Signed jars + CGLIB = SecurityException
843811Apr 21 2005 — edited Feb 5 2007Good Day!
I have the following problem:
My project uses a number of JARs signed with a jarsigner tool from JAVA distribution package including hibernate2.jar (the jar with all the hibernate stuff), spring.jar and cglib.jar (I think, exact names doesn't matter). All this jars are signed off course for security reasons.
Then, I have my project working with Hibernate, and it uses lazy-initialized ORM-classes, so Hibernate tries to generate a proxy via CGLIB for these classes. But during initialization of Hibernate SessionFactoryImpl I'm getting a java.lang.SecurityException:
java.lang.SecurityException: class "cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9"'s signer information does not match signer information of other classes in the same package
cern.spsea.hibernatebeans.BeamFileHibernateBean is one of my ORM-classes and all my classes are not signed because they are in development (they are not in jar, so they can not be signed).
I think it happens because signed code (from hibernate.jar and cglib.jar) tries to generate another signed code (cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9) but relate it to my unsigned package (cern.spsea.hibernatebeans).
So, I have a couple of questions:
1. Does signed code generates also signed code?
2. If so, what can I do for development? I really need to avoid this problem only at development, because at release my classes will be also in the signed jars. Can I force CGLIB to generate not signed classes? Is it some options in JVM start command to skip security checking? May be something else?
Any help is appreciated!
Thanks a lot in advance!
Roman