I am using template Spring Boot application with servlets. When I add to the application latest Jersey (for jax-rs) and then add Groovy framework to the application (only for testing) I start having problems running the application from within IntelliJ.
It seems that some libraries on the Groovy classpath collide with the libraries coming from Jersey (servlet-api and ASM) but I am not yet 100% sure this is the problem. For sure the classpath IntelliJ builds is different from maven's
seems to be connected to the tricks that the spring-boot maven plug-in does, but that's only a suspicion. running via java -jar fails, while running via mvn spring-boot:run works (from the command line as well from IntelliJ).
I get this exception:
Caused by: org.apache.catalina.LifecycleException: A child container failed during start
looks like part of the problem was how I set-up my gmaven.
when I set it up like in this post https://stackoverflow.com/a/19539452/672738 the problem is gone and my application happily boots with java -jar in IntelliJ
I just solve this problem.
Groovy also includes the servlet-api lib which is conflict with the lib imported by spring boot.
You can just exclude the servlet-api from groovy.
Related
I have read a lot about how bad this issue is and understand the options available to locate it within the code our company is producing and update servers that are using vulnerable versions.
What I am unable to find is if a particular server does not have Java installed i.e. if I log in as root and run java -version and get java: command not found is this server completely safe from this issue and so I can move on?
My initial instinct was: no Java - no issue. However, GitHub released an update for their Enterprise servers stating:
CRITICAL: A remote code execution vulnerability in the Log4j library, identified as CVE-2021-44228, affected all versions of GitHub Enterprise Server prior to 3.3.1. The Log4j library is used in an open-source service running on the GitHub Enterprise Server instance. This vulnerability was fixed in GitHub Enterprise Server versions 3.0.22, 3.1.14, 3.2.6, and 3.3.1. For more information, please see this post on the GitHub Blog.
And yet Java is not installed on their enterprise server.
I am guessing the offending service must be with Java running in a docker container. So I think I need to consider Java on the machine or Java running in a container.
Are there other hidden ways I have not considered in which this log4j process can be running?
log4j2 is a library that must be used by a running java process, to be vulnarable. But you are right, that checking if the java command is installed to the command line is not enough.
Here are two options (not meant to be complete), how your system could still be vulnerable without having the java command available on the command line.
Java could be downloaded into a directory without adding the java command or directory to the executable PATH. By using a .bash (or .bat) script a java process pointing to the downloaded java version could still be started. But when the directory is not added to the path, you will not find the java command enabled.
Java could be running inside of a docker container. the java command would only be available inside of your docker container but not visible from outside. I am not sure if an additional exploit would be required to break out of the container of if this is easily possible without extra effort.
I don't have a full answer yet but very definitely NO you are not safe even if Java is not installed, and Docker is not installed, and Java is not running in the process list, and Java is not in your yum/apt installed applications lists.
An obvious case I had not considered is when Java is added to an app as a JRE.
A Coverity platform server we have does not install Java but Java is running e.g. ps -ax | grep java
/home/coverity/cov_platform-2021.9.0/jre/bin/java -Djava.awt.headless=true -Djdk.tls......
Working out if a vulnerable version of Log4j is included in that JRE is much harder.
Further, just checking the process list is not enough either. In this case the process list contained java but Java may only be run when triggered by another process e.g. cron, nginx, etc
When I am using runAs inside eclipse I am always getting this error.
Error: Could not find or load main class com.xx.api.Application
How to fix this ?
It depends on your version of Eclipse, on what you have installed, on how you configured everything...
What you can do:
Install Spring Tool Suite : it's an Eclipse version with everything already set up, so you can get started quickly
Use JHipster's new Vagrant devbox which will give you a virtualized environment with everything pre-configured for you
Thanks for looking into this. I am using Spring Tool Suite. I am trying to use gradle eclipse plugin. This is where i was getting errors.
When i switched to import project as gradle project It started working. However I have generated DTO using the jhipster-uml.
This generate the mapper classes in build folder by default. Now when i run the application, It fails to find mapper classes.
I am able to make is work by generating the mapper classes into my source folder for now.
Thanks for help.
I've successfully setup a spring-boot-groovytemplates and actuator project.
However, when adding springloaded to buildscript/dependencies block, I get the following stracktrace when recompiling in IDEA
java.lang.NoSuchFieldException: classCache
at java.lang.Class.getDeclaredField(Class.java:1918)
at org.springsource.loaded.agent.SpringPlugin.clearCachedIntrospectionResults(SpringPlugin.java:162)
at org.springsource.loaded.agent.SpringPlugin.reloadEvent(SpringPlugin.java:127)
at org.springsource.loaded.TypeRegistry.fireReloadEvent(TypeRegistry.java:1767)
at org.springsource.loaded.ReloadableType.loadNewVersion(ReloadableType.java:405)
at org.springsource.loaded.TypeRegistry.loadNewVersion(TypeRegistry.java:845)
at org.springsource.loaded.agent.ReloadableFileChangeListener.fileChanged(ReloadableFileChangeListener.java:51)
at org.springsource.loaded.agent.Watcher.determineChangesSince(FileSystemWatcher.java:235)
at org.springsource.loaded.agent.Watcher.run(FileSystemWatcher.java:219)
at java.lang.Thread.run(Thread.java:695)
Any clues?
You don't mention which versions of Spring Framework or Spring Loaded you're using, but I would guess that you're trying to use Spring Loaded 1.2.0 with Spring Framework 4.1. It looks like you've hit this bug in Spring Loaded. You should upgrade to Spring Loaded 1.2.1 as it contains a change that fixes the problem and makes it compatible with Spring Framework 4.1.
I am on a Linux Mint machine where I installed the latest version of Java (HotSpot VM 1.7.0_45) and using Gradle 1.8.
I also have Groovy installed, version 1.8.6, but I think that does not matter as Gradle has its own groovy-all.jar.
My problem is that I could not compile my Groovy project using gradle because the JavaFX classes do not seem to be in the classpath. The errors are like this:
unable to resolve class javafx.scene.Node
# line 3, column 1.
import javafx.scene.Node
I finally fixed this by adding the following horrible hard-coded path into my dependencies:
compile files( "/usr/lib/jvm/java-7-oracle/jre/lib/jfxrt.jar" )
Is there a better way to add JavaFX to Gradle's compilation classpath so that it is visible to all my projects without me having to add this to each one of them??
I have tried everything I could imagine:
added the jfxrt.jar to the standard JRE (I confirmed gradle is using my standard java to run) ext folder, so that I now can compile java classes with javac and run them with java (I know that in this version of Java the JavaFX jar should be already in the JDK's classpath, but I still couldn't RUN, as opposed to compile, my Java app before doing this).
also added a soft link to the same jar in the groovy classpath, so that I can do something like shown below from the groovy shell and it works:
import javafx.application.Application as A ; println A
This also works in the Groovy Console.
It only does not work in Gradle!
Thanks for any help.
Use the JavaFX Gradle Plugin.
The JavaFX Gradle Plugin should be able to work out where the JavaFX runtime is located without you having to perform manual, environment specific configuration.
For further information on JavaFX classpath resolution (not Gradle related), see:
Compile code using JavaFX 2.0 (using command line).
Also note, if you are using Oracle Java 8 or newer, JavaFX classes are now on the default runtime classpath for an Oracle Java implementation.
Incidentally, the build system for the entire JavaFX system is based on Gradle, so there is definitely no incompatibility between JavaFX and Gradle.
Has anyone had success implementing IBM Worklight 5.0.6 Adapters using the Groovy language? Ie. Instead of calling a Java class from the JS adapter call a Groovy class. We have tried this and it seems to work most of the time but randomly we will get strange errors when invoking an adapter procedure. Ie.
Failed to create DGM method proxy : java.lang.NoSuchMethodException: org.codehaus.groovy.runtime.dgm$24.<init>(java.lang.String, org.codehaus.groovy.reflection.CachedClass, java.lang.Class, [Ljava.lang.Class;)
FWLSE0101E: Caused by: java.lang.NoSuchMethodException: org.codehaus.groovy.runtime.dgm$24.<init>(java.lang.String, org.codehaus.groovy.reflection.CachedClass, java.lang.Class, [Ljava.lang.Class;)
Unit tests executing the Groovy code run fine within Eclipse and the Groovy code seems to be compiling fine down to .class files and included in the adapter package. We're wondering if this is an issue with Groovy itself or invoking Groovy within the Worklight server container. I believe Worklight is using Rhino behind the scenes which may also be a culprit?
We are using Groovy 2.1.5 and the Eclipse plugin 2.8
did you open the .war and check if all compiled classes and libraries are actually in there?
We had the case quite often that the WL Eclipse Plugin/Build did not compile and package our Java Classes for the Adapter in the "server" folder ... they were missing in the .war file that we deployed and we got all sorts of Rhino, ClassNotFound etc. errors.
In addition to previous answer. You can always force a rebuild by selecting the project in the Enterprise Explorer or Navigator views, then select menu Project -> Clean -> Clean Projects Selected Below (the only choice should be your project).
This will clean the binaries, then rebuild your entire project.