Oracle Java 8u161 regression in XML Schema Factory
Langer, Christoph
christoph.langer at sap.com
Fri Mar 2 07:47:29 UTC 2018
Thanks, Joe.
> -----Original Message-----
> From: Joe Wang [mailto:huizhe.wang at oracle.com]
> Sent: Thursday, 1 March 2018 20:11
> To: Langer, Christoph <christoph.langer at sap.com>
> Cc: OpenJDK Dev list <core-libs-dev at openjdk.java.net>
> Subject: Re: Oracle Java 8u161 regression in XML Schema Factory
>
> Hi Christoph and all,
>
> Just wanted to let you know that we're in the process of updating the release
> notes for 6u181/7u171/8u161 with a doc for this change.
>
> Thanks,
> Joe
>
> On 2/22/2018 12:47 AM, Langer, Christoph wrote:
> > Hi Joe,
> >
> > thanks for the clarification. It would be good to have a place of
> > documentation where one could refer customers to.
> >
> > Thanks
> > Christoph
> >
> >> -----Original Message-----
> >> From: Joe Wang [mailto:huizhe.wang at oracle.com]
> >> Sent: Wednesday, 21 February 2018 21:50
> >> To: Langer, Christoph <christoph.langer at sap.com>
> >> Cc: Bernd <ecki at zusammenkunft.net>; OpenJDK Dev list <core-libs-dev at openjdk.java.net>
> >> Subject: Re: Oracle Java 8u161 regression in XML Schema Factory
> >>
> >>
> >>> @Joe: Is there some documentation for this change in default behavior
> >>> that came with JDK8u161? I assume it is for higher security and cannot be
> >>> reverted (e.g. by setting the feature default for
> >>> Djdk.xml.overrideDefaultParser to true).
> >>
> >> It is indeed. It was a customer's request. Customers' complaints were
> >> that a factory created through the official API could in many cases,
> >> unknowingly to the customers, load 3rd party parsers that didn't
> >> necessarily implement the security features added since JDK7u40 and 8.
> >> For customers, this behavior was a security concern. It was particularly
> >> inconvenient to users who might have some 3rd party libraries that just
> >> happen to be in their environment.
> >>
> >> This change was not mentioned in the release notes. I'll check whether
> >> we could find a right place for a note of this change. The 8u161 release
> >> notes would have been a good place to do so.
> >>
> >> Best,
> >> Joe
> >>
> >>> Best regards
> >>> Christoph
> >>>
> >>>> -----Original Message-----
> >>>> From: core-libs-dev [mailto:core-libs-dev-bounces at openjdk.java.net] On
> >>>> Behalf Of Bernd
> >>>> Sent: Tuesday, 13 February 2018 22:55
> >>>> To: OpenJDK Dev list<core-libs-dev at openjdk.java.net>
> >>>> Subject: Re: Oracle Java 8u161 regression in XML Schema Factory
> >>>>
> >>>> Hello,
> >>>>
> >>>>
> >>>> 2018-01-25 17:41 GMT+01:00 Seán Coffey<sean.coffey at oracle.com>:
> >>>>
> >>>>> Classes nearer to those below were touched via JDK-8186080: Transform XML
> >>>>> interfaces
> >>>>> http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/cb84156d54b2
> >>>>> http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/08a44c164993
> >>>>>
> >>>>> This may be connected with some tools trying to redefine the classes
> >>>>> perhaps. Needs more investigating. Perhaps the XMLSchemaLoader changes are
> >>>>> a factor?
> >>>>>
> >>>> I have been able to extract a minimal reproducer. It is not related to
> >>>> XMLUnit, only to powermock. If it instruments com.sun but not javax.xml
> >>>> (and other combinations) then it fails.
> >>>>
> >>>> For details see the readme in this maven project:
> >>>>
> >>>> https://github.com/ecki/reproduce-schemaex
> >>>>
> >>>> I also found a way to make it work with both versions, so it's no longer an
> >>>> issue for me, but there are definitely some changes (which might also be
> >>>> triggered in AppServers or OSGi containers with partially reconfigured
> >>>> implementations. Not sure if you want to investigate deeper).
> >>>>
> >>>> Regards
> >>>> Bernd
> >>>>
> >>>>
> >>>> Here is the stacktrace anyway:
> >>>>>> com.sun.org.apache.xerces.internal.impl.dv.DVFactoryException: Schema factory class com.sun.org.apache.xerces.internal.impl.dv.xs.SchemaDVFactoryImpl does not extend from SchemaDVFactory.
> >>>>>>     at com.sun.org.apache.xerces.internal.impl.dv.SchemaDVFactory.getInstance(SchemaDVFactory.java:75)
> >>>>>>     at com.sun.org.apache.xerces.internal.impl.dv.SchemaDVFactory.getInstance(SchemaDVFactory.java:57)
> >>>>>>     at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.reset(XMLSchemaLoader.java:1024)
> >>>>>>     at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.loadGrammar(XMLSchemaLoader.java:556)
> >>>>>>     at com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaLoader.loadGrammar(XMLSchemaLoader.java:535)
> >>>>>>     at com.sun.org.apache.xerces.internal.jaxp.validation.XMLSchemaFactory.newSchema(XMLSchemaFactory.java:254)
> >>>>>>     at javax.xml.validation.SchemaFactory.newSchema(SchemaFactory.java:638)
> >>>>>>     at javax.xml.validation.SchemaFactory.newSchema(SchemaFactory.java:654)
> >>>>>>     at com.seeburger.api.test.helpers.BuilderTestHelper.getCRSchemaValidator(BuilderTestHelper.java:57)
> >>>>>>     at com.seeburger.api.test.helpers.BuilderTestHelper.validateAndCompare(BuilderTestHelper.java:73)
> >>>>>>     at com.seeburger.api.test.KSMBuilderTest.testDeletePGP(KSMBuilderTest.java:196)
> >>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>>>>     at java.lang.reflect.Method.invoke(Method.java:498)
> >>>>>>     at org.junit.internal.runners.TestMethod.invoke(TestMethod.java:68)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit44RunnerDelegateImpl$PowerMockJUnit44MethodRunner.runTestMethod(PowerMockJUnit44RunnerDelegateImpl.java:310)
> >>>>>>     at org.junit.internal.runners.MethodRoadie$2.run(MethodRoadie.java:89)
> >>>>>>     at org.junit.internal.runners.MethodRoadie.runBeforesThenTestThenAfters(MethodRoadie.java:97)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit44RunnerDelegateImpl$PowerMockJUnit44MethodRunner.executeTest(PowerMockJUnit44RunnerDelegateImpl.java:294)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit47RunnerDelegateImpl$PowerMockJUnit47MethodRunner.executeTestInSuper(PowerMockJUnit47RunnerDelegateImpl.java:127)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit47RunnerDelegateImpl$PowerMockJUnit47MethodRunner.executeTest(PowerMockJUnit47RunnerDelegateImpl.java:82)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit44RunnerDelegateImpl$PowerMockJUnit44MethodRunner.runBeforesThenTestThenAfters(PowerMockJUnit44RunnerDelegateImpl.java:282)
> >>>>>>     at org.junit.internal.runners.MethodRoadie.runTest(MethodRoadie.java:87)
> >>>>>>     at org.junit.internal.runners.MethodRoadie.run(MethodRoadie.java:50)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit44RunnerDelegateImpl.invokeTestMethod(PowerMockJUnit44RunnerDelegateImpl.java:207)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit44RunnerDelegateImpl.runMethods(PowerMockJUnit44RunnerDelegateImpl.java:146)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit44RunnerDelegateImpl$1.run(PowerMockJUnit44RunnerDelegateImpl.java:120)
> >>>>>>     at org.junit.internal.runners.ClassRoadie.runUnprotected(ClassRoadie.java:34)
> >>>>>>     at org.junit.internal.runners.ClassRoadie.runProtected(ClassRoadie.java:44)
> >>>>>>     at org.powermock.modules.junit4.internal.impl.PowerMockJUnit44RunnerDelegateImpl.run(PowerMockJUnit44RunnerDelegateImpl.java:122)
> >>>>>>     at org.powermock.modules.junit4.common.internal.impl.JUnit4TestSuiteChunkerImpl.run(JUnit4TestSuiteChunkerImpl.java:106)
> >>>>>>     at org.powermock.modules.junit4.common.internal.impl.AbstractCommonPowerMockRunner.run(AbstractCommonPowerMockRunner.java:53)
> >>>>>>     at org.powermock.modules.junit4.PowerMockRunner.run(PowerMockRunner.java:59)
> >>>>>>     at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:86)
> >>>>>>     at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> >>>>>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:539)
> >>>>>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:761)
> >>>>>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:461)
> >>>>>>     at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:207)
> >>>>>>
> >>>>>> on the classpath jaxb-impl-2.2.5.jar but the specific packages are only
> >>>>>> loaded from rt.jar and redefined. I assume the latter is done by Powermock.
> >>>>>> Line 611: [Loaded com.sun.org.apache.xerces.internal.impl.dv.SchemaDVFactory from C:\Program Files\Java\jdk1.8.0_161\jre\lib\rt.jar]
> >>>>>> Line 616: [Loaded com.sun.org.apache.xerces.internal.impl.dv.xs.BaseSchemaDVFactory from C:\Program Files\Java\jdk1.8.0_161\jre\lib\rt.jar]
> >>>>>> Line 617: [Loaded com.sun.org.apache.xerces.internal.impl.dv.xs.SchemaDVFactoryImpl from C:\Program Files\Java\jdk1.8.0_161\jre\lib\rt.jar]
> >>>>>> Line 618: [Loaded com.sun.org.apache.xerces.internal.impl.dv.SchemaDVFactory from __JVM_DefineClass__]
> >>>>>> Line 619: [Loaded com.sun.org.apache.xerces.internal.impl.dv.xs.BaseSchemaDVFactory from __JVM_DefineClass__]
> >>>>>> Line 620: [Loaded com.sun.org.apache.xerces.internal.impl.dv.xs.SchemaDVFactoryImpl from __JVM_DefineClass__]
> >>>>>>
> >>>>>> Is that something you are concerned about?
> >>>>>>
> >>>>>> Regards
> >>>>>> Bernd
> >>>>>>
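
Added example, not part of the original thread or of the JDK sources: a small Java 8 diagnostic for the concern Joe describes above. It reports which implementation class each JAXP factory obtained through the official API resolves to, where that class was loaded from, and whether it accepts the secure-processing feature and the JAXP 1.5 external-access properties (introduced in 7u40 and 8). The class name `JaxpProviderAudit` and its helper names are hypothetical.

```java
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;

// Added example (hypothetical class name): audit what the official JAXP factory API resolves to.
public class JaxpProviderAudit {
    interface Probe { void run() throws Exception; }

    // true if the implementation accepts the setting; older parsers may throw or lack the method
    static boolean accepts(Probe p) {
        try { p.run(); return true; } catch (Exception | LinkageError e) { return false; }
    }

    // Bootstrap (JDK-internal) classes have no CodeSource; classpath jars report their URL.
    static String origin(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        return cs == null || cs.getLocation() == null ? "JDK runtime" : cs.getLocation().toString();
    }

    static void report(String api, Object impl, boolean secure, boolean accessLimits) {
        System.out.printf("%s -> %s%n  loaded from: %s%n  secure processing: %b, access restrictions: %b%n",
                api, impl.getClass().getName(), origin(impl.getClass()), secure, accessLimits);
    }

    public static void main(String[] args) {
        // Printed for context only; the property name is the one mentioned in the thread.
        System.out.println("jdk.xml.overrideDefaultParser = "
                + System.getProperty("jdk.xml.overrideDefaultParser"));
        final String secure = XMLConstants.FEATURE_SECURE_PROCESSING;

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        report("DocumentBuilderFactory", dbf, accepts(() -> dbf.setFeature(secure, true)),
                accepts(() -> dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")));

        SAXParserFactory spf = SAXParserFactory.newInstance();
        report("SAXParserFactory", spf, accepts(() -> spf.setFeature(secure, true)),
                accepts(() -> spf.newSAXParser().setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")));

        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        report("SchemaFactory", sf, accepts(() -> sf.setFeature(secure, true)),
                accepts(() -> sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")));

        TransformerFactory tf = TransformerFactory.newInstance();
        report("TransformerFactory", tf, accepts(() -> tf.setFeature(secure, true)),
                accepts(() -> tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")));
    }
}
```

Run it with the application's real classpath: an implementation class loaded from outside the JDK runtime that rejects either setting is the case the customers complained about.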