CGLib doesn't play nice when JARs are signed. It generates classes in the same package as the class being enhanced. This results in a Security Exception because the generated classes aren't signed but the rest of the jars in the package are. The full exception text is:

java.lang.SecurityException: class "test.dao.DaoImpl$$FastClassByGuice$$fbce6afa"'s signer information does not match signer information of other classes in the same package

It would be good if we could make it possible to at least use the Dependency Injection parts of GUICE without causing this problem. This could be done by generating the classes in a different package (the attached patch causes them to be generated in a package with $ prepended).

Alternatively a flag to turn off CGLib enhancement along with some of the more advanced functionality (like method interceptor) would allow the basic dependency injection functions to be used.

A third alternative would be to only generate the CGLib classes when they're required by such advanced functionality, but I haven't investigated the code base enough to know if this is feasible or not.

Original issue reported on code.google.com by edward.c...@orionhealth.com on 6 Sep 2007 at 3:42

Generating in a separate package will break overriding package private methods for method interceptors, etc.

We should just provide a version of Guice which doesn't use cglib.

Original comment by crazybob...@gmail.com on 9 Sep 2007 at 9:21
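
The per-package signer check behind the exception in this thread can be reproduced without a signed JAR. The Java program below is an added example, not code from Guice, CGLib or the attached patch; the package `demo`, the classes `SignerDemo`, `Dao`, `Generated` and `Loader`, and the stand-in certificate are all constructed for illustration. Compile it with `javac -d . SignerDemo.java` and run `java demo.SignerDemo`.

```java
package demo;

import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.PublicKey;
import java.security.cert.Certificate;

public class SignerDemo {
    static class Dao {}        // stands in for a class loaded from a signed JAR
    static class Generated {}  // stands in for a class generated at runtime

    // Constructed stand-in certificate: defineClass only compares the
    // certificates recorded for a package, it does not verify signatures.
    static Certificate fakeCert(String id) {
        return new Certificate("X.509") {
            public byte[] getEncoded() { return id.getBytes(); }
            public void verify(PublicKey key) {}
            public void verify(PublicKey key, String provider) {}
            public String toString() { return id; }
            public PublicKey getPublicKey() { return null; }
        };
    }

    // Defines classes itself so the CodeSource (and its signers) is ours to choose.
    static class Loader extends ClassLoader {
        Loader() { super(SignerDemo.class.getClassLoader()); }

        Class<?> define(Class<?> src, Certificate[] certs) throws Exception {
            String res = src.getName().replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(res)) {
                byte[] b = in.readAllBytes();
                CodeSource cs = new CodeSource(null, certs);
                return defineClass(src.getName(), b, 0, b.length, new ProtectionDomain(cs, null));
            }
        }
    }

    // Returns "defined" or the SecurityException message for the second class.
    static String tryDefine(Certificate[] daoCerts, Certificate[] genCerts) throws Exception {
        Loader loader = new Loader(); // the package-to-signers record is kept per loader
        loader.define(Dao.class, daoCerts);
        try {
            loader.define(Generated.class, genCerts);
            return "defined";
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Certificate[] signer = { fakeCert("constructed-signer") };
        System.out.println("signed, then unsigned:    " + tryDefine(signer, null));
        System.out.println("signed, then same signer: " + tryDefine(signer, signer));
    }
}
```

The first case mirrors the report: the first class defined in a package fixes that package's signers for the loader, and a later class in the same package with no signers is rejected at `defineClass`.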