EclipseLink 2.7.0 和 JPA API 2.2.0 - 签名不匹配 [英] EclipseLink 2.7.0 and JPA API 2.2.0 - signature mismatch
问题描述
运行由 maven 构建的具有以下依赖项的项目时:
When running a project built by maven with the following dependencies:
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>javax.persistence</artifactId>
<version>2.2.0</version>
</dependency>
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>eclipselink</artifactId>
<version>2.7.0</version>
</dependency>
我在运行时收到以下错误:
I get the following error at runtime:
java.lang.SecurityException: class "javax.persistence.Cacheable"'s signer information does not match signer information of other classes in the same package
javax.persistence-2.2.0 工件已签名并包含 javax.persistence.Cacheable.class 批注,而 eclipselink-2.7.0 工件未签名并包含相同的 java类注释.
The javax.persistence-2.2.0 artifact is signed and contains the javax.persistence.Cacheable.class annotation, while the eclipselink-2.7.0 artifact is not signed and also contains the same java class annotation.
如何解决这个问题?
编辑
用 2.1.1 版本替换 javax.persistence 工件版本 2.2.0 解决了这个问题(这个没有签名),但我不确定这是正常情况.
Replacing the javax.persistence artifact version 2.2.0 by the version 2.1.1 fixes the problem (this one is not signed), but I'm not sure it's a normal situation.
推荐答案
谢谢 Stéphane - 您问题末尾的编辑帮助我解决"了同样的问题.对于也遇到此问题的任何其他人 - 这是一个扩展的答案.这是你需要在你的 pom 中修复"东西(直到 Eclipse 正确修复):
Thanks Stéphane - the edit at the end of your question helped me "fix" the same problem. For anyone else who hits this as well - here is an expanded answer. This is what you need to "fix" things in your pom (until Eclipse fix things properly):
<!-- See https://stackoverflow.com/q/45870753 -->
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>eclipselink</artifactId>
<version>2.7.0</version>
<exclusions>
<exclusion>
<groupId>org.eclipse.persistence</groupId>
<artifactId>javax.persistence</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.eclipse.persistence</groupId>
<artifactId>javax.persistence</artifactId>
<version>2.1.1</version>
</dependency>
这会引入 eclipselink 但排除了它试图引入的 javax.persistence 依赖项,并将其替换为早期版本的 javax.persistence没有签名问题.
This pulls in eclipselink but excludes the javax.persistence dependency that it tries to pull in and replaces it with an earlier version of javax.persistence that doesn't have the signing issue.
旁白:javax.persistence 版本 2.2.0 被明确拉入,在原始问题中显示的 pom 片段中,尽管已经是 eclipselink.
Aside: javax.persistence version 2.2.0 is explicitly pulled in, in the pom fragment shown in the original question, despite already being a transitive dependency of eclipselink.
总结 - eclipselink 工件依赖于 javax.persistence 并且都包含 javax.persistence 包中的类.但是,javax.persistence jar 已签名,而 eclipselink 未签名.因此,Java 运行时会抱怨,当从 eclipselink jar 中的包 javax.persistence 加载类时,它缺少签名与已加载的类不匹配javax.persistence jar 中的相同包.
Summary - the eclipselink artifact depends on javax.persistence and both contain classes that are in the package javax.persistence. However the javax.persistence jar is signed while the eclipselink one is not. So the Java runtime will complain, when loading a class from the package javax.persistence in the eclipselink jar, that it's lack of signing doesn't match with classes already loaded from the same package in the javax.persistence jar.
详细信息 - 如果我在 java.util.concurrent.ConcurrentHashMap.putIfAbsent(K, V) 中放置一个断点,条件为 "javax.persistence".equals(arg0) 然后我看到 javax.persistence 被映射到以下 CodeSource 值:
Details - if I put a breakpoint in java.util.concurrent.ConcurrentHashMap.putIfAbsent(K, V) with condition "javax.persistence".equals(arg0) then I see that javax.persistence is mapped to the following CodeSource value:
(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/javax.persistence/2.2.0/javax.persistence-2.2.0.jar [
[
Version: V3
Subject: CN="Eclipse Foundation, Inc.", OU=IT, O="Eclipse Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
...
即javax.persistence-2.2.0.jar 由 Eclipse Foundation 签名并包含 javax.persistence 包中的类.当我的应用程序的某些部分(实际上是 Spring 逻辑中的某些部分)尝试加载 javax.persistence.EntityManagerFactory 时,会拉入这个 jar.
I.e. javax.persistence-2.2.0.jar is signed by the Eclipse Foundation and contains classes in the package javax.persistence. This jar is pulled in when some part of my application (actually something deep in Spring logic) tries to load javax.persistence.EntityManagerFactory.
如果我在 java.lang.ClassLoader.checkCerts(String, CodeSource) 的 throw new SecurityException 行中放置一个断点,然后我看到它命中了这一行当传入的 CodeSource 是:
If I then put a breakpoint in java.lang.ClassLoader.checkCerts(String, CodeSource) on the throw new SecurityException line I then see that it hits this line when the passed in CodeSource is:
(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/eclipselink/2.7.0/eclipselink-2.7.0.jar <no signer certificates>)
即eclipselink-2.7.0.jar 还包含 javax.persistence 包中的类,但它是未签名的,因此发生冲突导致 SecurityException被抛出.当某些东西(也在 Spring 逻辑中很深)尝试加载 javax.persistence.PersistenceUtil 时会发生这种情况.
I.e. eclipselink-2.7.0.jar also contain classes that are in the javax.persistence package but it is unsigned so a clash occurs that results in a SecurityException being thrown. This happens when something (also deep in Spring logic) tries to load javax.persistence.PersistenceUtil.
如果我查看 mvn dependency:tree 的输出,我发现这种不匹配似乎归结为 eclipselink 本身 - 它正在拉入 org.eclipse.persistence:javax.persistence:jar:2.2.0 本身.IE.它与其他一些依赖关系没有冲突:
If I look at the output of mvn dependency:tree I see that this mismatch seems to be down to eclipselink itself - it is pulling in org.eclipse.persistence:javax.persistence:jar:2.2.0 itself. I.e. it isn't some clash with some other dependency:
[INFO] | - org.eclipse.persistence:eclipselink:jar:2.7.0:compile
[INFO] | +- org.eclipse.persistence:javax.persistence:jar:2.2.0:compile
[INFO] | +- org.eclipse.persistence:commonj.sdo:jar:2.1.1:compile
[INFO] | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | - org.glassfish:javax.json:jar:1.0.4:compile
我现在已经在 bugs.eclipse.org 上记录了这个 - 参见 bug 525457.
I've logged this now at bugs.eclipse.org - see bug 525457.
这篇关于EclipseLink 2.7.0 和 JPA API 2.2.0 - 签名不匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
