Jar startup fails on JDK 11 with a SecurityManager enabled

[sascha-kaufmann]

We currently have a problem, similar to #17796, concerning the start of fat jars with JDK11 and SecurityManager enabled. The same application runs fine on JDK8 with SecurityManager enabled.
We get the following exception (where AbcApplication is the main class, annotated as SpringBootApplication) when starting the jar using command java -Djava.security.manager -Djava.security.policy=security.policy -jar "build\libs\abc-application.jar":

Exception in thread "main" java.lang.ClassNotFoundException: abc.def.AbcApplication
        at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:471)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
        at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:92)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:46)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:51)
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52)

I created a small sample application with spring-boot 2.2.9.RELEASE (see Gist) with the following setup:

• Gradle (6.0.1) Build, using the spring-boot gradle plugin
• OpenJDK 11.0.10.9
• Developing on a windows machine

[wilkinsona]

Thanks for creating an issue, @sascha-kaufmann. I've reproduced the problem:

$ java -Djava.security.manager -Djava.security.policy=security.policy -jar build/libs/abc-application.jar 
Exception in thread "main" java.lang.ClassNotFoundException: abc.def.AbcApplication
	at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:471)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
	at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:151)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:398)
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:46)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
	at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)

As with #17796, the problem does not occur when jar checking is disabled:

$ java -Djava.security.manager -Djava.security.policy=security.policy -Dsun.misc.URLClassPath.disableJarChecking=true -jar build/libs/abc-application.jar

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.3.9.RELEASE)

2021-03-08 14:54:34.696  INFO 39143 --- [           main] abc.def.AbcApplication                   : Starting AbcApplication on wilkinsona-a01.vmware.com with PID 39143 (/Users/awilkinson/Downloads/c342dd56104a75d5ca110b80941a76bb-a5184d96b42701175c491dee0a5a051f61b413be/build/libs/abc-application.jar started by awilkinson in /Users/awilkinson/Downloads/c342dd56104a75d5ca110b80941a76bb-a5184d96b42701175c491dee0a5a051f61b413be)
2021-03-08 14:54:34.700  INFO 39143 --- [           main] abc.def.AbcApplication                   : No active profile set, falling back to default profiles: default
2021-03-08 14:54:35.772  INFO 39143 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat initialized with port(s): 8080 (http)
2021-03-08 14:54:35.787  INFO 39143 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
2021-03-08 14:54:35.788  INFO 39143 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.43]
2021-03-08 14:54:35.890  INFO 39143 --- [           main] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2021-03-08 14:54:35.891  INFO 39143 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1118 ms
2021-03-08 14:54:36.094  INFO 39143 --- [           main] o.s.s.concurrent.ThreadPoolTaskExecutor  : Initializing ExecutorService 'applicationTaskExecutor'
2021-03-08 14:54:36.294  INFO 39143 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8080 (http) with context path ''
2021-03-08 14:54:36.304  INFO 39143 --- [           main] abc.def.AbcApplication                   : Started AbcApplication in 2.091 seconds (JVM running for 2.614)

Note that I'm using Spring Boot 2.3.x here as Spring Boot 2.2.x has been out of support since October 2020. The same -Dsun.misc.URLClassPath.disableJarChecking=true should also work with 2.2.x but you should upgrade if at all possible as any fix we make for this issue will only be available in 2.3.x and later.

[wilkinsona]

It looks like the fix for #17796 may not have had the intended effect. It was made in 2.2.7.RELEASE. The sample supplied with this issue fails with symptoms similar to those in #17796 with 2.2.6 and then fails to load abc.def.AbcApplication with 2.2.7 and later. I'm seeing the same behaviour on both macOS and Windows.

[sascha-kaufmann]

Thx a lot for the quick response. We are using the workaround (disable jar checking) in the meantime. The update to 2.3.x / 2.4.x should not be a problem for us (as far as I could see), haven't planned it yet though.

[philwebb]

I think #21126 is causing the problem. We now call close() early which cleans up the resource and ultimately causes:

java.lang.NullPointerException
	at java.base/java.util.zip.ZipFile$1.startsWithLocHeader(ZipFile.java:1117)
	at java.base/jdk.internal.loader.URLClassPath$JarLoader.checkJar(URLClassPath.java:792)
	at java.base/jdk.internal.loader.URLClassPath$Loader.getResource(URLClassPath.java:650)
	at java.base/jdk.internal.loader.URLClassPath.getResource(URLClassPath.java:314)
	at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:455)
	at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:452)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:451)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
	at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:151)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at java.base/java.lang.Class.forName0(Native Method)
	at java.base/java.lang.Class.forName(Class.java:398)
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:46)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
	at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)

[philwebb]

I've applied a "band-aid fix" in 2.3.x, 2.4.x and 2.5.x but ideally we'd do something different. I've opened #26745 to look at refactoring our JarFile class in 2.6.x.