ChemAxon 990acf0dec
16-06-2010 16:24:44
This issue arrived by email, but might be interesting for others as well:
-------
We have a J2EE enterprise web application that uses Marvin viewer
applet (v5.1.0) for rendering small molecule structures. This
application was running all good on WebLogic server 9.2 and we
currently are in the final stages of migrating this application to
JBoss application server v4.3. Now we have used the same jar files
from our previous version and we start to see a security error at
the start up. Please see the attached file for the error trace.
Some more technical info:
1. There is a start up servlet that gives this error at
application startup time.
2. Although there is a minor difference in the class loading
process between WebLogic and JBoss servers, we managed to keep
the same class hierarchy following all the J2EE standard
conventions. So the only obvious difference I see was the JBoss
server seemingly being stricter in security, enforcing and
validating consistency of the jar signing etc., while
WebLogic was just easy on this part.
3. One other notable difference is the JDK being used as server
runtime with the two app servers. WebLogic server 9.2 runs
against jdk1.5.0_04 while JBoss runs on jdk1.6.0_u16.
4. This app is an ear file with a path <EAR_ROOT>/APP-INF/lib
containing the parent classloader at ear level thus making
libraries available to the middle tier(EJB, JPA, direct JDBC
etc) and then war file under this directory
<EAR_ROOT>/smdiWeb/WebRoot/marvin containing all Marvin jar
files. The APP-INF/lib contains MarvinBeans.jar,
jmarvin.jar, marvin.jar and imageexport.jar files while they
also appear under marvin directory under web module
Questions:
1. Is there a way to get a single jar file(signed or
unsigned) that includes all the stuff scattered under marvin
directory? That way we have just one single file to manage
and I think will be easier to sign or unsign as necessary.
We see jar files at many places under marvin dir and under
/sjars etc. Please advise.
2. Obviously we see security error warning that the files we
had were not consistently signed or sth due to which server
runtime complains the consistency. Should we try unsigned
version? If so what is the best way? Any downside to using
unsigned version of all jar files. A single jar file
solution to my question 1 would simplify this as well.
3. It would be nice if we understand the functional level info
on what jar file(s) are meant for which function, etc. So
this info would help us better manage our Marvin libraries
being used in application over time.
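
An added example, not part of the original post or ChemAxon's code: a quick audit for the situation described above, where copies of jars sit at both the ear level and under the web module and may not be signed consistently. It assumes the startup error comes from the JVM refusing to load classes of one package from jars with different signers, and it only compares signature file names (`META-INF/*.SF`), not certificates; the jar names and the `example/...` packages are constructed sample data.

```python
import io
import zipfile
from collections import defaultdict

def signer_ids(zf):
    """Names of the signature files directly under META-INF; empty set = unsigned jar."""
    return frozenset(
        n.rsplit("/", 1)[-1].upper()
        for n in zf.namelist()
        if n.upper().startswith("META-INF/") and n.upper().endswith(".SF")
        and n.count("/") == 1
    )

def class_packages(zf):
    """Package directories (slash-separated) that contain at least one .class file."""
    return {n.rsplit("/", 1)[0] if "/" in n else ""
            for n in zf.namelist() if n.endswith(".class")}

def mixed_signing(jars):
    """jars: {label: path or file object}.
    Returns {package: {label: signer_ids}} for every package whose classes are
    spread over jars that do not carry the same set of signature files."""
    seen = defaultdict(dict)
    for label, src in jars.items():
        with zipfile.ZipFile(src) as zf:
            ids = signer_ids(zf)
            for pkg in class_packages(zf):
                seen[pkg][label] = ids
    return {p: by for p, by in seen.items() if len(set(by.values())) > 1}

def _make_jar(entries):
    """Build an in-memory jar with empty entries (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf

def sample_jars():
    # Constructed layout: a signed copy at ear level, an unsigned copy in the war.
    return {
        "APP-INF/lib/signed-copy.jar": _make_jar(
            ["META-INF/MANIFEST.MF", "META-INF/SIGNER.SF", "META-INF/SIGNER.RSA",
             "example/viewer/A.class"]),
        "WebRoot/marvin/unsigned-copy.jar": _make_jar(
            ["META-INF/MANIFEST.MF", "example/viewer/B.class", "example/util/C.class"]),
    }

if __name__ == "__main__":
    for pkg, by_jar in sorted(mixed_signing(sample_jars()).items()):
        print(pkg, {jar: sorted(ids) or "unsigned" for jar, ids in by_jar.items()})
```

To audit a real deployment, pass a mapping of jar paths collected from the ear and war directories instead of `sample_jars()`; `jarsigner -verify` on each flagged jar then confirms the actual signer certificates.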