-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Illegal reflective access by feign.DefaultMethodHandler in Java 11 #935
Comments
I'm pretty sure I know where this is. We manually bind any Some background: When creating a proxy for an interface, we bind every method to the proxy. As a result, we needed to manually bind My first thought would be to update the processing of the interface to ignore all methods not annotated with I'm going to mark this as an enhancement, with help-wanted and leave it open for others to think about and add to the discussion. |
I changed the module to run the jar after it's build... Locally it passes.... |
So, I was not able to reproduce this issue. @gavinws can you look at my PR and indicate what am I missing? |
@velo you need to change the package names in the |
OK, I renamed the packages and also include github tokens to my changes. Let's see how it goes |
hi @gavinws Am I running it wrong? If you can create a unit test to reproduce this issue, it would be awesome |
I'm not sure why your test isn't working for this; it doesn't seem to capture output from running the jar or it doesn't run at all (I couldn't find the relevant output, but I could be blind). Also this warning does not interrupt execution or change the return code. I just now stashed my changes, pulled master, and did a
Side note: I couldn't build the soap submodule because |
Odd, feign was built so many times, but you are right, this dependency does not exist |
by no means I'm proposing this as a fix: Did some experimentation with I can't get it working on java 11. |
* Next development version * mimepull:1.9.8 is missing from maven central #935
I figured out how you can make your integration test fail, I think, in case you were still looking at how to make tests catch this. Using the
I've also figured out that this can be worked around at runtime (hides the warning and passes the deny option above) with the
For completeness I also tested this on Java 12 and the results are the same as Java 11 (as expected). References: |
So, there is no problem?! |
I wouldn't say there's no problem just because there is currently a workaround available. This still seems like something that should eventually be addressed as JDK restricts more things in the future. |
* Next development version * mimepull:1.9.8 is missing from maven central OpenFeign#935
I've been looking into this more lately and it's something that we are going to need to, potentially, involve a larger group as it has implications on a lot of what this library does. From what I can understand, JDK 9+ module security systems prevent access to objects that are effectively outside of the callers realm. In Feign, this occurs in our
Since I'm going to assume that dropping support for Another is to forgo dynamic I'm sure there are/will be more creative options in the near future. At this point, I don't really know where to go from here. |
This will be fixed as part of our next major release. In the meantime, this will continue to happen. |
Just a note, wiht JDK 16 release, that will be in March this won't be a warning but an error (so it will break the app, unless one adds a workaround). |
Another note, JEP 403 was announced recently as a candidate. Whenever it lands (which might even be JDK 17 at this point),
|
I can confirm that this crashes by default when running under JDK 16:
|
And user won't be able to change that (at least easily) because illegal-access option is going away in JDK17 (https://blogs.oracle.com/javamagazine/java-runtime-encapsulation-internals ). It would be possible with add-opens, but those need to be published somewhere for users to find and some will be reluctant to use them. So it is a ticking bomb. |
If you don't want people to fiddle with opening/exporting packages in module-info. Just add an extra builder method that lets them specify a lookup object when they are creating a builder. a.la. Feign.builder(MethodHandles.lookup()) And use that lookup to unreflect the various methods. Using open/export statements in module-info and letting people explicitly register Lookup objects are the two primary ways for support this kind of functionality in a modular world. |
Fixed by #1393 |
* Next development version * mimepull:1.9.8 is missing from maven central #935
* Next development version * mimepull:1.9.8 is missing from maven central #935
Similar to #393
This can be reproduced on Java 11 (probably also 9 and 10) with the Github example after renaming the package to
notfeign.example.github
(or anything that isn't underfeign.*
). Can be compiled with Java 8 or 11 (the compiler doesn't complain either way).I reproduced on Zulu and Corretto 11.0.2 (all OpenJDK 11 implementations should behave the same):
Note that using the
--illegal-access=warn
JVM option just changes the warning to just the single line calling outfeign.DefaultMethodHandler
.It seems like fixing this while maintaining compatibility for older Java versions will not be fun. Refs:
https://blog.jooq.org/2018/03/28/correct-reflective-access-to-interface-default-methods-in-java-8-9-10/
https://mydailyjava.blogspot.com/2018/04/jdk-11-and-proxies-in-world-past.html
The text was updated successfully, but these errors were encountered: