EclipseLink 2.7.0 and JPA API 2.2.0 - signature mismatch

让人想犯罪 __ 提交于 2019-11-27 13:52:20

Thanks Stéphane - the edit at the end of your question helped me "fix" the same problem. For anyone else who hits this as well - here is an expanded answer. This is what you need to "fix" things in your pom (until Eclipse fix things properly):

<!-- See https://stackoverflow.com/q/45870753 -->
<dependency>   
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>eclipselink</artifactId>
    <version>2.7.0</version>
    <exclusions>
        <exclusion>
            <groupId>org.eclipse.persistence</groupId>
            <artifactId>javax.persistence</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>javax.persistence</artifactId>
    <version>2.1.1</version>
</dependency>

This pulls in eclipselink but excludes the javax.persistence dependency that it tries to pull in and replaces it with an earlier version of javax.persistence that doesn't have the signing issue.

Aside: javax.persistence version 2.2.0 is explicitly pulled in, in the pom fragment shown in the original question, despite already being a transitive dependency of eclipselink.

Explanation

Summary - the eclipselink artifact depends on javax.persistence and both contain classes that are in the package javax.persistence. However the javax.persistence jar is signed while the eclipselink one is not. So the Java runtime will complain, when loading a class from the package javax.persistence in the eclipselink jar, that it's lack of signing doesn't match with classes already loaded from the same package in the javax.persistence jar.

Details - if I put a breakpoint in java.util.concurrent.ConcurrentHashMap.putIfAbsent(K, V) with condition "javax.persistence".equals(arg0) then I see that javax.persistence is mapped to the following CodeSource value:

(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/javax.persistence/2.2.0/javax.persistence-2.2.0.jar [
[
  Version: V3
  Subject: CN="Eclipse Foundation, Inc.", OU=IT, O="Eclipse Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  ...

I.e. javax.persistence-2.2.0.jar is signed by the Eclipse Foundation and contains classes in the package javax.persistence. This jar is pulled in when some part of my application (actually something deep in Spring logic) tries to load javax.persistence.EntityManagerFactory.

If I then put a breakpoint in java.lang.ClassLoader.checkCerts(String, CodeSource) on the throw new SecurityException line I then see that it hits this line when the passed in CodeSource is:

(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/eclipselink/2.7.0/eclipselink-2.7.0.jar <no signer certificates>)

I.e. eclipselink-2.7.0.jar also contain classes that are in the javax.persistence package but it is unsigned so a clash occurs that results in a SecurityException being thrown. This happens when something (also deep in Spring logic) tries to load javax.persistence.PersistenceUtil.

If I look at the output of mvn dependency:tree I see that this mismatch seems to be down to eclipselink itself - it is pulling in org.eclipse.persistence:javax.persistence:jar:2.2.0 itself. I.e. it isn't some clash with some other dependency:

[INFO] |  \- org.eclipse.persistence:eclipselink:jar:2.7.0:compile
[INFO] |     +- org.eclipse.persistence:javax.persistence:jar:2.2.0:compile
[INFO] |     +- org.eclipse.persistence:commonj.sdo:jar:2.1.1:compile
[INFO] |     +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |     \- org.glassfish:javax.json:jar:1.0.4:compile

I've logged this now at bugs.eclipse.org - see bug 525457.

To fix this issue, put in the correct JPA 2.2 compliant dependency for EclipseLink 2.7.x, in your maven pom file, as:

<dependency>
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>org.eclipse.persistence.jpa</artifactId>
    <version>2.7.1</version>
</dependency>

eclipselink.jar as such is designed as all-in-one bundle, not osgi enabled jar containing all partsof eclipselink project (ie sdo, oracle db specific stuff, dbws, nosql..) with ability to run with jpa api 2.0 on the classpath - at least in 2.x versions. In many cases this is not needed and proper components can be used instead, such as org.eclipse.persistence.jpa, org.eclipse.persistence.oracle etc. For the full list see ie: http://search.maven.org/#search%7Cga%7C1%7Corg.eclipse.persistence

I fixed this by switching the order in which the jars appear in the classpath. In my case, I'm using Tomcat and had to modify catalina.properties to put javax before eclipselink.

Obinna's answer is correct; I guess that there was an issue with eclipselink 2.7.x –as George indicated. I had a similar issue when upgrading eclipselink, but it was just wrong artefacts. The initially described issue seems to be a result of externally referencing javax.persistence level - it is definitely not necessary.

Proper maven configuration can be found in eclipselink wiki: https://wiki.eclipse.org/EclipseLink/Maven

This strange situation still seems to exist, in my case not using Maven, just trying to get a simple JPA example to run (and it is really frustrating if you need hours just to achieve that).

With 2.7.4 from January, this error occurs if you put the eclipselink.jar and jakarta.persistence_2.2.2.jar from the zip on the classpath.

In the end solution was to change order on the classpath: first the jakarta-persistence and only after that the eclipselink-jar. So all javax.persistence classes are taken from jakarta-jar and not partly of the eclipselink-jar (if included there).

So I really wonder various things.

The eclipselink package should be all-in-one? But it is not. Some javax.persistence classes are contained. Others not - basic classes to be used in JPA code like EntityManager. Of course, together with the jakarta-jar included in the zip it is complete - but you may not use the two jars together with the "wrong" order on the classpath!? I really consider this a bug - or at least there should be a HUGE hint about this in the package then.

What is the org.eclipse.persistence.jpa-2.7.4.jar from Maven that is suggested here? It does not have the problems of the eclipselink.jar yes, not this error message. But then it also just seems not to include the Eclipselink JPA implementation, at least running with it I got error that persistence-unit referenced in code does not exist (same persistence.xml working with eclipselink.jar).

Strange situation.

My project was working on JDK-8, but stopped to work when I upgraded it to openJDK-11. I solved it excluding the jpa-persistence module, and adding again on the version 2.2:

   dependencies.create('org.eclipse.persistence:eclipselink:2.7.4') {
      exclude module: "javax.persistence"
   },
   'javax.persistence:javax.persistence-api:2.2', //add it again, manually
   'org.eclipse.persistence:org.eclipse.persistence.asm:2.7.4',
   'org.eclipse.persistence:org.eclipse.persistence.antlr:2.7.4',
   'org.eclipse.persistence:org.eclipse.persistence.moxy:2.7.4',
   'org.eclipse.persistence:org.eclipse.persistence.core:2.7.4'

I also run into this problem, with my case being a bit different, in that I am not using Maven. However, I place an answer here, as it might give people an idea about how to deal with this in their own situation. After all, the title is about this mismatch, in general, one sub-case being when using Maven.

I am using eclipselink in a NetBeans project. Initially, I was placing both the the eclipselink jar file (eclipselink-2.7.0.jar) and the needed org.eclipse.persistence jar files as external libraries to my project. Comments by Sergey and entreprenr above are what actually lead me to solve my problem. What I had to do was create a new library (Tools->Libraries->New Library...) which does not contain the eclipselink jar file (i.e. eclipselink-2.7.0.jar is not added in the library), only the specific org.eclipse.persistence jar files that are necessary for the project, e.g. org.eclipse.persistence.antlr-2.7.0.jar, org.eclipse.persistence.asm-2.7.0.jar, org.eclipse.persistence.core-2.7.0.jar, org.eclipse.persistence.jpa.modelgen.processor-2.7.0.jar, org.eclipse.persistence.jpa-2.7.0.jar, etc. I then added this library to my project and the exception vanished.

Of course, I also had to replace all org.eclipse.persistence jar files on my server with their 2.7.0 version and also replace the javax.persistence.jar with its 2.2.0 version (I use payara, so these are located under <payara_home>\glassfish\modules).

I'm using gradle in my project build and to solve the OP's problem, which I had as well, I finally used the following working setup.

dependencies {

    testImplementation(group: 'org.eclipse.persistence', name: 'eclipselink', version: '2.7.4') {
        exclude group: 'javax.validation', module: 'validation-api'
        exclude group: 'org.eclipse.persistence', module: 'javax.persistence'
        exclude group: 'org.eclipse.persistence', module: 'commonj.sdo'
        exclude group: 'org.eclipse.persistence', module: 'jakarta.persistence'
    }

    testImplementation(group: 'org.eclipse.persistence', name: 'org.eclipse.persistence.jpa', version: '2.7.4') {
        exclude group: 'org.eclipse.persistence', module: 'jakarta.persistence'
    }

}

Instead of "testImplementation" you can of course use any dependency type you want or need.

After reading Sergey's comment I've improved this by just using:

dependencies {
    testImplementation group: 'org.eclipse.persistence', name: 'org.eclipse.persistence.jpa', version: '2.7.4'
}

I think the last one is the best solution.

Because I could not find an answer for this problem when only using a Tomcat and this thread is often linked with this problem, I am going to post my solution here:

Since the signature is in the MANIFEST.MF you can change the signatures in the .jar files using 7zip or WinRAR to open them or simply delete them from the META-INF files of both .jar's and then import the changed files to your IDE.

A useful thread for the Signature-Mismatch-Problem is this thread: Java SecurityException: signer information does not match

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!