EclipseLink 2.7.0 and JPA API 2.2.0 – signature mismatch

by

Thanks Stéphane – the edit at the end of your question helped me “fix” the same problem. For anyone else who hits this as well – here is an expanded answer. This is what you need to “fix” things in your pom (until Eclipse fix things properly):

<!-- See https://stackoverflow.com/q/45870753 -->
<dependency>   
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>eclipselink</artifactId>
    <version>2.7.0</version>
    <exclusions>
        <exclusion>
            <groupId>org.eclipse.persistence</groupId>
            <artifactId>javax.persistence</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>javax.persistence</artifactId>
    <version>2.1.1</version>
</dependency>

This pulls in eclipselink but excludes the javax.persistence dependency that it tries to pull in and replaces it with an earlier version of javax.persistence that doesn’t have the signing issue.

Aside: javax.persistence version 2.2.0 is explicitly pulled in, in the pom fragment shown in the original question, despite already being a transitive dependency of eclipselink.

Explanation

Summary – the eclipselink artifact depends on javax.persistence and both contain classes that are in the package javax.persistence. However the javax.persistence jar is signed while the eclipselink one is not. So the Java runtime will complain, when loading a class from the package javax.persistence in the eclipselink jar, that it’s lack of signing doesn’t match with classes already loaded from the same package in the javax.persistence jar.

Details – if I put a breakpoint in java.util.concurrent.ConcurrentHashMap.putIfAbsent(K, V) with condition "javax.persistence".equals(arg0) then I see that javax.persistence is mapped to the following CodeSource value:

(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/javax.persistence/2.2.0/javax.persistence-2.2.0.jar [
[
  Version: V3
  Subject: CN="Eclipse Foundation, Inc.", OU=IT, O="Eclipse Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  ...

I.e. javax.persistence-2.2.0.jar is signed by the Eclipse Foundation and contains classes in the package javax.persistence. This jar is pulled in when some part of my application (actually something deep in Spring logic) tries to load javax.persistence.EntityManagerFactory.

If I then put a breakpoint in java.lang.ClassLoader.checkCerts(String, CodeSource) on the throw new SecurityException line I then see that it hits this line when the passed in CodeSource is:

(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/eclipselink/2.7.0/eclipselink-2.7.0.jar <no signer certificates>)

I.e. eclipselink-2.7.0.jar also contain classes that are in the javax.persistence package but it is unsigned so a clash occurs that results in a SecurityException being thrown. This happens when something (also deep in Spring logic) tries to load javax.persistence.PersistenceUtil.

If I look at the output of mvn dependency:tree I see that this mismatch seems to be down to eclipselink itself – it is pulling in org.eclipse.persistence:javax.persistence:jar:2.2.0 itself. I.e. it isn’t some clash with some other dependency:

[INFO] |  \- org.eclipse.persistence:eclipselink:jar:2.7.0:compile
[INFO] |     +- org.eclipse.persistence:javax.persistence:jar:2.2.0:compile
[INFO] |     +- org.eclipse.persistence:commonj.sdo:jar:2.1.1:compile
[INFO] |     +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |     \- org.glassfish:javax.json:jar:1.0.4:compile

I’ve logged this now at bugs.eclipse.org – see bug 525457.

More Related Contents:

  1. The JPA hashCode() / equals() dilemma
  2. Please explain about insertable=false and updatable=false in reference to the JPA @Column annotation
  3. Parameter in like clause JPQL
  4. stream on JPA lazy list
  5. Java8 Collections.sort (sometimes) does not sort JPA returned lists
  6. Disable caching in JPA (eclipselink)
  7. No operator matches the given name and argument type(s). You might need to add explicit type casts. — Netbeans, Postgresql 8.4 and Glassfish
  8. Is it possible to write a generic enum converter for JPA?
  9. JPA: JOIN in JPQL
  10. Why does this stream return no element?
  11. What is a JPA implementation?
  12. How to use Postgres JSONB datatype with JPA?
  13. having an exception when saving oracle type object in some entity
  14. How can I make a JPA OneToOne relation lazy
  15. org.hibernate.HibernateException: Access to DialectResolutionInfo cannot be null when ‘hibernate.dialect’ not set
  16. Spring Boot – Cannot determine embedded database driver class for database type NONE
  17. JPA : How to convert a native query result set to POJO class collection
  18. Why does JPA have a @Transient annotation?
  19. How to persist a property of type List in JPA?
  20. Validate JAXBElement in JPA/JAX-RS Web Service
  21. Hibernate and no PK
  22. When does the JPA set a @GeneratedValue @Id
  23. JPA @OneToOne with Shared ID — Can I do this Better?
  24. annotation to filter results of a @OneToMany association
  25. Is it possible to dynamically define column names in Hibernate / JPA?
  26. Hibernate: “Field ‘id’ doesn’t have a default value”
  27. How to use @Transactional with Spring Data?
  28. @Basic(optional = false) vs @Column(nullable = false) in JPA
  29. How to enable LockModeType.PESSIMISTIC_WRITE when looking up entities with Spring Data JPA?
  30. Spring Data + JPA with multiple datasources but only one set of Repositories

Leave a Comment