Reflective illegal access to java.lang.SecurityManager.getClassContext() #663

Closed
MR6996 opened this issue Mar 15, 2022 · 9 comments

@MR6996

MR6996 commented Mar 15, 2022

When running a spring-boot application I have this warning.

Running with --illegal-access=debug I found this:

```
WARNING: Illegal reflective access by nonapi.io.github.classgraph.classpath.CallStackReader (file:.../.m2/repository/io/github/classgraph/classgraph/4.8.138/classgraph-4.8.138.jar) to method java.lang.SecurityManager.getClassContext()
    at nonapi.io.github.classgraph.classpath.CallStackReader.getCallStackViaSecurityManager(CallStackReader.java:119)
    at nonapi.io.github.classgraph.classpath.CallStackReader.access$100(CallStackReader.java:44)
    at nonapi.io.github.classgraph.classpath.CallStackReader$3.call(CallStackReader.java:178)
    at nonapi.io.github.classgraph.classpath.CallStackReader$3.call(CallStackReader.java:175)
    at nonapi.io.github.classgraph.reflection.ReflectionUtils$PrivilegedActionInvocationHandler.invoke(ReflectionUtils.java:383)
    at com.sun.proxy.$Proxy139.run(Unknown Source)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at nonapi.io.github.classgraph.reflection.ReflectionUtils.doPrivileged(ReflectionUtils.java:396)
    at nonapi.io.github.classgraph.classpath.CallStackReader.getClassContext(CallStackReader.java:175)
    at nonapi.io.github.classgraph.classpath.ClasspathFinder.<init>(ClasspathFinder.java:163)
    at io.github.classgraph.Scanner.<init>(Scanner.java:169)
    at io.github.classgraph.ClassGraph.scanAsync(ClassGraph.java:1531)
    at io.github.classgraph.ClassGraph.scanAsync(ClassGraph.java:1559)
    at io.github.classgraph.ClassGraph.scan(ClassGraph.java:1584)
    at io.github.classgraph.ClassGraph.scan(ClassGraph.java:1623)
    at io.github.classgraph.ClassGraph.scan(ClassGraph.java:1636)
    at org.webjars.WebJarAssetLocator.scanForWebJars(WebJarAssetLocator.java:144)
    at org.webjars.WebJarAssetLocator.<init>(WebJarAssetLocator.java:150)
    at org.springframework.web.servlet.resource.WebJarsResourceResolver.<init>(WebJarsResourceResolver.java:61)
    at org.springframework.web.servlet.config.annotation.ResourceChainRegistration.getResourceResolvers(ResourceChainRegistration.java:114)
    at org.springframework.web.servlet.config.annotation.ResourceHandlerRegistration.getRequestHandler(ResourceHandlerRegistration.java:215)
    at org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry.getRequestHandler(ResourceHandlerRegistry.java:178)
    at org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry.getHandlerMapping(ResourceHandlerRegistry.java:168)
    at org.springframework.web.servlet.config.annotation.WebMvcConfigurationSupport.resourceHandlerMapping(WebMvcConfigurationSupport.java:599)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
    at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
    at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:638)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1352)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1195)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
    at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
```
Do I have to worry about that?

@kelciocajueiro

I have the same issue as well. I am using the Spring Boot v2.6.4

@MR6996
Author

MR6996 commented Mar 15, 2022

> I have the same issue as well. I am using the Spring Boot v2.6.4

Me too. I'm using SpringDoc also; I don't know if it's related to this.

@kelciocajueiro

I am using SpringDoc as well. I have removed the dependency of springdoc but I still can see the same stack trace as yours. :(
I don't see that issue using Spring Boot 2.5.10.

@MR6996
Author

MR6996 commented Mar 16, 2022

I'm using openjdk 11.0.2 2019-01-15. I've updated to openjdk 11.0.14.1 2022-02-08 LTS and there are no warnings.

MR6996 closed this as completed Mar 16, 2022
@lukehutch
Member

Thanks for the report. I'm going to reopen this because there is almost certainly a way to fix it.

ClassGraph uses several mechanisms to find the stack trace. The one that uses reflection needs to be de-prioritized in JDK9+ (other methods should be tried first).

I'll work on this, although I'm traveling currently with limited time to fix it.

lukehutch reopened this Mar 16, 2022
@kelciocajueiro

Thanks, @lukehutch

@lukehutch
Member

> I'm using openjdk 11.0.2 2019-01-15. I've updated to openjdk 11.0.14.1 2022-02-08 LTS and there are no warnings.

OK, this makes sense -- StackWalker was able to crash the JVM in JDK 9, 10, 11 prior to 11.0.4, and 12 prior to 12.0.2. See #341. So ClassGraph was defaulting to using SecurityManager in affected JVMs.

Can everyone else who experienced this issue please verify whether they were running an affected JVM version?

I think this is the same bug reported in #646.

I disabled the SecurityManager method for getting the StackTrace in JDK 9+. The implications of this are:

  • In JDK 9 and 10 (both deprecated), JDK 11 version <11.0.4, and JDK 12 version <12.0.2, if there is a SecurityManager in use, only stacktraces visible to the current thread will be able to be obtained (which may mean that a classloader is not found, if its part of the stacktrace is protected by the SecurityManager).
  • In all more recent versions of the JDK, StackWalker will be used (which may restrict the visibility of some stack frames in the same way via SecurityManager in JDK versions prior to about JDK 19 or so, when SecurityManager will be removed, I believe). This may also limit the visibility of some stack frames due to strong encapsulation (I haven't tested this). Again this may mean that some classloaders are not found because the stack frame containing reference to the class loaded by the classloader is not visible. This won't be a problem for modular code, since modules are scanned using the ModuleLayer API rather than by scanning the classpath.
  • In JDK 7 and 8, the reflective method of bypassing the SecurityManager will continue to be used to fetch all stack frames.

If someone who is affected by this reflective access warning can please test the latest version of ClassGraph in git, I would appreciate it.

Thanks!
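
The version gating described in the comment above, as an added sketch that is not ClassGraph's own code: `Strategy`, `parseVersion`, `choose` and `classContext` are hypothetical names, and the fallback for the affected JDK 9 to 12 builds is only named, since the comment does not say which mechanism is used there. It needs JDK 9+ to compile because it calls `StackWalker`, which returns the class context without reflective access to `SecurityManager.getClassContext()`.

```java
import java.util.List;
import java.util.stream.Collectors;

public class CallStackStrategyDemo {
    // Hypothetical names; they mirror the three cases listed in the comment above.
    enum Strategy { SECURITY_MANAGER_REFLECTION, RESTRICTED_FALLBACK, STACK_WALKER }

    // Parses "1.8.0_292", "11.0.2", "11.0.14.1" or "17.0.1+12" into its first three numbers.
    static int[] parseVersion(String javaVersion) {
        String[] parts = javaVersion.split("[._+-]");
        int start = (parts.length > 1 && parts[0].equals("1")) ? 1 : 0; // legacy "1.x" scheme
        int[] v = new int[3];
        for (int i = 0; i < 3 && start + i < parts.length; i++) {
            try { v[i] = Integer.parseInt(parts[start + i]); }
            catch (NumberFormatException e) { break; } // suffix such as "ea"; rest stays 0
        }
        return v;
    }

    static Strategy choose(String javaVersion) {
        int[] v = parseVersion(javaVersion);
        if (v[0] < 9) return Strategy.SECURITY_MANAGER_REFLECTION; // JDK 7 and 8
        // StackWalker could crash the JVM in 9, 10, 11 < 11.0.4 and 12 < 12.0.2.
        boolean affected = v[0] <= 10
                || (v[0] == 11 && v[1] == 0 && v[2] < 4)
                || (v[0] == 12 && v[1] == 0 && v[2] < 2);
        return affected ? Strategy.RESTRICTED_FALLBACK : Strategy.STACK_WALKER;
    }

    // Class context of the current thread, with no reflection into java.lang.SecurityManager.
    static List<Class<?>> classContext() {
        return StackWalker.getInstance(StackWalker.Option.RETAIN_CLASS_REFERENCE)
                .walk(frames -> frames.map(StackWalker.StackFrame::getDeclaringClass)
                        .collect(Collectors.toList()));
    }

    public static void main(String[] args) {
        // 11.0.2 and 11.0.14.1 are the versions from this thread; the others are constructed.
        for (String s : new String[] {"1.8.0_292", "11.0.2", "11.0.14.1", "12.0.1", "17.0.1+12"}) {
            System.out.println(s + " -> " + choose(s));
        }
        String running = System.getProperty("java.version");
        if (choose(running) == Strategy.STACK_WALKER) {
            System.out.println(running + " class context: " + classContext());
        }
    }
}
```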

@lukehutch
Member

PS if anyone is curious as to how the stacktrace-obtaining code works, here it is:

https://github.com/classgraph/classgraph/blob/latest/src/main/java/nonapi/io/github/classgraph/classpath/CallStackReader.java

@lukehutch
Member

This should be fixed now, with the caveats described above. Released in 4.8.142. Thank you!
