We currently have a problem, similar to #17796, concerning the start of fat jars with JDK11 and SecurityManager enabled. The same application runs fine on JDK8 with SecurityManager enabled.
We get the following exception (where AbcApplication is the main class, annotated as SpringBootApplication) when starting the jar using command java -Djava.security.manager -Djava.security.policy=security.policy -jar "build\libs\abc-application.jar":
Exception in thread "main" java.lang.ClassNotFoundException: abc.def.AbcApplication
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:471)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:92)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:46)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:51)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52)
I created a small sample application with spring-boot 2.2.9.RELEASE (see Gist) with the following setup: * Gradle (6.0.1) Build, using the spring-boot gradle plugin * OpenJDK 11.0.10.9 * Developing on a windows machine
Comment From: wilkinsona
Thanks for creating an issue, @sascha-kaufmann. I've reproduced the problem:
$ java -Djava.security.manager -Djava.security.policy=security.policy -jar build/libs/abc-application.jar
Exception in thread "main" java.lang.ClassNotFoundException: abc.def.AbcApplication
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:471)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:151)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:398)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:46)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
As with #17796, the problem does not occur when jar checking is disabled:
$ java -Djava.security.manager -Djava.security.policy=security.policy -Dsun.misc.URLClassPath.disableJarChecking=true -jar build/libs/abc-application.jar
. ____ _ __ _ _
/\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
\\/ ___)| |_)| | | | | || (_| | ) ) ) )
' |____| .__|_| |_|_| |_\__, | / / / /
=========|_|==============|___/=/_/_/_/
:: Spring Boot :: (v2.3.9.RELEASE)
2021-03-08 14:54:34.696 INFO 39143 --- [ main] abc.def.AbcApplication : Starting AbcApplication on wilkinsona-a01.vmware.com with PID 39143 (/Users/awilkinson/Downloads/c342dd56104a75d5ca110b80941a76bb-a5184d96b42701175c491dee0a5a051f61b413be/build/libs/abc-application.jar started by awilkinson in /Users/awilkinson/Downloads/c342dd56104a75d5ca110b80941a76bb-a5184d96b42701175c491dee0a5a051f61b413be)
2021-03-08 14:54:34.700 INFO 39143 --- [ main] abc.def.AbcApplication : No active profile set, falling back to default profiles: default
2021-03-08 14:54:35.772 INFO 39143 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http)
2021-03-08 14:54:35.787 INFO 39143 --- [ main] o.apache.catalina.core.StandardService : Starting service [Tomcat]
2021-03-08 14:54:35.788 INFO 39143 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.43]
2021-03-08 14:54:35.890 INFO 39143 --- [ main] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2021-03-08 14:54:35.891 INFO 39143 --- [ main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1118 ms
2021-03-08 14:54:36.094 INFO 39143 --- [ main] o.s.s.concurrent.ThreadPoolTaskExecutor : Initializing ExecutorService 'applicationTaskExecutor'
2021-03-08 14:54:36.294 INFO 39143 --- [ main] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2021-03-08 14:54:36.304 INFO 39143 --- [ main] abc.def.AbcApplication : Started AbcApplication in 2.091 seconds (JVM running for 2.614)
Note that I'm using Spring Boot 2.3.x here as Spring Boot 2.2.x has been out of support since October 2020. The same -Dsun.misc.URLClassPath.disableJarChecking=true should also work with 2.2.x but you should upgrade if at all possible as any fix we make for this issue will only be available in 2.3.x and later.
Comment From: wilkinsona
It looks like the fix for https://github.com/spring-projects/spring-boot/issues/17796 may not have had the intended effect. It was made in 2.2.7.RELEASE. The sample supplied with this issue fails with symptoms similar to those in #17796 with 2.2.6 and then fails to load abc.def.AbcApplication with 2.2.7 and later. I'm seeing the same behaviour on both macOS and Windows.
Comment From: sascha-kaufmann
Thx a lot for the quick response. We are using the workaround (disable jar checking) in the meantime. The update to 2.3.x / 2.4.x should not be a problem for us (as far as I could see), haven't planned it yet though.
Comment From: philwebb
I think #21126 is causing the problem. We now call close() early which cleans up the resource and ultimately causes:
java.lang.NullPointerException
at java.base/java.util.zip.ZipFile$1.startsWithLocHeader(ZipFile.java:1117)
at java.base/jdk.internal.loader.URLClassPath$JarLoader.checkJar(URLClassPath.java:792)
at java.base/jdk.internal.loader.URLClassPath$Loader.getResource(URLClassPath.java:650)
at java.base/jdk.internal.loader.URLClassPath.getResource(URLClassPath.java:314)
at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:455)
at java.base/java.net.URLClassLoader$1.run(URLClassLoader.java:452)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/java.net.URLClassLoader.findClass(URLClassLoader.java:451)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:589)
at org.springframework.boot.loader.LaunchedURLClassLoader.loadClass(LaunchedURLClassLoader.java:151)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
at java.base/java.lang.Class.forName0(Native Method)
at java.base/java.lang.Class.forName(Class.java:398)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:46)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:107)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88)
Comment From: philwebb
I've applied a "band-aid fix" in 2.3.x, 2.4.x and 2.5.x but ideally we'd do something different. I've opened #26745 to look at refactoring our JarFile class in 2.6.x.