Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- rsa-1.16.1
- None
- None
- Aries RSA 1.16.1, bug discovered while running in Karaf 4.4.3, OpenJDK 11 on Linux.
Description
The TCP provider uses BasicObjectInputStream to deserialize objects such as method parameters passed to the remote service. This class overrides the resolveClass method to use the service bundle's classloader to load classes. However, it fails to account for transitive references: if a service method parameter is an object of class A in package 'a' (imported by the service), but contains a field of class B from package 'b' (imported by class A but not directly by the service), then a ClassNotFoundException is thrown stating that the service's classloader can't find class B (which it indeed does not import).
I think the resolveClass method should not use only the service's top-level classloader to load all classes, but should also save the bundle classloaders of the loaded classes it encounters and try using them to load transitive class references. Perhaps something like what is suggested in https://stackoverflow.com/a/13876075 (with added validation and error handling).
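A sketch of the approach proposed in the description, as an added example that is not Aries RSA code and not part of the original report: an ObjectInputStream that remembers the defining classloader of every class it resolves and retries later lookups against them, with a package allow-list as the validation step. The class name `TransitiveLoaderObjectInputStream` and the `allowedPrefixes` parameter are hypothetical.

```java
import java.io.*;
import java.util.*;

/** Hypothetical sketch, not the project's BasicObjectInputStream. */
public class TransitiveLoaderObjectInputStream extends ObjectInputStream {
    // Insertion-ordered: the service bundle's loader is always tried first.
    private final Set<ClassLoader> loaders = new LinkedHashSet<>();
    // Assumption: the deployer supplies the package prefixes it accepts.
    private final List<String> allowedPrefixes;

    public TransitiveLoaderObjectInputStream(InputStream in, ClassLoader serviceLoader,
            List<String> allowedPrefixes) throws IOException {
        super(in);
        loaders.add(Objects.requireNonNull(serviceLoader));
        this.allowedPrefixes = List.copyOf(allowedPrefixes);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Validate before any loader is consulted, so widening the set of
        // loaders does not widen the set of classes a peer can instantiate.
        if (!isAllowed(name)) {
            throw new InvalidClassException(name, "not on deserialization allow-list");
        }
        ClassNotFoundException last = null;
        for (ClassLoader cl : loaders) {
            try {
                Class<?> c = Class.forName(name, false, cl);
                // Class A is resolved before its field of class B is read, so
                // A's bundle loader is known by the time B must be found.
                if (c.getClassLoader() != null) loaders.add(c.getClassLoader());
                return c; // return at once: the set is not iterated after add
            } catch (ClassNotFoundException e) {
                last = e;
            }
        }
        throw last; // loaders is never empty, so last is set here
    }

    private boolean isAllowed(String name) {
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') dims++;
        if (dims > 0) { // array descriptor such as "[Lcom.example.A;" or "[I"
            if (dims >= name.length()) return false;
            if (name.charAt(dims) != 'L') return true; // primitive array
            name = name.substring(dims + 1, name.length() - 1);
        }
        for (String p : allowedPrefixes) if (name.startsWith(p)) return true;
        return false;
    }
}
```

Trying every remembered loader can pick a class from a different bundle version than the one the sender used when several versions of a package are installed, so the order of `loaders` matters. The allow-list must also cover the JDK packages the service's parameter types rely on, such as `java.lang.` and `java.util.`.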