[jboss-dev] JBoss-5.0 GA and JBoss-5.0.1 GA incompatible?
Anil Saldhana
Anil.Saldhana at redhat.com
Tue Feb 10 15:55:54 EST 2009
Dimitris, I do not think there is an easy fix for this unless we can
replace the security libraries in JBAS5.0.GA. I suggest that we
retain the current suid fix that we did for 5.0.1.GA which matches the
suid for 4.x.
Maybe we can have a wiki page with instructions to replace jbosssx.jar
and jbosssx-client.jar in 5.0.0.GA if someone encounters the
serialization incompatibility.
Anil Saldhana wrote:
> The compatibility tests we ran before AS5.0.GA release should have
> caught this. It did not.
> One way to fix this is:
> If the loading platform is non-JBAS 5.x, then use the longer suid.
> If the loading platform is JBAS5.x, then suid = 1L. This way versions
> 5.xGA onwards will be fine.
>
> Dimitris Andreadis wrote:
>> Well Jaikiran really means that changing the serialVersionUID for
>> SimplePrincipal breaks serialization compatibility with AS 5.0.1.GA
>> https://jira.jboss.org/jira/browse/SECURITY-341
>>
>> But I understand what is fixed here is having serialVersionUID
>> compatibility with older 4.2.x releases. The only way to have both is
>> using special flags to switch IDs at load time, there is no other way.
>>
>> Obviously the mistake was that serialVersionUID for SimplePrincipal
>> changed in AS 5.0 but I'm curious how we didn't catch this in the
>> SerialVersionUIDUnitTestCase.
>>
>> It turns out we didn't check for libs in JBOSS_HOME/lib and
>> JBOSS_HOME/server/all, so when JBOSS_HOME/common/lib was added we've
>> missed the libs in there.
>>
>> Also, shouldn't errors of this type show in some of the compatibility
>> matrix tests?
>>
>> Anil Saldhana wrote:
>>> https://jira.jboss.org/jira/browse/JBAS-6410 is fixed in
>>> Branch_5_0. That is where this was done.
>>>
>>> I still have jira issues open for 5.1 and trunk.
>>>
>>> Jaikiran Pai wrote:
>>>> While working on an unrelated issue, I noticed that the
>>>> serialVersionUID of org.jboss.security.SimplePrincipal (in
>>>> jbosssx.jar) has changed between JBossAS5.0 GA and the current 5.0
>>>> branch. The 5.0 branch uses 2.0.2.SP6 version of jbosssx.jar
>>>> whereas JBossAS5.0 GA uses 2.0.2.SP3. Between these versions, the
>>>> serialVersionUID of the SimplePrincipal class has changed from
>>>>
>>>> private static final long serialVersionUID = 1L; // In 2.0.2.SP3
>>>>
>>>> to
>>>>
>>>> private static final long serialVersionUID = 7701951188631723261L; // In 2.0.2.SP6
>>>>
>>>> As a result JBossAS-5.0 GA clients (ex: servlets on JBossAS-5.0 GA)
>>>> fail against JBossAS-5.0.1.GA server (current 5.0 branch) when
>>>> doing the following:
>>>>
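>>>> import java.util.Properties;
>>>> import javax.naming.Context;
>>>> import javax.naming.InitialContext;
>>>> import org.jboss.security.client.SecurityClient;
>>>> import org.jboss.security.client.SecurityClientFactory;
>>>>
>>>> // pseudo code - do login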
>>>> SecurityClient securityClient =
>>>> SecurityClientFactory.getSecurityClient();
>>>> securityClient.setSimple("jai", "pass");
>>>> securityClient.login();
>>>>
>>>> // lookup bean hosted on 5.0.1 GA
>>>> Properties props = new Properties();
>>>> props.put(Context.INITIAL_CONTEXT_FACTORY,
>>>> "org.jnp.interfaces.NamingContextFactory");
>>>> props.put(Context.PROVIDER_URL,"jnp://localhost:1199");
>>>> Context ctx = new InitialContext(props);
>>>>
>>>> MySecureBean bean = (MySecureBean) ctx.lookup("MySecureBean");
>>>> System.out.println("Got bean");
>>>> bean.doSomethingSecure("jai", 2);
>>>>
>>>>
>>>> 12:33:51,261 ERROR [STDERR] Caused by:
>>>> java.io.InvalidClassException: org.jboss.security.SimplePrincipal;
>>>> local class incompatible: stream classdesc serialVersionUID = 1,
>>>> local class serialVersionUID = 7701951188631723261
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectStreamClass.initNonProxy(ObjectStreamClass.java:546)
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1552)
>>>>
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1466)
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1699)
>>>>
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1305)
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:1908)
>>>>
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1832)
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1719)
>>>>
>>>> 12:33:51,261 ERROR [STDERR] at
>>>> java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1305)
>>>>
>>>> ... // trimmed most of the irrelevant logs
>>>> 12:33:51,264 ERROR [STDERR] at
>>>> org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase.invoke(ProxyInvocationHandlerBase.java:261)
>>>>
>>>> 12:33:51,264 ERROR [STDERR] at
>>>> org.jboss.ejb3.proxy.handler.session.SessionSpecProxyInvocationHandlerBase.invoke(SessionSpecProxyInvocationHandlerBase.java:101)
>>>>
>>>> 12:33:51,264 ERROR [STDERR] at $Proxy95.doSomething(Unknown
>>>> Source)
>>>> 12:33:51,264 ERROR [STDERR] at
>>>> org.myapp.servlet.SimpleServlet.doPost(SimpleServlet.java:40)
>>>>
>>>> The other way (5.0.1 GA clients against 5.0 GA server) fails too.
>>>> From SVN logs, it appears that the serialVersionUID change was
>>>> meant for compatibility with external tools like JBoss Tools. Any
>>>> way to make 5.0.1.GA and 5.0 GA compatible?
>>>>
>>>> On a related note, in the component-matrix for Branch_5_x I see
>>>> that the jbosssx package is still at 2.0.2.SP3:
>>>>
>>>> <version.org.jboss.security>2.0.2.SP3</version.org.jboss.security>
>>>>
>>>> It's only upgraded to 2.0.2.SP6 in 5.0 branch.
>>>>
>>>> regards,
>>>> -Jaikiran
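
The following is an added example, not code from this thread or from JBoss: it reproduces the `InvalidClassException` quoted above and shows the "switch IDs at load time" idea with a flag. The class `Principal` is a constructed stand-in for `SimplePrincipal` and the system property `demo.legacySuid` is hypothetical; the two suid values are the ones quoted in the thread.

```java
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class SuidSwitchDemo {
    static final long SP3_SUID = 1L;                    // 2.0.2.SP3, per the thread
    static final long SP6_SUID = 7701951188631723261L;  // 2.0.2.SP6, per the thread

    // Constructed stand-in for SimplePrincipal; the property name is hypothetical.
    // ObjectStreamClass reads this field reflectively, so it can be chosen at class load.
    static class Principal implements Serializable {
        private static final long serialVersionUID =
                Boolean.getBoolean("demo.legacySuid") ? SP6_SUID : SP3_SUID;
        final String name;
        Principal(String name) { this.name = name; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Simulates a peer built with the other jar by rewriting the 8-byte suid that
    // follows the class name in the first class descriptor. Layout before it:
    // magic+version (4), TC_OBJECT (1), TC_CLASSDESC (1), name length (2), name.
    static byte[] withSuid(byte[] stream, String className, long suid) {
        byte[] out = stream.clone();
        int off = 8 + className.getBytes(StandardCharsets.UTF_8).length;
        ByteBuffer.wrap(out).putLong(off, suid);
        return out;
    }

    static String tryRead(byte[] stream) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stream))) {
            return "accepted: " + ((Principal) in.readObject()).name;
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        long local = ObjectStreamClass.lookup(Principal.class).getSerialVersionUID();
        long other = (local == SP3_SUID) ? SP6_SUID : SP3_SUID;
        byte[] fromSameBuild = serialize(new Principal("jai"));
        byte[] fromOtherBuild = withSuid(fromSameBuild, Principal.class.getName(), other);
        System.out.println("local suid " + local + ", same build:  " + tryRead(fromSameBuild));
        System.out.println("local suid " + local + ", other build: " + tryRead(fromOtherBuild));
    }
}
```

Running it with `-Ddemo.legacySuid=true` flips the local suid, so whichever value the peer does not share is rejected with the same "local class incompatible" message as in the log above.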