[jboss-jira] [JBoss JIRA] Commented: (JBVFS-176) CertificateReaderInputStream can result in eager loading of certificate information, causing SecurityException

Kevin Conner (JIRA) jira-events at lists.jboss.org
Tue Aug 9 11:42:26 EDT 2011


    [ https://issues.jboss.org/browse/JBVFS-176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12619720#comment-12619720 ] 

Kevin Conner commented on JBVFS-176:
------------------------------------

Just installed the fixed jar into a version of SOA and am no longer seeing the SecurityException.

> CertificateReaderInputStream can result in eager loading of certificate information, causing SecurityException
> --------------------------------------------------------------------------------------------------------------
>
>                 Key: JBVFS-176
>                 URL: https://issues.jboss.org/browse/JBVFS-176
>             Project: JBoss VFS
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Release
>    Affects Versions:  2.2.0.GA
>            Reporter: Kevin Conner
>            Assignee: Ales Justin
>            Priority: Critical
>         Attachments: JBVFS-176.diff
>
>
> The version in question is 2.2.0.SP1
> CertificateReaderInputStream can cause the certificate information within EntryInfo to be initialised before the JarVerifier has had the opportunity to initialise the certificates associated with its JarEntry, resulting in this information being ignored.  This is a particular problem if the entry represents a class file as any subsequent attempt to define the class will not be associated with the correct certificate/signers, causing a SecurityException to be raised if classes from the same package have already been loaded.
> The SecurityException will be similar to the following
> java.lang.SecurityException: class "org.drools.spi.CompiledInvoker"'s signer information does not match signer information of other classes in the same package
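
The ordering problem in the report can be reproduced with the JDK's own `java.util.jar` API, where `JarEntry.getCertificates()` returns null until the entry's stream has been read to the end. The following is an added example, not code from JBoss VFS or from the attached JBVFS-176.diff; the class name `SignerTiming` is hypothetical, and it assumes the reader supplies the path to a jarsigner-signed JAR.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.util.jar.JarEntry;
import java.util.jar.JarInputStream;

/** Added illustration (hypothetical class, not JBoss VFS code). */
public class SignerTiming {

    /** Reads the current entry to end-of-stream so the JDK's verifier can finish it. */
    static void drain(InputStream in) throws IOException {
        byte[] buf = new byte[8192];
        while (in.read(buf) != -1) {
            // Data is discarded; a tampered entry makes read() throw SecurityException.
        }
    }

    /** Null means "no signer information (yet)", so count it as zero. */
    static int count(Certificate[] certs) {
        return certs == null ? 0 : certs.length;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java SignerTiming <signed.jar>");
            System.exit(2);
        }
        // 'true' enables signature verification while the stream is read.
        try (JarInputStream jis = new JarInputStream(new FileInputStream(args[0]), true)) {
            JarEntry entry;
            while ((entry = jis.getNextJarEntry()) != null) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // signature files and directories carry no signers
                }
                // Eager read: what a cache would capture if populated before the data is consumed.
                int eager = count(entry.getCertificates());
                drain(jis);
                // Same call after the entry has been fully read and verified.
                int verified = count(entry.getCertificates());
                System.out.printf("%-60s eager=%d verified=%d%s%n",
                        entry.getName(), eager, verified,
                        eager != verified ? "  <-- a cached eager value loses the signers" : "");
            }
        }
    }
}
```

Any code that stores the eager value and later uses it when defining a class ends up with an unsigned class next to signed classes in the same package, which is the condition that raises the SecurityException quoted above.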
