SecurityException - Class signer ?

I'm trying to learn to use JAXB..
Well.. the XML schema binding and stuff seems to go well, but when i try to use the classes (only trying to instantiate the "main" object of my XML structure), i get the following exception :
java.lang.SecurityException: class "javax.xml.namespace.NamespaceContext"'s signer information does not match signer information of other classes in the same package
I read some posts on the forums and some people (with a 'signer-problem') said that there's probably two different versions of the class that's causing the exception on the classpath..
One NamespaceContext -class seems to be in the namespaces.jar that comes with the Java Web Services Development Pack, but where is the other ?
And even if i knew where both of them are (if that's even the problem), what could i do about it ? I probably can't change the system libraries ? :)
This has been driving me nuts all day long, but i'd like to get JAXB to work, so maybe you could help me out here?
Maybe i messed something up while clicking on "next" during the installation process ? :)
And no one else seemed to have had any trouble with the NamespaceContext class !

I had the same issue trying to deploy JAXB 1.3 with WebSphere 5.1.
The problem in this case was that webservices.jar dynamically load qname.jar which contains classes in the package javax.xml.namespace. namespace.jar also contains classes in this package but the signer is different hence the exception. All I had to do to fix it was put webservices.jar after namespace.jar in the classpath. Also wrote this code to report something useful to people trying to deploy the code.
    private static String getUsefulMsg (String msg, Throwable exc)
        Throwable t = exc;
        String retMsg = msg;
        while (t != null)
            if (SecurityException.class.isAssignableFrom(t.getClass()))
                // This happens because webservices.jar dynamically loads qname.jar which has
                // classes in the same package as namespace.jar but with a different signer.
                if (t.getMessage().equals(UNHELPFUL_MESSAGE))
                    // explain how to fix this setup problem
                    retMsg = HELPFUL_MESSAGE;
                break;
            else if (t.getClass().isAssignableFrom(JAXBException.class))
                t = ((JAXBException)t).getLinkedException();
            else
                break;
        return retMsg;
    private static final String HELPFUL_MESSAGE = "webservices.jar needs to be after namespace.jar in classpath";
    private static final String UNHELPFUL_MESSAGE = "class \"javax.xml.namespace.NamespaceContext\"'s signer information does not match signer information of other classes in the same package";

Similar Messages

Two 3rd party jars share common class, signed differently

hi,
i have struck a problem where a SecurityException is thrown because two third party jars that are signed contain a class common to a package.
Jar A:
com.sun.xml.util.XmlChars
Jar B:
com.sun.xml.util.XmlChars
com.sun.xml.util.MessageCatalog
com.sun.xml.util.SomethingSomething
I can't touch Jar A, but Jar B can be edited. Since the security granularity seems to be a package level according to the error message, deleting XmlChars from Jar B doesn't work since both jars still contain classes from the same package.
Jar B does need the MessageCatalog so I can't remove it. I can only think of two options from here
1) find a Jar signed by the A people (JAXB) that contains the extra classes
2) some clever trick with classloaders - but I'm not sure what the issues are here..
any help would be deeply appreciated,
thanks,
asjf

2) some clever trick with classloaders - but I'm not sure what the issues are here..well, just loading class B and its associates in a new classloader is allowing this to work. I think this is safe too. Would be interested if anyone knows more about this area - eg. what if B needed to access something in A or vice versa, or both ways simultaneously?
thanks,
asjf

What is class signer??

i need to know also what does the method getSigners() do??
thanks a lot...

This article discusses the method and its actions.
http://www.securingjava.com/chapter-five/chapter-five-15.html
It revolves about digitally signed applets

CGLIB generation from signed classes(in signed jar) = SecurityException

Good Day!
I have the following problem:
My project uses a number of JARs signed with a jarsigner tool from JAVA distribution package including hibernate2.jar (the jar with all the hibernate stuff), spring.jar and cglib.jar (I think, exact names doesn't matter). All this jars are signed off course for security reasons.
Then, I have my project working with Hibernate, and it uses lazy-initialized ORM-classes, so Hibernate tries to generate a proxy via CGLIB for these classes. But during initialization of Hibernate SessionFactoryImpl I'm getting a java.lang.SecurityException:
java.lang.SecurityException: class "cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9"'s signer information does not match signer information of other classes in the same package
cern.spsea.hibernatebeans.BeamFileHibernateBean is one of my ORM-classes and all my classes are not signed because they are in development (they are not in jar, so they can not be signed).
I think it happens because signed code (from hibernate.jar and cglib.jar) tries to generate another signed code (cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9) but relate it to my unsigned package (cern.spsea.hibernatebeans).
So, I have a couple of questions:
1. Does signed code generates also signed code?
2. If so, what can I do for development? I really need to avoid this problem only at development, because at release my classes will be also in the signed jars. Can I force CGLIB to generate not signed classes? Is it some options in JVM start command to skip security checking? May be something else?
Any help is appreciated!
Thanks a lot in advance!
Roman

I've got the same problem, if someone could help us he'll be very helpful.
Regards,
Alx

Signing 2 different classes in the same package differently.

I have a class B in the default package.
I have another class C which is kept in a jar file without any package information. I have signed this jar file in using one alias in my keystore.
class B instantiates class C and passes its own reference to it.
When I run class B, i get an error saying,
Exception in thread "main" java.lang.SecurityException: class "C"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java:599)
at java.lang.ClassLoader.defineClass(ClassLoader.java:532)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:251)
at java.net.URLClassLoader.access$100(URLClassLoader.java:55)
at java.net.URLClassLoader$1.run(URLClassLoader.java:194)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:187)
at java.lang.ClassLoader.loadClass(ClassLoader.java:289)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:274)
at java.lang.ClassLoader.loadClass(ClassLoader.java:235)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:302)
at B.main(B.java:23)
Does this mean, I cannot have 2 classes in the same package, signed differently?
Thanks
AahRiMaaN

coupdegrace wrote:
JoachimSauer wrote:
Force1 wrote:
Do the files get automatically compiled if they are in the same package ?No, but if the class you compile depends on another that's not yet been compiled (or for which the source is newer than the .class file), then it will be compiled as well.Like,say If i add a int parameter, amethod(int i),then I will get a error,isn't it ?It actually gives a error.
Also it will compile automatically only for the first time and any changes made to any file will have to be compiled into latest .class files ?Yes.
Did compile the files under the above constraints.
So it is a smooth "run" for the first time,but not after editions to the either files.
I would appreciate if experts give some feedback on this.
Thank you.

HELP: signer info doesn't match info of other classes in the same package

I have several jars which need to be signed. They contain several applications and packages which
are split up based on which parts are needed by server vs client code. How do I get rid of this error?
I'm signing all the jars using the keytool and jar signer in java 1.3.1. I generate a certificate file.
My assumption is that each time I sign a different jar, the info is updated in the keystore and
certificate file. What might I be doing wrong when signing multiple jars?
(Yes, code from the same package may be in different jars. I don't have any controll of this,
I'm not in charge of the build and distribution of the various packages).
Exception in thread "main" java.lang.SecurityException: class
"com.ibm.ucm.bootup.UCMSysMgtConstants"'s signer information does not match signer
information of other classes in the same package
at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$100(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
at com.ibm.ucm.bootup.UCMServerUpdater.<init>(Unknown Source)
at com.ibm.ucm.bootup.UCMServerUpdater.<init>(Unknown Source)
at com.ibm.ucm.bootup.UCMAdminServerUpdater.<init>(Unknown Source)
at com.ibm.ucm.bootup.UCMAdminServerUpdater.main(Unknown Source)

Where you able to solve this issue? (I'm seeing the same problem.)
Thanks,
Stacy

Signed jars + CGLIB = SecurityException

Good Day!
I have the following problem:
My project uses a number of JARs signed with a jarsigner tool from JAVA distribution package including hibernate2.jar (the jar with all the hibernate stuff), spring.jar and cglib.jar (I think, exact names doesn't matter). All this jars are signed off course for security reasons.
Then, I have my project working with Hibernate, and it uses lazy-initialized ORM-classes, so Hibernate tries to generate a proxy via CGLIB for these classes. But during initialization of Hibernate SessionFactoryImpl I'm getting a java.lang.SecurityException:
java.lang.SecurityException: class "cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9"'s signer information does not match signer information of other classes in the same package
cern.spsea.hibernatebeans.BeamFileHibernateBean is one of my ORM-classes and all my classes are not signed because they are in development (they are not in jar, so they can not be signed).
I think it happens because signed code (from hibernate.jar and cglib.jar) tries to generate another signed code (cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9) but relate it to my unsigned package (cern.spsea.hibernatebeans).
So, I have a couple of questions:
1. Does signed code generates also signed code?
2. If so, what can I do for development? I really need to avoid this problem only at development, because at release my classes will be also in the signed jars. Can I force CGLIB to generate not signed classes? Is it some options in JVM start command to skip security checking? May be something else?
Any help is appreciated!
Thanks a lot in advance!
Roman

In my jboss environment I hit the problem because I had a JWS client download war with signed versions of the jar files.
The fix was to have unsigned versions of the server-side war files (session ejbs with hibernate + pojos inside) FIRST in my application.xml file (jars enter the "classpath" in the order that they are in that file) ahead of the web app .war file for the JWS downloads.

Signer information does not match signer information of other classes in th

I am using JAXB for my application and I am getting the following runtime error:
Caused by: java.lang.SecurityException: class "com.sun.msv.datatype.xsd.WhiteSpaceProcessor$Collapse"'s signer information does not match signer information of other classes in the same package.
if somebody help me that would be great.
Thanks

The post at http://forum.java.sun.com/thread.jspa?threadID=562040&tstart=270
led in the right direction.
I had jax-qname.jar (from jwsdp-1.6) and axis-saaj-1.2.1.jar in my classpath (at one point I was planning on using axis). I only get the error when axis-saaj-1.2.1.jar comes before jax-qname.jar in my classpath. The resolution is to resolve conflicting jars.
-Gene

Signer information does not match signer information of other classes

I'm getting the exception "java.lang.SecurityException: class "javax.persistence.Cacheable"'s signer information does not match signer information of other classes in the same package". It appeared after upgrading to EclipseLink 1.2.0 - JPA 2.0 Preview. JPA 1.0 worked nicely, and I can also get the new version running by installing JPA through Eclipse. However, I want to have the JPA jar in C:\mydir\ and include it as any other jar-file. I have never signed an application before and this exception doesn't really tell me what to do next.
Any help appreciated.
SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'forgotPwdController': Autowiring of fields failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.daisy.pipeonline.services.UserManager org.daisy.pipeonline.web.ForgotPwdController.userMan; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'userManager' defined in URL [jar:file:/C:/Users/jostein.NLB/workspaces/pipeonline/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/pipeonline-web/WEB-INF/lib/pipeonline-core.jar!/META-INF/config/services-config.xml]: Cannot resolve reference to bean 'userDao' while setting bean property 'dao'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'userDao': Injection of persistence fields failed; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'entityManagerFactory' defined in URL [jar:file:/C:/Users/jostein.NLB/workspaces/pipeonline/.metadata/.plugins/org.eclipse.wst.server.core/tmp0/wtpwebapps/pipeonline-web/WEB-INF/lib/pipeonline-core.jar!/META-INF/config/datalayer-config.xml]: Invocation of init method failed; nested exception is javax.persistence.PersistenceException: Exception [EclipseLink-28018] (Eclipse Persistence Services - 1.2.0.v20091016-r5565): org.eclipse.persistence.exceptions.EntityManagerSetupException
Exception Description: Predeployment of PersistenceUnit [jpa] failed.
Internal Exception: java.lang.SecurityException: class "javax.persistence.Cacheable"'s signer information does not match signer information of other classes in the same package
     at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessAfterInstantiation(AutowiredAnnotationBeanPostProcessor.java:243)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:959)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
     at java.security.AccessController.doPrivileged(Native Method)
     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:221)
     at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
     at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:429)
     at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:729)
     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:381)
     at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:255)
     at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:199)
     at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:45)
     at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3934)
     at org.apache.catalina.core.StandardContext.start(StandardContext.java:4429)
     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
     at org.apache.catalina.core.StandardHost.start(StandardHost.java:722)
     at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
     at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
     at org.apache.catalina.core.StandardService.start(StandardService.java:516)
     at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
     at org.apache.catalina.startup.Catalina.start(Catalina.java:583)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.lang.reflect.Method.invoke(Unknown Source)
     at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

I don't know. You said that you got the problem when you upgraded "EclipseLink 1.2.0 - JPA 2.0 Preview", so it's possible that you should ask the guys who did that package.

Signing class files

Dears,
Is there any possiblity to sign the class files instead of jar files.
Esakki

Hi,
why do you want to sign the class file?
Using a jar file you'll have all the classes into one single file and you'll have all the classes signed, and then you won't need to sign every single class, you'll do once and no more.
Moreover, using the JAR type file, your classes will have smaller size and so they load up faster.
See you

Problems with signed JAR files in JWS/JRE6 environment.

Hello All,
I'm encountering a problem running our desktop application as a Java Web Start deployment in a JRE 6 environment. There were never any problems when running the same application as a JWS deployment in JRE 1.4, or 5, environments. There are also currently no problems in a JRE 6 environment when running the application as a standard desktop application.
The problem which I am having has nothing to do with launching the application. But for good measure, I verified the JNLP file with JaNeLA. A couple things we out of order, which I addressed to make JaNeLA happy, but my problem still persists. Here is my JNLP file (anonymized to protect the innocent):
TS: 2010-10-18 17:04:46
<?xml version="1.0" encoding="UTF-8"?>
<jnlp codebase="$$codebase" href="$$name">
     <information>
          <title>Acme Desktop</title>
          <vendor>Acme Corporation</vendor>
          <homepage href="http://www.acme.com/"/>
          <description>Acme Client for Acme Server</description>
          <description kind="tooltip">Acme Client for Acme Server</description>
          <icon href="desktop.gif"/>
          <offline-allowed/>
     </information>
     <security>
          <all-permissions/>
     </security>
     <resources>
          <j2se version="1.5+"/>
          <jar href="acmedesktop.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/antlr-2.7.2.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/backport-util-concurrent.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/commons-codec-1.3.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/commons-httpclient.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/commons-logging.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/acmeapi.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/HelpJavaDT.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/HelpJavaDT_es.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/jacorb.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/Multivalent.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/slf4j-api-1.5.6.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/slf4j-jdk14-1.5.6.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/snow.jar" download="lazy" version="8.00.01.00+"/>
          <jar href="lib/AcmeTMClient.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/xercesImpl.jar" download="eager" version="8.00.01.00+"/>
          <jar href="lib/xml-apis.jar" download="eager" version="8.00.01.00+"/>
          <extension name="installer" href="desktopInstaller.jnlp" />
          <extension name="Java Help" href="help.jnlp"/>
          <property name="java.library.path" value="./lib"/>
          <property name="admin" value="false"/>
          <property name="webstart" value="true"/>
          
     </resources>
     <resources os="Windows">
          <nativelib href="lib/jniWin32.jar" version="8.00.01.00+"/>
     </resources>
     <application-desc main-class="desktop"/>
</jnlp>-----
When running as a JWS deployment, on JRE 6, the application will be functioning normally for a little while, and then suddenly the following exception is thrown, and the current operation fails because the class in question cannot be accessed:
java.lang.SecurityException: class "acmeapi.communication.CDocImpl"'s signer information does not match signer information of other classes in the same package
     at java.lang.ClassLoader.checkCerts(ClassLoader.java:807)
     at java.lang.ClassLoader.preDefineClass(ClassLoader.java:488)
     at java.lang.ClassLoader.defineClassCond(ClassLoader.java:626)
     at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
     at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
     at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
     at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
     at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
     at java.security.AccessController.doPrivileged(Native Method)
     at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
     at com.sun.jnlp.JNLPClassLoader.findClass(JNLPClassLoader.java:288)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
     at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
     at acmeapi.common.CDoc.getAnnotationsInfo(CDoc.java:493)
     at acmedesktop.communication.CCommunicationManager.privateGetAnnotations(CCommunicationManager.java:1976)
     at acmedesktop.communication.CCommunicationManager.getAnnotations(CCommunicationManager.java:1828)
     at acmedesktop.annotations.CViewAnnotations.getAnnotations(CViewAnnotations.java:826)
     at acmedesktop.annotations.CViewAnnotations.createView(CViewAnnotations.java:583)
     at acmedesktop.annotations.CViewAnnotations.setData(CViewAnnotations.java:736)
     at acmedesktop.annotations.CViewAnnotations.init(CViewAnnotations.java:205)
     at acmedesktop.hitspanel.CHitsPanel.viewAnnotations(CHitsPanel.java:281)
     at acmedesktop.hitspanel.CHitsTab$3.mousePressed(CHitsTab.java:316)
     at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:263)
     at java.awt.Component.processMouseEvent(Component.java:6260)
     at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
     at java.awt.Component.processEvent(Component.java:6028)
     at java.awt.Container.processEvent(Container.java:2041)
     at java.awt.Component.dispatchEventImpl(Component.java:4630)
     at java.awt.Container.dispatchEventImpl(Container.java:2099)
     at java.awt.Component.dispatchEvent(Component.java:4460)
     at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4574)
     at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4235)
     at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4168)
     at java.awt.Container.dispatchEventImpl(Container.java:2085)
     at java.awt.Window.dispatchEventImpl(Window.java:2478)
     at java.awt.Component.dispatchEvent(Component.java:4460)
     at java.awt.EventQueue.dispatchEvent(EventQueue.java:599)
     at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
     at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
     at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
     at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
     at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)-----
The classes of our desktop product are contained within the 'acmedesktop' and 'acmeapi' packages. It requires access to the hard drive of the workstation, and therefore, all jar files included with the application are signed using the following ANT task when compiled:
<signjar keystore="resources/codesigning/keystore.pfx" storetype="pkcs12" storepass="myPassword" alias="myAlias">
     <fileset dir="${jws_dist}/app" includes="*.jar"/>
     <fileset dir="${jws_dist}/app/lib" includes="*.jar" excludes="jhall__V${dt_version}.jar"/>
</signjar>-----
Therefore, all classes, within all jar files, are signed with the same certificate (with the exception of the JavaHelp libraries, which are already signed by Sun - but the class in question attempting to be loaded here is not contained within the JavaHelp jar file anyway). So, the point being, that the exception message stating that the "signer information of the acmeapi.communication.CDocImpl class doesn't match the signer information of other classes in the same package", is simply not correct. All classes within that jar file were signed using the same certificate.
I downloaded the JRE 6 source from dev.java.net and picked through this issue with a debugger. The ClassLoader.checkCerts() method compares the certificate used to sign the current class which is attempting to be loaded, with the certificates which signed all other previously loaded classes within the same package. If they don't match, the exception above is thrown. What is causing the issue is when the checkCerts() method attempts to get the certificates which signed the currently loading class, null is returned. And obviously, comparing null, with an array of the certificates which signed the previously loaded classes, isn't going to match; therefore this exception is thrown.
The checkCerts() method gets the certificates of the currently loading class by calling the java.security.CodeSource.getCertificates() method. Tracing deeper in the debugger, the CodeSource object ultimately gets the certificates from the 'signersRef' member variable of the com.sun.deploy.cache.CachedJarFile class. signerRef is a SoftReference object and can therefore be garbage collected at some point. If it has already been garbage collected, the CachedJarFile class will attempt to retrieve it again from the loaded cache entry by calling com.sun.deploy.cache.MemoryCache.getLoadedResource().
The MemoryCache class maintains the cache entries to the jar files as MemoryCache.CachedResourceReference objects, which subclass WeakReference, and therefore these objects can be garbage collected as well. If the cache entries have also been garbage collected, this leaves the CachedJarFile class with no ability to repopulate the CachedJarFile.signerRef object. Therefore it is completely out of luck getting the certificates which signed the currently loading class, which ultimately causes the above exception.
When the com.sun.deploy.cache.Cache class attempts to retrieve a cache entry using its getCacheEntry() method, it will attempt to get the entry from the MemoryCache class, if null is returned, it will recreate the cache entry and add it back to the MemoryCache. In contrast, when the CachedJarFile class attempts to get a cache entry from the MemoryCache class, if null is returned, it just gives up.
(from com.sun.deploy.cache.CachedJarFile:244)
private CacheEntry getCacheEntry() {
     /* if it was not created by Cache do not search for entry */
     if (resourceURL == null)
          return null;
     CacheEntry ce = (CacheEntry) MemoryCache.getLoadedResource(resourceURL);
     if (ce == null) {
          //This should not happen because CacheEntry should not get collected
          // before CachedJarFile is collected.
          Trace.println("Missing CacheEntry for " + resourceURL + "\n" + ce,
               TraceLevel.CACHE);
     return ce;
When debugging, code execution falls within the code block with the comment stating "This should not happen...", but it is happening in my case.
On an interesting side note, using the jvisualvm.exe tool included with JDK 6, I was able to tell that it seems as though these objects are collected the first time that the JVM allocates more heap space, and then the issue will occur. If I set the initial heap size very large (using -Xms) this issue won't occur at all. But that is kind of a bad solution which I would rather not do, but it is interesting to note for the sake of troubleshooting this issue. The max heap size (-Xmx) is plenty big enough, so the issue is not that we are running out of memory here.
Does anyone have any insight as to what could be causing this? I've searched, and found a couple threads with similar problems but with no clear solutions. It is not just one workstation either, it happens everywhere I deploy the app as a Java Web Start application in a JRE 6 environment. I have been using version 1.6.0_18 on XP, but it seems to happen on any update version of 1.6. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug? I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?
Thank you
Jake
Edited by: jkc532 on Nov 12, 2010 10:35 AM

jkc532 wrote:
.. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug? From your comprehensive investigation and report, it seems so to me.
..I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?Just after read the summary I was tired, so I have some understanding of the effort you have already invested in this (the 'wits' you have already spent). I think you should raise a bug report and seek Oracle's response.

Java.lang.SecurityException when trying to execute Workflow-Java-API from Servlet

I'm trying to call some of the Oracle Workflow-Java-API Classes/Methods from a servlet running on OC4J.
The following Code-Sample is exactly copied from the WFTest Example shipped with Oracle-Workflow:
wfDB = new WFDB(user, ident, "jdbc:oracle:thin:@", "host:1521:tnsstring");
String charset = System.getProperty("CHARSET");
if (charset == null) {
charset = "UTF8";
ctx = new WFContext(wfDB, charset);
if (ctx.getDB().getConnection() == null) {
throw new Exception ("Keine Verbindung zum Workflow");
On OC4J integrated in JDeveloper everything works fine when i run my test-servlet with this code.
On 9ias with OC4J running on a SuSE-Linux Server i get the following Error:
java.lang.SecurityException: class "oracle.apps.fnd.wf.WFContext"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java:554)
at java.lang.ClassLoader.defineClass(ClassLoader.java:482)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:106)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:243)
at java.net.URLClassLoader.access$100(URLClassLoader.java:51)
at java.net.URLClassLoader$1.run(URLClassLoader.java:190)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:183)
at java.lang.ClassLoader.loadClass(ClassLoader.java:294)
at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:310)
at oracle.apps.fnd.wf.engine.JdbcEngineAPI._sqlQueryText(JdbcEngineAPI.java)
at oracle.apps.fnd.wf.engine.EngineAPI.getItemTypes(EngineAPI.java)
at WorkflowData.doGet(WorkflowData.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:195)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:309)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
at com.evermind[Oracle9iAS (1.0.2.2.1) Containers for J2EE].server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:508)
at com.evermind[Oracle9iAS (1.0.2.2.1) Containers for J2EE].server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:177)
at com.evermind[Oracle9iAS (1.0.2.2.1) Containers for J2EE].server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:576)
at com.evermind[Oracle9iAS (1.0.2.2.1) Containers for J2EE].server.http.HttpRequestHandler.run(HttpRequestHandler.java:189)
at com.evermind[Oracle9iAS (1.0.2.2.1) Containers for J2EE].util.ThreadPoolThread.run(ThreadPoolThread.java:62)
As you can see, the first Workflow-API-Object (WFDB) gets correctly instantiated. But the second one crashes.
The java.policy and java.security files are exactly identical on both machines, my PC and the Linux-Server.
Where might be the problem ?
How can we fix this ?
thanks in advance for any help
Ralf

okay, okay,
my/our own fault.
To prevent anyone else of makeing the same mistake, a short decription:
We stored the wf????.jar files inside the $JAVA_HOME/jre/lib/ext directory.
The correct way is to let them inside $ORACLE_HOME/jlib dir of the oracle db and extend the classpath, respectively add the following lines to 'orion-application.xml' of the app.
<library path="$ORACLE_HOME/jlib/wfapi.jar" />
<library path="$ORACLE_HOME/jlib/wfjava.jar" />

Java.lang.SecurityException when loading javax.activation.MimeType

Hi all,
I'm having this problem when trying to call a WebService in my Server;
java.lang.SecurityException: class "javax.activation.MimeType"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(ClassLoader.java(Compiled Code))
at java.lang.ClassLoader.defineClass(ClassLoader.java(Compiled Code))
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java(Compiled Code))
at java.net.URLClassLoader.defineClass(URLClassLoader.java(Compiled Code))
at java.net.URLClassLoader.access$500(URLClassLoader.java(Inlined Compiled Code))
at java.net.URLClassLoader$ClassFinder.run(URLClassLoader.java(Compiled Code))
at java.security.AccessController.doPrivileged1(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
at java.net.URLClassLoader.findClass(URLClassLoader.java(Compiled Code))
at java.lang.ClassLoader.loadClass(ClassLoader.java(Compiled Code))
at java.lang.ClassLoader.loadClass(ClassLoader.java(Compiled Code))
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java(Compiled Code))
at java.lang.ClassLoader.loadClass(ClassLoader.java(Compiled Code))
at org.apache.soap.rpc.SOAPContext.addBodyPart(SOAPContext.java:344)
at org.apache.soap.rpc.SOAPContext.setRootPart(SOAPContext.java:403)
at org.apache.soap.rpc.SOAPContext.setRootPart(SOAPContext.java:442)
at org.apache.soap.rpc.SOAPContext.setRootPart(SOAPContext.java:417)
at org.apache.soap.transport.TransportMessage.save(TransportMessage.java:351)
at oracle.soap.transport.http.OracleSOAPHTTPConnection.send(OracleSOAPHTTPConnection.java:713)
at org.apache.soap.rpc.Call.invoke(Call.java:261)
It seems to work in my local machine (running on JDeveloper10G embedded server), but i cannot make it work in production server (version 10.1.2.0.2) ...
Any idea of what is going wrong? I know what the error means, but i don't know why it is raising.

I've tried the webservice standalone (without a servlet frontend) and it seems to work, so i'll post this in the servlets forum.
Thanks.

Getting java.lang.SecurityException while sending mail

While i trying to send mail through web browser i am getting following error.But by calling same function in main method of my Mailer.java class its successful. Will anybody suggest me what am i miss .I m using Tomcat & i already put activation.jar and mail.jar in classpath.
"java.lang.SecurityException: class "javax.mail.Address";'s signer information does not match signer information of other classes in the same package"
Regards
Riaz
Edited by: Riaz_Ansari on May 2, 2008 12:44 AM

You've probably got more than one version of the javax.mail.* classes in your CLASSPATH.
Look for multiple copies of mail.jar, or perhaps a j2ee.jar or javaee.jar that duplicates those
classes.

Signed applet crashes

Hello all!
Has ever happened to someone that when using a signed applet, the browser crashes without giving an error or something?
I made an applet that had to read a file on the server, then signed it, and when trying it, after the browser asked me if to trust the signature, all freezed and nothing else happened...
I am developing an applet with NetBeans, the code in question is this:
import java.io.*;*
*import java.util.*;
public class PhotoAlbum extends javax.swing.JApplet {
    /** Initializes the applet PhotoAlbum */
    public void init()
        try
            java.awt.EventQueue.invokeAndWait(new Runnable() {
                public void run() {
                    initComponents();
        } catch (Exception ex)
            ex.printStackTrace();
    public void start()
        try
            initAlbum();
        catch (Exception e)
            error.setText(e.getLocalizedMessage()); //"error" is a textbox. I use that to write the exceptions caught runtime.
    private void initAlbum() throws Exception
      FileReader reader = new FileReader("/Foto/PhotoDB");
@SuppressWarnings("unchecked")
    // <editor-fold defaultstate="collapsed" desc="Generated Code">
    private void initComponents() {
        modLista = new javax.swing.DefaultListModel();
        jScrollPane1 = new javax.swing.JScrollPane();
        listaAlbum = new javax.swing.JList();
        jScrollPane2 = new javax.swing.JScrollPane();
        error = new javax.swing.JTextArea();
        jLabel1 = new javax.swing.JLabel();
        listaAlbum.setModel(modLista);
        listaAlbum.setVisibleRowCount(4);
        jScrollPane1.setViewportView(listaAlbum);
        error.setColumns(20);
        error.setRows(5);
        jScrollPane2.setViewportView(error);
        jLabel1.setIcon(new javax.swing.ImageIcon(getClass().getResource("/Foto/bell_urlo.png"))); // NOI18N
        jLabel1.setText("jLabel1");
        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 547, Short.MAX_VALUE)
            .addGroup(layout.createSequentialGroup()
                .addContainerGap()
                .addComponent(jScrollPane2, javax.swing.GroupLayout.DEFAULT_SIZE, 523, Short.MAX_VALUE)
                .addContainerGap())
            .addGroup(javax.swing.GroupLayout.Alignment.TRAILING, layout.createSequentialGroup()
                .addContainerGap(117, Short.MAX_VALUE)
                .addComponent(jLabel1)
                .addGap(72, 72, 72))
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(javax.swing.GroupLayout.Alignment.TRAILING, layout.createSequentialGroup()
                .addContainerGap()
                .addComponent(jLabel1)
                .addGap(12, 12, 12)
                .addComponent(jScrollPane2, javax.swing.GroupLayout.PREFERRED_SIZE, 218, javax.swing.GroupLayout.PREFERRED_SIZE)
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, 39, Short.MAX_VALUE)
                .addComponent(jScrollPane1, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE))
    }// </editor-fold>
    // Variables declaration - do not modify
    private javax.swing.JTextArea error;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JScrollPane jScrollPane1;
    private javax.swing.JScrollPane jScrollPane2;
    private javax.swing.JList listaAlbum;
    private javax.swing.DefaultListModel modLista;
    // End of variables declaration
    public Album[] collection;
    public Album current;
    public int photoIndex;
}This is the basic code, I deleted all the instructions, leaving the one from where the error started (the filereader declaration)
I don't have any idea on why the browser crashes...
When the applet is unsigned, on the textbox is shown correctly the error "permission denied".
On other files the signing procedure goes ok, since I tried it on a program I found on the internet @ http://www.captain.at/programming/java/
Edited by: DrZoidberg on Sep 15, 2008 9:15 AM

are you using IE?
i use mozilla and this is what i see when i trust the certificate.
java.lang.SecurityException: class "PhotoAlbum$1"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.preDefineClass(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
at PhotoAlbum.init(PhotoAlbum.java:21)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
java.lang.NullPointerException
at PhotoAlbum.start(PhotoAlbum.java:40)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
might help you :)

SecurityException - Class signer ?

Similar Messages

Maybe you are looking for