When running a project built by maven with the following dependencies:
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>javax.persistence</artifactId>
<version>2.2.0</version>
</dependency>
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>eclipselink</artifactId>
<version>2.7.0</version>
</dependency>
I get the following error at runtime:
java.lang.SecurityException: class "javax.persistence.Cacheable"'s signer information does not match signer information of other classes in the same package
The javax.persistence-2.2.0 artifact is signed and contains the javax.persistence.Cacheable.class annotation, while the eclipselink-2.7.0 artifact is not signed and also contains the same java class annotation.
How can this be fixed?
Edit
Replacing the javax.persistence artifact version 2.2.0 by the version 2.1.1 fixes the problem (this one is not signed), but I'm not sure it's a normal situation.
Thanks Stéphane - the edit at the end of your question helped me "fix" the same problem. For anyone else who hits this as well - here is an expanded answer. This is what you need to "fix" things in your pom (until Eclipse fix things properly):
<!-- See https://stackoverflow.com/q/45870753 -->
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>eclipselink</artifactId>
<version>2.7.0</version>
<exclusions>
<exclusion>
<groupId>org.eclipse.persistence</groupId>
<artifactId>javax.persistence</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>javax.persistence</artifactId>
<version>2.1.1</version>
</dependency>
This pulls in eclipselink
but excludes the javax.persistence
dependency that it tries to pull in and replaces it with an earlier version of javax.persistence
that doesn't have the signing issue.
Aside: javax.persistence
version 2.2.0
is explicitly pulled in, in the pom fragment shown in the original question, despite already being a transitive dependency of eclipselink
.
Summary - the eclipselink
artifact depends on javax.persistence
and both contain classes that are in the package javax.persistence
. However the javax.persistence
jar is signed while the eclipselink
one is not. So the Java runtime will complain, when loading a class from the package javax.persistence
in the eclipselink
jar, that it's lack of signing doesn't match with classes already loaded from the same package in the javax.persistence
jar.
Details - if I put a breakpoint in java.util.concurrent.ConcurrentHashMap.putIfAbsent(K, V)
with condition "javax.persistence".equals(arg0)
then I see that javax.persistence
is mapped to the following CodeSource
value:
(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/javax.persistence/2.2.0/javax.persistence-2.2.0.jar [
[
Version: V3
Subject: CN="Eclipse Foundation, Inc.", OU=IT, O="Eclipse Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
...
I.e. javax.persistence-2.2.0.jar
is signed by the Eclipse Foundation and contains classes in the package javax.persistence
. This jar is pulled in when some part of my application (actually something deep in Spring logic) tries to load javax.persistence.EntityManagerFactory
.
If I then put a breakpoint in java.lang.ClassLoader.checkCerts(String, CodeSource)
on the throw new SecurityException
line I then see that it hits this line when the passed in CodeSource
is:
(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/eclipselink/2.7.0/eclipselink-2.7.0.jar <no signer certificates>)
I.e. eclipselink-2.7.0.jar
also contain classes that are in the javax.persistence
package but it is unsigned so a clash occurs that results in a SecurityException
being thrown. This happens when something (also deep in Spring logic) tries to load javax.persistence.PersistenceUtil
.
If I look at the output of mvn dependency:tree
I see that this mismatch seems to be down to eclipselink
itself - it is pulling in org.eclipse.persistence:javax.persistence:jar:2.2.0
itself. I.e. it isn't some clash with some other dependency:
[INFO] | \- org.eclipse.persistence:eclipselink:jar:2.7.0:compile
[INFO] | +- org.eclipse.persistence:javax.persistence:jar:2.2.0:compile
[INFO] | +- org.eclipse.persistence:commonj.sdo:jar:2.1.1:compile
[INFO] | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | \- org.glassfish:javax.json:jar:1.0.4:compile
I've logged this now at bugs.eclipse.org - see bug 525457.