWebAppContextLoader.contextInitialized(AbstractWebAppContextLoader.java:83) ~[cuba-global-6.8.0.jar:6.8.0]
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4745) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5207) [catalina.jar:8.5.23]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752) [catalina.jar:8.5.23]
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728) [catalina.jar:8.5.23]
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734) [catalina.jar:8.5.23]
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1144) [catalina.jar:8.5.23]
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1878) [catalina.jar:8.5.23]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_144]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_144]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_144]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_144]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_144]
Caused by: javax.persistence.PersistenceException: java.lang.SecurityException: class "org.eclipse.persistence.descriptors.ClassDescriptor$DeletePredicate"'s signer information does not match signer information of other classes in the same package
	at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:815) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryDelegate.getAbstractSession(EntityManagerFactoryDelegate.java:205) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryDelegate.createEntityManagerImpl(EntityManagerFactoryDelegate.java:305) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryImpl.createEntityManagerImpl(EntityManagerFactoryImpl.java:337) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:303) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.springframework.orm.jpa.JpaTransactionManager.createEntityManagerForTransaction(JpaTransactionManager.java:449) ~[spring-orm-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	at org.springframework.orm.jpa.JpaTransactionManager.doBegin(JpaTransactionManager.java:369) ~[spring-orm-4.3.12.RELEASE.jar:4.3.12.RELEASE]
	... 23 common frames omitted
Caused by: java.lang.SecurityException: class "org.eclipse.persistence.descriptors.ClassDescriptor$DeletePredicate"'s signer information does not match signer information of other classes in the same package
	at java.lang.ClassLoader.checkCerts(ClassLoader.java:898) ~[na:1.8.0_144]
	at java.lang.ClassLoader.preDefineClass(ClassLoader.java:668) ~[na:1.8.0_144]
	at java.lang.ClassLoader.defineClass(ClassLoader.java:761) ~[na:1.8.0_144]
	at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142) ~[na:1.8.0_144]
	at java.net.URLClassLoader.defineClass(URLClassLoader.java:467) ~[na:1.8.0_144]
	at java.net.URLClassLoader.access$100(URLClassLoader.java:73) ~[na:1.8.0_144]
	at java.net.URLClassLoader$1.run(URLClassLoader.java:368) ~[na:1.8.0_144]
	at java.net.URLClassLoader$1.run(URLClassLoader.java:362) ~[na:1.8.0_144]
	at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_144]
	at java.net.URLClassLoader.findClass(URLClassLoader.java:361) ~[na:1.8.0_144]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[na:1.8.0_144]
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[na:1.8.0_144]
	at java.lang.Class.forName0(Native Method) ~[na:1.8.0_144]
	at java.lang.Class.forName(Class.java:348) ~[na:1.8.0_144]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1277) ~[catalina.jar:8.5.23]
	at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119) ~[catalina.jar:8.5.23]
	at com.haulmont.cuba.core.sys.persistence.EclipseLinkSessionEventListener.preLogin(EclipseLinkSessionEventListener.java:93) ~[cuba-core-6.8.0.jar:6.8.0]
	at org.eclipse.persistence.sessions.SessionEventManager.preLogin(SessionEventManager.java:620) ~[org.eclipse.persistence.core-2.6.2.jar:na]
	at org.eclipse.persistence.internal.sessions.DatabaseSessionImpl.preConnectDatasource(DatabaseSessionImpl.java:797) ~[org.eclipse.persistence.core-2.6.2.jar:na]
	at org.eclipse.persistence.internal.sessions.DatabaseSessionImpl.login(DatabaseSessionImpl.java:773) ~[org.eclipse.persistence.core-2.6.2.jar:na]
	at org.eclipse.persistence.internal.jpa.EntityManagerFactoryProvider.login(EntityManagerFactoryProvider.java:267) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:731) ~[eclipselink-2.6.2.cuba22.jar:2.6.2.cuba22]
	... 29 common frames omitted
2018-02-02 10:58:52.975 INFO  [localhost-startStop-1] com.haulmont.cuba.core.sys.CubaCoreApplicationContext - Closing com.haulmont.cuba.core.sys.CubaCoreApplicationContext@3081edc1: startup date [Fri Feb 02 10:58:28 CET 2018]; root of context hierarchy
2018-02-02 10:58:52.981 INFO  [localhost-startStop-1] com.haulmont.cuba.core.sys.CubaThreadPoolTaskScheduler - Shutting down ExecutorService 'scheduler'

Any ideas how to fix it?

Hi,

Could you print file names from deploy/tomcat/shared/lib directory and attach the list here?

Thanks,
Andrey

Hello Andrey,

Thx for your quick response, I found in the meantime the reason, there are two versions of the class ClassDescriptor

image

this happens due to our project’s dependencies which include

org.eclipse.persistence/org.eclipse.persistence.nosql=2.6.2

for the usage of a MongoDB which is dependent on

org.springframework.data/spring-data-mongodb=2.0.2.RELEASE

or

org.springframework.data/spring-data-mongodb=1.10.8.RELEASE

For which reason was eclipselink patched?

Is there a way to solve this issue?

By usage of the japi-compliance-checker I found in the compat_report.html.zip (501,7 KB)
following differences:

image

image

Mike,

EclipseLink has some fixes for soft deletion and correct attribute fetching. The fixes are located in the repository: https://github.com/cuba-platform/eclipselink

You could try to exclude org.eclipse.persistence.core artifact from your dependencies:

compile("org.eclipse.persistence:org.eclipse.persistence.nosql:2.6.2") {
   exclude(group: 'org.eclipse.persistence', module: 'org.eclipse.persistence.core')
   exclude(group: 'org.eclipse.persistence', module: 'org.eclipse.persistence.jpa.jpql')
   exclude(group: 'org.eclipse.persistence', module: 'org.eclipse.persistence.antlr')
   exclude(group: 'org.eclipse.persistence', module: 'org.eclipse.persistence.asm')
}

All excluded dependencies are packed in our eclipselink.jar.

We plan to use same jar names and same MVN group and artifact ids for our EclipseLink version. That should take care of dependency resolution.

Thanks,
Andrey

2 Likes

Hello Andrey,

thanks a lot for your help, I overlooked the obvious, of course, you can exclude libraries in Gradle, see gradle’s dependency management

Thanks for the GitHub reference for the changes to eclipselink.

As you already mentioned please change the libraries according to the eclipselink artifacts

1 Like

Mike,

We have created YouTrack issue: https://youtrack.cuba-platform.com/issue/PL-10337

Thanks