Spring 5.1.7 application with enabled SecurityManager on Java 11 won't start #23261

Closed as not planned
@horca

When using the Spring 5.1.7 application with enabled Java SecurityManager on Java 11, the application won't start - on Java 8 everything works.

The problem is how class ZipFile changed from 8 to 11. When loading a class resource from a jar file and using a security manager, the JDK checks the jar LOC header.

static JarFile checkJar(JarFile jar) throws IOException {
    if (System.getSecurityManager() != null &&
        !DISABLE_JAR_CHECKING &&
        !zipAccess.startsWithLocHeader(jar) // <------
       ) {
        IOException x = new IOException("Invalid Jar file");
        try {
            jar.close();
        ....

On Java 8 this information is stored as a boolean field directly on the ZipFile class, but on 11 this field has moved to the inner static class Source of another inner static class CleanableResource.

// Java 8
// https://github.com/bpupadhyaya/openjdk-8/blob/master/jdk/src/share/classes/java/util/zip/ZipFile.java
public
class ZipFile implements ZipConstants, Closeable {
    ...
    private final boolean locsig; // <--------
    ...
}
// Java 11
// https://github.com/openjdk/jdk/blob/master/src/java.base/share/classes/java/util/zip/ZipFile.java
public class ZipFile implements ZipConstants, Closeable {
    private final String name;     // zip file name
    ...
    private final @Stable CleanableResource res; // <--------
    ...
    private static class CleanableResource implements Runnable {
        final Set<InputStream> istreams;
        ...
        Source zsrc; // <-------
        ...
        private static class Source {
            private final Key key;               // the key in files
            ...
            private final boolean startsWithLoc; // <--------
            ...
        }
    }
}

Now for some reason, when Spring looks for a jar resource via class PathMatchingResourcePatternResolver and method doFindPathMatchingJarResources, it closes that jar in a finally block, which dereferences the zsrc (Source) field on CleanableResource - https://github.com/openjdk/jdk/blob/3c214ff134e5b8b922eaf695a2a113c829ef74a1/src/java.base/share/classes/java/util/zip/ZipFile.java#L800

Afterwards, when the JDK is checking for the LOC header during class resource loading, the NPE is thrown, the class is not loaded and the whole application crashes.

I'm not really sure if this is even a Spring bug, but I would like to hear the opinion of a Spring developer.
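
An added example (not code from the issue, Spring or the JDK) of the general hazard the report describes: one holder closing a JarFile that another holder still uses. It assumes the handle is shared through the JarURLConnection cache, which the issue does not state; the class name SharedJarCloseDemo and the constructed jar with its sample.txt entry are hypothetical.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.JarURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;

// Hypothetical demo class; the jar and its single entry are constructed sample data.
public class SharedJarCloseDemo {

    // Opens the jar through the jar: URL handler, the way a resource scanner might.
    static JarFile open(URL jarUrl, boolean useCaches) throws IOException {
        JarURLConnection con = (JarURLConnection) jarUrl.openConnection();
        con.setUseCaches(useCaches);
        return con.getJarFile();
    }

    // True if a second holder can still read the jar after the first holder closed its handle.
    static boolean survivesClose(URL jarUrl, boolean useCaches) throws IOException {
        JarFile scanner = open(jarUrl, useCaches);   // short-lived holder, e.g. a resource scanner
        JarFile loader = open(jarUrl, useCaches);    // long-lived holder, e.g. a class loader
        System.out.println("useCaches=" + useCaches + " same instance: " + (scanner == loader));
        scanner.close();
        try {
            return loader.getEntry("sample.txt") != null;
        } catch (IllegalStateException closed) {     // thrown when the shared handle is already closed
            return false;
        } finally {
            loader.close();
        }
    }

    public static void main(String[] args) throws IOException {
        Path jar = Files.createTempFile("demo", ".jar");
        try (OutputStream out = Files.newOutputStream(jar);
             JarOutputStream jos = new JarOutputStream(out)) {
            jos.putNextEntry(new JarEntry("sample.txt"));
            jos.write("constructed sample".getBytes());
            jos.closeEntry();
        }
        URL jarUrl = new URL("jar:" + jar.toUri() + "!/");
        System.out.println("cached handle usable after close:   " + survivesClose(jarUrl, true));
        System.out.println("uncached handle usable after close: " + survivesClose(jarUrl, false));
        Files.deleteIfExists(jar);
    }
}
```

Code that obtains a JarFile from a caching JarURLConnection does not own it, so it should close the handle only when the connection reports getUseCaches() as false.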

Labels: in: core (Issues in core modules (aop, beans, core, context, expression)); status: declined (A suggestion or change that we don't feel we should currently apply)