MethodHandles.Lookup.defineClass for CGLIB class definition purposes [SPR-15859]

[spring-projects-issues]

Juergen Hoeller opened SPR-15859 and commented

As discussed in cglib/cglib@d6fe1d8 and in #20245 comments, there is currently a defineClass warning triggered by CGLIB when running on JDK 9 in classpath mode. While there are workarounds for it ("illegal-access=deny" or "add-opens java.base/java.lang=ALL-UNNAMED"), suppressing that warning at runtime, it'd be nice to avoid the warning completely when running on JDK 9, possibly through a specific check for JDK 9 which skips the ClassLoader.defineClass access attempt completely, always going with the Unsafe.defineClass fallback right away in such a scenario. We have yet to see whether this can be patched in CGLIB itself or just in Spring's CGLIB fork.

UPDATE: Since JDK 11 won't have Unsafe.defineClass at all anymore, we need to use MethodHandles.Lookup.defineClass as our primary mechanism, avoiding a ClassLoader.defineClass warning on the classpath and providing compatibility with the module path on JDK 11.

---

Affects: 5.0 RC3

Reference URL: cglib/cglib@d6fe1d8

Issue Links:

• Compatibility with JDK 11 [SPR-16391] #20937 Compatibility with JDK 11 ("is depended on by")
• An illegal reflective access operation has occurred [SPR-16777] #21317 An illegal reflective access operation has occurred ("duplicates")
• Running an app with @Configuration using Java 9 prints ugly illegal access warnings [SPR-15939] #20493 Running an app with @Configuration using Java 9 prints ugly illegal access warnings ("is duplicated by")
• ReflectUtils produces Warning in Spring Boot 2.0.0.M6 and Java 9.0.1 [SPR-16236] #20783 ReflectUtils produces Warning in Spring Boot 2.0.0.M6 and Java 9.0.1 ("is duplicated by")
• Upgrade to CGLIB 3.2.5 [SPR-15147] #19713 Upgrade to CGLIB 3.2.5
• DATACMNS-1376 Assure JDK 11 compatibility for DefaultMethodInvokingMethodInterceptor
• i'm new with spring and from the start i found this warning while executing [SPR-17380] #21913 i'm new with spring and from the start i found this warning while executing
• Spring Boot DevTools on 5.1 fails with java.lang.LinkageError: loader attempted duplicate class definition [SPR-16902] #21441 Spring Boot DevTools on 5.1 fails with java.lang.LinkageError: loader attempted duplicate class definition
• Illegal reflective access operation warning for toString() on CGLIB proxies [SPR-17500] #22032 Illegal reflective access operation warning for toString() on CGLIB proxies
• DATACMNS-1401 Warning about illegal reflective access in Spring Data Commons / MongoDB

Referenced from: commits 6a34ca2, 61c3db0

17 votes, 40 watchers

[spring-projects-issues]

Alan Bateman commented

Look up java.lang.invoke.MethodHandles.Lookup.defineClass, it's the supported way to inject classes into the same runtime package as another class. It is new in Java SE 9 so it means using a MR JAR or using reflective if you are compiling to an older release. Also note that Unsafe.defineClass is deprecated (forRemoval=true) so it will likely be removed at some point.

[spring-projects-issues]

Juergen Hoeller commented

AlanBateman, the MethodHandles.Lookup.defineClass option has been a topic with Rafael Winterhalter already... but supporting that approach in CGLIB proper seems to be out of scope, also due to the underlying MethodHandles facility being JDK 7+ to begin with.

From my perspective, the ClassLoader.defineClass technique is still the best compromise for CGLIB by default. Along those lines, the similarly structured (and JDK 6 compatible) Unsafe.defineClass is ok as a fallback for the time being, in particular for older applications and frameworks (including Spring Framework 4.3.x) to have a chance of running on JDK 9's module path.

However, for Spring Framework 5.0+, we could enforce a different default policy. In particular, we could ship a JDK 8/9 oriented CGLIB fork that uses MethodHandles.Lookup.defineClass on JDK 9 (even in classpath mode) and falls back to CGLIB's regular policy otherwise.

[spring-projects-issues]

Rafael Winterhalter commented

The problem that we face in cglib is not the requirement to use MethodHandles.Lookup::defineClass - this can be solved by using reflection conditionally on the availablility of this class - but the API implications of this change. Via a lookup, it is only possible - by design - to define a class in the package in which the lookup was created. However, most proxies are today created in the package of the instrumented class to allow proxying package-private methods or to subclass package-private types. By using MethodHandles.Lookup, we would need end-users to provide an appropriate lookup instance for each class's definition or we would need to define proxy classes in a cglib-owned package which would change the nature of those proxies.

cglib has existed since Java 1.1 and has a large use-base. At the same time, it is no longer under active development what led to people finding work-arounds for bugs. As a consequence, it is almost impossible to change anything without breaking things for many users which is why I am hesistant to apply such changes.

In Byte Buddy, users can supply a ClassLoadingStrategy where I implemented a new strategy for using a MethodHandles.Lookup. But as mentioned, this is insufficient for most use cases. For example, in Mockito, we really need to allow proxying package-private types as users often want to test internal API in their unit tests. If we wanted to use lookup instance, we would need to change the Mockito API to:

Foo foo = mock(Foo.class, MethodHandles.lookup());

for any mock class what would destroy the API's expressiveness and make field injection impossible. Therefore, we still rely on the class definition via ClassLoader/Unsafe. A similar problem occurs in Java agents that often need to define helper classes (just as javac) which should typically live in the same package / module as the instrumented class. Agents can however work around any problem by redefining the JVM's module to open certain packages even if the jdk.unsupported package disappeared.

As for now: I could add a system property to cglib that allows always using sun.misc.Unsafe which Spring could set before loading its first cglib-related class. Would this solve your problem? If you shade cglib, you automatically shade the property's name space such that this should be invisible to the outside.

[spring-projects-issues]

Alan Bateman commented

If Spring could use Lookup.defineClass then it would avoid cglib needing to know about Lookup objects.

[spring-projects-issues]

Rafael Winterhalter commented

Typically, Spring defines a proxy in the same package as a user class to access package-private methods. This would require getting hold of a lookup object provided by the user which would require an API change on Spring's side to get hold of such a lookup with the right privileges.

[spring-projects-issues]

Alan Bateman commented

If the user module opens the package to Spring then Spring should be able obtain a full power Lookup with MethodHandles.privateLookupIn.

[spring-projects-issues]

Rafael Winterhalter commented

That is true for bean classes that are defined and controlled by the user but not for classes that are provided by third-parties that do not neccessarily open their packages to Spring. This would require a command-line opening of those modules. That said, using a method handle will most likely work out for many cases but it is not a drop-in replacement.

[spring-projects-issues]

Alan Bateman commented

If the developer of a library chooses to encapsulate its internals then that should be respected. If Spring is dependent on breaking into that library then it should work with the maintainer of the library to come up with a solution.

[spring-projects-issues]

Juergen Hoeller commented

To be clear, what Rafael is referring to here is not that Spring is trying to break into any particular library but rather that Spring's generic AOP facilities can be used to create class-based proxies for arbitrary target classes... So some users may have chosen to apply AOP to third-party classes that are not fully opened, with the framework just doing its usual generic stuff about it.

That said, I don't see this as a major problem. It's the user's responsibility to make sure that everything is properly opened in a module arrangement, according to the purposes of that particular application setup. And in most cases, all that really matters in AOP setup is the public API surface of that particular class, so even a public lookup handle should be sufficient.

Beyond AOP, we're using defineClass for a few other features as well, not least of it all for @Configuration classes. It's definitely more common there to declare non-public artifacts but at least such classes are usually in the user's own codebase. I'll experiment a bit with a custom CGLIB ReflectUtils variant that uses Lookup.defineClass; let's see how it goes.

[spring-projects-issues]

Juergen Hoeller commented

Hmm, I see that Lookup.defineClass requires PACKAGE access in any case... So I suppose a public lookup won't be sufficient, even if the resulting class effectively just propagates public API calls.

[spring-projects-issues]

Mark Mielke commented

If the developer of a library chooses to encapsulate its internals then that should be respected. If Spring is dependent on breaking into that library then it should work with the maintainer of the library to come up with a solution.

From my perspective... The difficulty here is that modules didn't exist prior to Java 9, and the concept of "developer of a library chooses to encapsulate its internals" was only a recommendation as it could not be enforced. We don't actually know who intended for the modules to be usable with Spring in the ways they might be used at present, and who didn't. All we really know, is that over several years certain the class and method access qualifiers, and the Spring implementation have evolved to a current state. Then, Java 9 came along and made modules restricted by default. This effectively broke compatibility, and requires the use of the "-add-opens" and other flags to restore elements of the previous long-standing behaviour.

I don't disagree with modules themselves, but I think we should be looking at this problem as "now that compatibility has been broken, and things must be more explicit... which libraries need to change to enable their use in Java 9?" Spring is one of them. But, all these third party libraries are also a concern. And getting them all to open themselves up to Spring, or other AOP frameworks, is either going to be a chore, or a severe frustration which will result in "-add-opens" and other such flags being long-standing new best practices, or the module system relaxed in some way.

It's a good opportunity to re-evaluate. However, the practical element may mean that even if everybody agrees that something should be done, it is still very difficult or impossible to do it (for example, third party libraries where the original authors are not willing to support Java 9 yet or ever?).

But... that all said... when I read the Spring documentation around these topics, and the ability to use it against third party code, I remember having spider sensations on the back of my neck and thinking this didn't sound wise, and was likely to bite us. So, I believe in my case, we have never done this. I can't think of a single place in our code where we couldn't enable Spring to have access. I think this makes us lucky, though, and we have to consider those who read the same documentation, and thought it sounded like a great idea to take advantage of, and design their architecture around...

[spring-projects-issues]

Alan Bateman commented

I don't understand the last comment. If existing libraries are used as modules then they work as automatic modules, no encapsulation. In any case, this issue is about Spring+CGLIB using the protected ClassLoader.defineClass method from the wrong context and seeing if the the Lookup.defineClass method can be used instead.

Juergen - yes, it needs PACKAGE access because the resulting class will get package access. If the application has opened the package to spring then you can use privateLookupIn to get a full-power Lookup that includes PACKAGE access.

[spring-projects-issues]

Juergen Hoeller commented

AlanBateman, Rafael Winterhalter, this sounds almost like the CGLIB ReflectUtils implementation could try MethodHandles.privateLookupIn first (when on JDK 9), falling back to ClassLoader.defineClass (on JDK 8 or when there was a lookup exception before), then finally to Unsafe.defineClass. Not necessarily saying that CGLIB's default implementation has to do this; we could replace it with a custom variant in Spring's CGLIB fork (which only really has to work for Spring's particular purposes).

[spring-projects-issues]

Mark Mielke commented

@AlanBateman : I might have misunderstood. But, after investigating several issues in our builds with Java 9, one path lead here, and several paths lead to needing -add-open, where the same build and code runs without warnings on Java 8.

I'm trying to say that it isn't like people have spent years deciding exactly where the module boundaries should be and they are definitely where they should be. The module boundaries have been approximate up until now, because there was no way to enforce them prior. With Java 9, they are now enforced, and this causes a requirement for re-evaluation on both consumer and producer side, and it will take some time to reach a stable state again where everybody agrees on where the boundaries should be.

Back to your statement:

If the developer of a library chooses to encapsulate its internals then that should be respected. If Spring is dependent on breaking into that library then it should work with the maintainer of the library to come up with a solution.

I don't think most people have carefully and meticulous chose with full awareness of impact. Java 9 is a surprise for most people still - both producer and consumer. And even if they did spend 5 minutes thinking about it when they published their module info, I don't think we're at a final resting point here where what the producer says is what goes. We're still at evaluating impact phase. :-(

Anyways... I don't mean to distract from the CGLIB discussion. I just want to make sure we're not presuming some deeper well-developed thought on the part of the producers here. We all have a problem to solve here, and that is understanding how Java modules affect us now that they are finally here.

[spring-projects-issues]

Rafael Winterhalter commented

I experienced the same problem with Mockito and the prototype I came up with requires users to register a lookup in a global mockito registry or falls back to a public lookup if no such instance is available. This is of course rather unsatisfactory as it requires more work to do less and we decidedto retain use of Unsafe, also since we need Objenesis for instantiation.

Another issue comes with load time weaving where one often needs to define helper classes what can be done with lookups only when the classes are defined by the instrumented class as the Java agent is not provided a lookup for the instrumented class's package what I could image is also a problem for Spring when being used with AspectJ.

[spring-projects-issues]

Philippe Marschall commented

Oracle just removed Unsafe.defineClass from JDK 11, see JDK-8199699.

[spring-projects-issues]

Juergen Hoeller commented

Indeed, this escalates the issue. While things will still work on the classpath (as long as illegal reflection access is still permitted there - either by default or by a command-line flag), this totally prevents use on the module path, so we'll definitely do something about it in the Spring Framework 5.1 timeframe (GA before JDK 11).

[spring-projects-issues]

Juergen Hoeller commented

I've patched our CGLIB fork accordingly, passing a contextClass (e.g. the proxy superclass) through to ReflectUtils.defineClass for delegating to MethodHandles.Lookup.defineClass eventually, against a privateLookupIn(contextClass) lookup context. We do that reflectively on JDK 9+, meant to happen by default as of Spring Framework 5.1 (GA in time for JDK 11).

This seems to work fine so far, in particular getting rid of the warnings on the classpath. It has some limitations in that it can't enforce creation of the proxy class in a sub ClassLoader and can't proxy non-opened classes (in particular not JDK core classes as we do in our test suite in a few places), so we keep our ClassLoader.defineClass fallback in place if Lookup.defineClass rejects the attempt with an IllegalArgumentException. So effectively the lookup limitations are enforced on the module path, while on the classpath a fallback remains as long as illegal access is permitted according to the JVM bootstrap settings.

[spring-projects-issues]

Rafael Winterhalter commented

On a side note, this solution does not really work for cglib as a library if the library is not shaded. Using this loading strategy in a modularized would require the user to explicitly privilege cglib (https://mydailyjava.blogspot.no/2018/04/jdk-11-and-proxies-in-world-past.html) what breaks module encapsulation if the use of the library is an implementation detail.

I do not think that developing cglib any further makes sense at this point, especially with some rather fundamental changes in the near future to adjust to the new byte codes for value types etc. Cglib has been dormant for a while and this has been communicated and I think that this is a good moment to discontinue development. If you want to continue using it, I understand that but you would need to maintain the library by yourself from here.

[spring-projects-issues]

Steven Pearce commented

I'm unsure whether I should log this here or under #20937, 

but I'm still seeing a variety of this error in 5.1.0.BUILD-SNAPSHOT taken on the 16th August, against JDK 11.

Stack trace with --illegal-access=debug is below

WARNING: Illegal reflective access by org.springframework.util.ReflectionUtils (file:/usr/local/share/apache-tomcat-9.0.10/webapps/floodlight/WEB-INF/lib/spring-core-5.1.0.BUILD-SNAPSHOT.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class)WARNING: Illegal reflective access by org.springframework.util.ReflectionUtils (file:/usr/local/share/apache-tomcat-9.0.10/webapps/floodlight/WEB-INF/lib/spring-core-5.1.0.BUILD-SNAPSHOT.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class) at org.springframework.util.ReflectionUtils.makeAccessible(ReflectionUtils.java:509) at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor$MethodHandleLookup.getLookupConstructor(DefaultMethodInvokingMethodInterceptor.java:198) at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor$MethodHandleLookup.access$100(DefaultMethodInvokingMethodInterceptor.java:86) at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor$MethodHandleLookup$1.<init>(DefaultMethodInvokingMethodInterceptor.java:94) at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor$MethodHandleLookup.<clinit>(DefaultMethodInvokingMethodInterceptor.java:92) at org.springframework.data.projection.DefaultMethodInvokingMethodInterceptor.<init>(DefaultMethodInvokingMethodInterceptor.java:45)

[spring-projects-issues]

Juergen Hoeller commented

That's a class from Spring Data triggering this, so please report it there. They got DATACMNS-1373 already, not sure it's meant to cover this case as well.

[spring-projects-issues]

Steven Pearce commented

Thanks, have logged it there now.

https://jira.spring.io/browse/DATACMNS-1373?focusedCommentId=161633&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-161633

[spring-projects-issues]

Josh Long commented

I'm still seeing this issue in my Java 11 application (openjdk version "11" 2018-09-25; OpenJDK Runtime Environment 18.9 (build 11+28); OpenJDK 64-Bit Server VM 18.9 (build 11+28, mixed mode)) and I don't have Spring Data on the classpath. Here's the error: 

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.springframework.util.ReflectionUtils (jar:file:/Users/joshlong/code/twi/roundup-generator/target/roundup-generator.jar!/BOOT-INF/lib/spring-core-5.1.0.RELEASE.jar!/) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.springframework.util.ReflectionUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

[INFO] Scanning for projects...
Downloading from central: https://cloudnativejava.artifactoryonline.com/cloudnativejava/plugins-release/org/jooq/jooq-codegen-maven/3.11.5/jooq-codegen-maven-3.11.5.pom
Progress (1): 3.5 kB

Downloaded from central: https://cloudnativejava.artifactoryonline.com/cloudnativejava/plugins-release/org/jooq/jooq-codegen-maven/3.11.5/jooq-codegen-maven-3.11.5.pom (3.5 kB at 6.1 kB/s)
Downloading from central: https://cloudnativejava.artifactoryonline.com/cloudnativejava/plugins-release/org/jooq/jooq-parent/3.11.5/jooq-parent-3.11.5.pom
Progress (1): 4.1/11 kB
Progress (1): 7.5/11 kB
Progress (1): 11 kB

Downloaded from central: https://cloudnativejava.artifactoryonline.com/cloudnativejava/plugins-release/org/jooq/jooq-parent/3.11.5/jooq-parent-3.11.5.pom (11 kB at 61 kB/s)
Downloading from central: https://cloudnativejava.artifactoryonline.com/cloudnativejava/plugins-release/org/jooq/jooq-codegen-maven/3.11.5/jooq-codegen-maven-3.11.5.jar
Progress (1): 4.1/16 kB
Progress (1): 7.5/16 kB
Progress (1): 12/16 kB
Progress (1): 16/16 kB
Progress (1): 16 kB

Downloaded from central: https://cloudnativejava.artifactoryonline.com/cloudnativejava/plugins-release/org/jooq/jooq-codegen-maven/3.11.5/jooq-codegen-maven-3.11.5.jar (16 kB at 90 kB/s)
[INFO]
[INFO] -------------------< com.joshlong:roundup-generator >-------------------
[INFO] Building roundup-generator 0.0.1-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ roundup-generator ---
[INFO] com.joshlong:roundup-generator:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.1.0.M4:compile
[INFO] +- com.beust:jcommander:jar:1.48:compile
[INFO] +- org.springframework.shell:spring-shell-starter:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.shell:spring-shell-core:jar:2.0.0.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-validation:jar:2.1.0.M4:compile
[INFO] | | | - org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.12:compile
[INFO] | | +- org.jline:jline:jar:3.4.0:compile
[INFO] | | - org.jline:jline-terminal-jna:jar:3.4.0:runtime
[INFO] | | +- net.java.dev.jna:jna:jar:4.5.2:runtime
[INFO] | | - org.jline:jline-terminal:jar:3.4.0:runtime
[INFO] | +- org.springframework.shell:spring-shell-standard:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.shell:spring-shell-standard-commands:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.shell:spring-shell-shell1-adapter:jar:2.0.0.RELEASE:compile
[INFO] | +- org.springframework.shell:spring-shell-jcommander-adapter:jar:2.0.0.RELEASE:compile
[INFO] | - org.springframework.shell:spring-shell-table:jar:2.0.0.RELEASE:compile
[INFO] | - org.springframework:spring-beans:jar:5.1.0.RELEASE:compile
[INFO] +- commons-cli:commons-cli:jar:1.4:compile
[INFO] +- com.joshlong:pinboard-client:jar:0.0.1-SNAPSHOT:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.7:compile
[INFO] | | - com.fasterxml.jackson.core:jackson-core:jar:2.9.7:compile
[INFO] | - org.springframework:spring-web:jar:5.1.0.RELEASE:compile
[INFO] +- com.h2database:h2:jar:1.4.197:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-webflux:jar:2.1.0.M4:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.1.0.M4:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:2.1.0.M4:compile
[INFO] | | | - org.springframework:spring-context:jar:5.1.0.RELEASE:compile
[INFO] | | | +- org.springframework:spring-aop:jar:5.1.0.RELEASE:compile
[INFO] | | | - org.springframework:spring-expression:jar:5.1.0.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.0.M4:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.0.M4:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | | | | - ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.1:compile
[INFO] | | | | - org.apache.logging.log4j:log4j-api:jar:2.11.1:compile
[INFO] | | | - org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] | | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] | | - org.yaml:snakeyaml:jar:1.23:runtime
[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.1.0.M4:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.7:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.7:compile
[INFO] | | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.7:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.1.0.M4:compile
[INFO] | | - io.projectreactor.netty:reactor-netty:jar:0.8.0.RELEASE:compile
[INFO] | | +- io.netty:netty-codec-http:jar:4.1.29.Final:compile
[INFO] | | | - io.netty:netty-codec:jar:4.1.29.Final:compile
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.29.Final:compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.29.Final:compile
[INFO] | | | +- io.netty:netty-buffer:jar:4.1.29.Final:compile
[INFO] | | | - io.netty:netty-transport:jar:4.1.29.Final:compile
[INFO] | | | - io.netty:netty-resolver:jar:4.1.29.Final:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.29.Final:compile
[INFO] | | | - io.netty:netty-codec-socks:jar:4.1.29.Final:compile
[INFO] | | - io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.29.Final:compile
[INFO] | | +- io.netty:netty-common:jar:4.1.29.Final:compile
[INFO] | | - io.netty:netty-transport-native-unix-common:jar:4.1.29.Final:compile
[INFO] | +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] | | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] | | - com.fasterxml:classmate:jar:1.4.0:compile
[INFO] | +- org.springframework:spring-webflux:jar:5.1.0.RELEASE:compile
[INFO] | - org.synchronoss.cloud:nio-multipart-parser:jar:1.1.0:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] | - org.synchronoss.cloud:nio-stream-storage:jar:1.1.3:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-kotlin:jar:2.9.7:compile
[INFO] | - com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-config:jar:2.1.0.M1:compile
[INFO] | +- org.springframework.cloud:spring-cloud-starter:jar:2.1.0.M1:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-context:jar:2.1.0.M1:compile
[INFO] | | | - org.springframework.security:spring-security-crypto:jar:5.1.0.RELEASE:compile
[INFO] | | +- org.springframework.cloud:spring-cloud-commons:jar:2.1.0.M1:compile
[INFO] | | - org.springframework.security:spring-security-rsa:jar:1.0.7.RELEASE:compile
[INFO] | | - org.bouncycastle:bcpkix-jdk15on:jar:1.60:compile
[INFO] | | - org.bouncycastle:bcprov-jdk15on:jar:1.60:compile
[INFO] | - org.springframework.cloud:spring-cloud-config-client:jar:2.1.0.M1:compile
[INFO] +- org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.2.70:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.2.70:compile
[INFO] | | +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.2.70:compile
[INFO] | | - org.jetbrains:annotations:jar:13.0:compile
[INFO] | - org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.2.70:compile
[INFO] +- org.jetbrains.kotlin:kotlin-reflect:jar:1.2.70:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.1.0.M4:test
[INFO] | +- org.springframework.boot:spring-boot-test:jar:2.1.0.M4:test
[INFO] | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.1.0.M4:test
[INFO] | +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] | | - net.minidev:json-smart:jar:2.3:test
[INFO] | | - net.minidev:accessors-smart:jar:1.2:test
[INFO] | | - org.ow2.asm:asm:jar:5.0.4:test
[INFO] | +- junit:junit:jar:4.12:test
[INFO] | +- org.assertj:assertj-core:jar:3.11.1:test
[INFO] | +- org.mockito:mockito-core:jar:2.22.0:test
[INFO] | | +- net.bytebuddy:byte-buddy:jar:1.8.22:test
[INFO] | | +- net.bytebuddy:byte-buddy-agent:jar:1.8.22:test
[INFO] | | - org.objenesis:objenesis:jar:2.6:test
[INFO] | +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] | +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] | +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] | | - com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] | +- org.springframework:spring-core:jar:5.1.0.RELEASE:compile
[INFO] | | - org.springframework:spring-jcl:jar:5.1.0.RELEASE:compile
[INFO] | +- org.springframework:spring-test:jar:5.1.0.RELEASE:test
[INFO] | - org.xmlunit:xmlunit-core:jar:2.6.2:test
[INFO] | - javax.xml.bind:jaxb-api:jar:2.3.0:test
[INFO] - io.projectreactor:reactor-test:jar:3.2.0.RELEASE:test
[INFO] - io.projectreactor:reactor-core:jar:3.2.0.RELEASE:compile
[INFO] - org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.468 s
[INFO] Finished at: 2018-10-02T23:15:46-07:00
[INFO] ------------------------------------------------------------------------

thank you. 

[spring-projects-issues]

Philippe Marschall commented

@Josh Long Unfortunately the stack trace is missing but from

Illegal reflective access by org.springframework.util.ReflectionUtils (jar:file:/Users/joshlong/code/twi/roundup-generator/target/roundup-generator.jar!/BOOT-INF/lib/spring-core-5.1.0.RELEASE.jar!/) to method java.lang.Object.finalize()
it is not clear to me that is caused by CGLIB class definition.

[spring-projects-issues]

Juergen Hoeller commented

Josh Long, indeed, this one doesn't seem related to CGLIB. It rather seems to be some other code trying to reflectively call a non-accessible finalize() method on some class through Spring's own ReflectionUtils helper; without a stacktrace, it's hard to tell who the actual originator is. In any case, such a warning about org.springframework.util.ReflectionUtils is misleading since it's just an intermediate tool used here, not to be blamed itself (and with the warning not to be fixed at that level).

[spring-projects-issues]

Rafael Winterhalter commented

Josh Long, you can run your JVM while setting --illegal-access=debug to get the stack trace that would reveal the caller of the method.

[spring-projects-issues]

Larkin Lowrey commented

Here's my stack trace:

WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils (file:/C:/Users/llowrey/.m2/repository/org/springframework/spring-core/5.1.0.RELEASE/spring-core-5.1.0.RELEASE.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
	at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:521)
	at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:486)
	at org.springframework.data.mapping.model.ClassGeneratingPropertyAccessorFactory$PropertyAccessorClassGenerator.generateCustomAccessorClass(ClassGeneratingPropertyAccessorFactory.java:321)
	at org.springframework.data.mapping.model.ClassGeneratingPropertyAccessorFactory.createAccessorClass(ClassGeneratingPropertyAccessorFactory.java:195)
	at org.springframework.data.mapping.model.ClassGeneratingPropertyAccessorFactory.potentiallyCreateAndRegisterPersistentPropertyAccessorClass(ClassGeneratingPropertyAccessorFactory.java:181)
	at org.springframework.data.mapping.model.ClassGeneratingPropertyAccessorFactory.getPropertyAccessor(ClassGeneratingPropertyAccessorFactory.java:91)
	at org.springframework.data.mapping.model.BasicPersistentEntity.getPropertyAccessor(BasicPersistentEntity.java:455)
	at org.springframework.data.auditing.MappingAuditableBeanWrapperFactory.lambda$null$1(MappingAuditableBeanWrapperFactory.java:86)
	at org.springframework.data.mapping.context.PersistentEntities.lambda$mapOnContext$4(PersistentEntities.java:115)
	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:195)
	at java.base/java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:177)
	at java.base/java.util.Spliterators$IteratorSpliterator.tryAdvance(Spliterators.java:1812)
	at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:127)
	at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:502)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:488)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:543)
	at org.springframework.data.mapping.context.PersistentEntities.mapOnContext(PersistentEntities.java:116)
	at org.springframework.data.auditing.MappingAuditableBeanWrapperFactory.lambda$getBeanWrapperFor$3(MappingAuditableBeanWrapperFactory.java:80)
	at java.base/java.util.Optional.flatMap(Optional.java:294)
	at org.springframework.data.auditing.MappingAuditableBeanWrapperFactory.getBeanWrapperFor(MappingAuditableBeanWrapperFactory.java:74)
	at org.springframework.data.auditing.AuditingHandler.touch(AuditingHandler.java:161)
	at org.springframework.data.auditing.AuditingHandler.markCreated(AuditingHandler.java:131)
	at org.springframework.data.jpa.domain.support.AuditingEntityListener.touchForCreate(AuditingEntityListener.java:92)
	at org.hibernate.jpa.event.internal.ListenerCallback.performCallback(ListenerCallback.java:35)
	at org.hibernate.jpa.event.internal.CallbackRegistryImpl.callback(CallbackRegistryImpl.java:97)
	at org.hibernate.jpa.event.internal.CallbackRegistryImpl.preCreate(CallbackRegistryImpl.java:57)
	at org.hibernate.event.internal.AbstractSaveEventListener.saveWithGeneratedId(AbstractSaveEventListener.java:116)
	at org.hibernate.event.internal.DefaultPersistEventListener.entityIsTransient(DefaultPersistEventListener.java:192)
	at org.hibernate.event.internal.DefaultPersistEventListener.onPersist(DefaultPersistEventListener.java:135)

[spring-projects-issues]

Oliver Drotbohm commented

Larkin Lowrey – This one in particular is being tracked in DATACMNS-1401.

[spring-projects-issues]

Marcel commented

I still get this error:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.springframework.util.ReflectionUtils (file:/some/path/WEB-INF/lib/spring-core-5.1.2.RELEASE.jar) to field java.sql.Timestamp.nanos
WARNING: Please consider reporting this to the maintainers of org.springframework.util.ReflectionUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

 

[spring-projects-issues]

Juergen Hoeller commented

L., your particular warning is not related to the ticket here. Some code uses Spring's ReflectionUtils to introspect the nanos field in a java.sql.Timestamp instance; it is not ReflectionUtils itself to blame here but rather whoever calls it (possibly Spring Data, can only really be told through the stacktrace) and therefore to be reported to the originating project.

[spring-projects-issues]

Alan Bateman commented

--illegal-access=debug should help track down who is touching Timestamp.nanos via ReflectionUtils. 

I can't think why anything would want to access that field directly as the setNanos/getNanos methods are public.

[donhuvy]

I am using JDK 12. Spring Boot 2.1.3.RELEASE is ok, but Sprin Boot 2.1.4.RELEASE and newer cause error

"C:\Program Files\Java\jdk-12\bin\java.exe" -XX:TieredStopAtLevel=1 -noverify -Dspring.output.ansi.enabled=always -Dcom.sun.management.jmxremote -Dspring.jmx.enabled=true -Dspring.liveBeansView.mbeanDomain -Dspring.application.admin.enabled=true "-javaagent:C:\Program Files\JetBrains\IntelliJ IDEA 2019.1.3\lib\idea_rt.jar=65061:C:\Program Files\JetBrains\IntelliJ IDEA 2019.1.3\bin" -Dfile.encoding=UTF-8 -classpath E:\source_code\gitlab.com\acc_sql_server\out\production\classes;E:\source_code\gitlab.com\acc_sql_server\out\production\resources;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\javax.annotation\javax.annotation-api\1.3.2\934c04d3cfef185a8008e7bf34331b79730a9d43\javax.annotation-api-1.3.2.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-core\9.0.17\aacb92c34eb2e88f38a060c9fcaaae329a79c9ca\tomcat-embed-core-9.0.17.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-tomcat\2.1.4.RELEASE\3b0c04450d86fc29c9fdad555b4555e553a4008\spring-boot-starter-tomcat-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-websocket\9.0.17\a786505cc2697f7f2d8693c0c318270cc8addd92\tomcat-embed-websocket-9.0.17.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-el\9.0.17\595fbb87426e23f27c71b267f22b6e7d2a91a2aa\tomcat-embed-el-9.0.17.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-data-jpa\2.1.4.RELEASE\d5b7a85a533cb631048a8fd161f508a9a1f69f44\spring-boot-starter-data-jpa-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\javax.xml.bind\jaxb-api\2.3.1\8531ad5ac454cc2deb9d4d32c40c4d7451939b5d\jaxb-api-2.3.1.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-actuator\2.1.4.RELEASE\3f3897febeecb4c3243e5a31bee769e4d9fd9445\spring-boot-starter-actuator-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-web\2.1.4.RELEASE\a4659d55f57421a5ef122cb670b7b544ef8190e8\spring-boot-starter-web-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-devtools\2.1.4.RELEASE\d415f0a4dbf800d4343b7662c0ea141978d93d4c\spring-boot-devtools-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-thymeleaf\2.1.4.RELEASE\631b7593129c2f8f43df783fc7fd4a0b5edce747\spring-boot-starter-thymeleaf-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-actuator-autoconfigure\2.1.4.RELEASE\c17cc820eb7c4b1a95d05aaac806c3acc784c01\spring-boot-actuator-autoconfigure-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-json\2.1.4.RELEASE\247d7c2efae986f310a29e9fef7174adc91d0835\spring-boot-starter-json-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.datatype\jackson-datatype-jdk8\2.9.8\bcd02aa9195390e23747ed40bf76be869ad3a2fb\jackson-datatype-jdk8-2.9.8.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.datatype\jackson-datatype-jsr310\2.9.8\28ad1bced632ba338e51c825a652f6e11a8e6eac\jackson-datatype-jsr310-2.9.8.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.module\jackson-module-parameter-names\2.9.8\c4eef0e6e20d60fb27af4bc4770dba7bcc3f6de6\jackson-module-parameter-names-2.9.8.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-databind\2.9.8\11283f21cc480aa86c4df7a0a3243ec508372ed2\jackson-databind-2.9.8.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.hibernate\hibernate-core\5.3.9.Final\8ec9bc0e2e7924ddc25a52ee6f9ca1780bfdae3c\hibernate-core-5.3.9.Final.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\javax.activation\javax.activation-api\1.2.0\85262acf3ca9816f9537ca47d5adeabaead7cb16\javax.activation-api-1.2.0.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-aop\2.1.4.RELEASE\39fffcbea8207ca708b7891f3b70c37a33c2dca4\spring-boot-starter-aop-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-jdbc\2.1.4.RELEASE\1e5b6ff541d77655f3295d2f1d66f90f50b58f03\spring-boot-starter-jdbc-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter\2.1.4.RELEASE\8fa436ef4e273cb476d5dc3aa73701a8837460af\spring-boot-starter-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.microsoft.sqlserver\mssql-jdbc\6.4.0.jre8\d35eaaa34e061d362977d88821bf08c0797af612\mssql-jdbc-6.4.0.jre8.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\io.micrometer\micrometer-core\1.1.4\96eabfe2343a4a4676d215b2122cbbc4d4b6af9b\micrometer-core-1.1.4.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\javax.transaction\javax.transaction-api\1.3\e006adf5cf3cca2181d16bd640ecb80148ec0fce\javax.transaction-api-1.3.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.data\spring-data-jpa\2.1.6.RELEASE\a67a0842a2ed768a92a33cdf1df1d36d1a8bf426\spring-data-jpa-2.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-aspects\5.1.6.RELEASE\c17785ecb504e026dd910facc44127db6317577a\spring-aspects-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-autoconfigure\2.1.4.RELEASE\d5f8b3f7835a23b4dfd8d1489d265c1e426e317b\spring-boot-autoconfigure-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.hibernate.validator\hibernate-validator\6.0.16.Final\ad9557c558972093c0567a2a1f224f318c00f650\hibernate-validator-6.0.16.Final.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-webmvc\5.1.6.RELEASE\cf4ea53740c93e0b8ff951ef0a3eaf154c74dbd0\spring-webmvc-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-web\5.1.6.RELEASE\4e15a24feba0581a02efd508af03a15b05570bd4\spring-web-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.thymeleaf\thymeleaf-spring5\3.0.11.RELEASE\de7bf0adf13b5e9c4811f95edf18279da193c0c6\thymeleaf-spring5-3.0.11.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.thymeleaf.extras\thymeleaf-extras-java8time\3.0.4.RELEASE\36e7175ddce36c486fff4578b5af7bb32f54f5df\thymeleaf-extras-java8time-3.0.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-core\2.9.8\f5a654e4675769c716e5b387830d19b501ca191\jackson-core-2.9.8.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-actuator\2.1.4.RELEASE\fdafe5167dc886e116cf07ef552a4229e93883af\spring-boot-actuator-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot\2.1.4.RELEASE\5ad0355a8c810b32b9221b9b92746b51c983337f\spring-boot-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.boot\spring-boot-starter-logging\2.1.4.RELEASE\2fb669a89cd65b275be20ab755c3742399395dff\spring-boot-starter-logging-2.1.4.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-context\5.1.6.RELEASE\7b9e80ab68ee91ca0462a0eb2c58a9d957788b\spring-context-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-aop\5.1.6.RELEASE\a473d4bca7295f2b90522594e413f9e19107c1d2\spring-aop-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-orm\5.1.6.RELEASE\b4ac162754b6d55215b2b5dee73eff6ec7f0b758\spring-orm-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-jdbc\5.1.6.RELEASE\6212f7015d4ffd7091558d9c0d6aadf6db8ca058\spring-jdbc-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework.data\spring-data-commons\2.1.6.RELEASE\4cc5ed71af58033c91ecb042c9c20a0f2b39407d\spring-data-commons-2.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-tx\5.1.6.RELEASE\e1c6de29a9f9b6ded22133fd0cfdc4366a431cc2\spring-tx-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-core\5.1.6.RELEASE\9329591e728ef9844911e082e399f4fc3e3ecb37\spring-core-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.hdrhistogram\HdrHistogram\2.1.9\e4631ce165eb400edecfa32e03d3f1be53dee754\HdrHistogram-2.1.9.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.latencyutils\LatencyUtils\2.0.3\769c0b82cb2421c8256300e907298a9410a2a3d3\LatencyUtils-2.0.3.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.aspectj\aspectjweaver\1.9.2\d2502817521477faf0712c49a6ee2a5388787fc7\aspectjweaver-1.9.2.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-beans\5.1.6.RELEASE\90d2f4bf7eced108de0b5bf617abb2b13a6206a3\spring-beans-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.zaxxer\HikariCP\3.2.0\6c66db1c636ee90beb4c65fe34abd8ba9396bca6\HikariCP-3.2.0.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-expression\5.1.6.RELEASE\50fe4080029e43e7612e50fb4d7c7c43e95bf03c\spring-expression-5.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.hibernate.common\hibernate-commons-annotations\5.0.4.Final\965a18fdf939ee75e41f7918532d37b3a8350535\hibernate-commons-annotations-5.0.4.Final.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.jboss.logging\jboss-logging\3.3.2.Final\3789d00e859632e6c6206adc0c71625559e6e3b0\jboss-logging-3.3.2.Final.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\javax.persistence\javax.persistence-api\2.2\25665ac8c0b62f50e6488173233239120fc52c96\javax.persistence-api-2.2.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.javassist\javassist\3.23.1-GA\c072c13dcb7f705471c40bafb1536171df850ab2\javassist-3.23.1-GA.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.yaml\snakeyaml\1.23\ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68\snakeyaml-1.23.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\net.bytebuddy\byte-buddy\1.9.12\39050dbbd36862ea87eb9a64158854b04619ccd6\byte-buddy-1.9.12.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\antlr\antlr\2.7.7\83cd2cd674a217ade95a4bb83a8a14f351f48bd0\antlr-2.7.7.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.jboss\jandex\2.0.5.Final\7060f67764565b9ee9d467e3ed0cb8a9c601b23a\jandex-2.0.5.Final.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.fasterxml\classmate\1.4.0\291658ac2ce2476256c7115943652c0accb5c857\classmate-1.4.0.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.dom4j\dom4j\2.1.1\3dce5dbb3571aa820c677fadd8349bfa8f00c199\dom4j-2.1.1.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.thymeleaf\thymeleaf\3.0.11.RELEASE\628ebb91f520053d4120b7b18bf78ff295d57461\thymeleaf-3.0.11.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\ch.qos.logback\logback-classic\1.2.3\7c4f3c474fb2c041d8028740440937705ebb473a\logback-classic-1.2.3.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-to-slf4j\2.11.2\6d37bf7b046c0ce2669f26b99365a2cfa45c4c18\log4j-to-slf4j-2.11.2.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.slf4j\jul-to-slf4j\1.7.26\8031352b2bb0a49e67818bf04c027aa92e645d5c\jul-to-slf4j-1.7.26.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.26\77100a62c2e6f04b53977b9f541044d7d722693d\slf4j-api-1.7.26.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\javax.validation\validation-api\2.0.1.Final\cb855558e6271b1b32e716d24cb85c7f583ce09e\validation-api-2.0.1.Final.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-annotations\2.9.0\7c10d545325e3a6e72e06381afe469fd40eb701\jackson-annotations-2.9.0.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.attoparser\attoparser\2.0.5.RELEASE\a93ad36df9560de3a5312c1d14f69d938099fa64\attoparser-2.0.5.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.unbescape\unbescape\1.1.6.RELEASE\7b90360afb2b860e09e8347112800d12c12b2a13\unbescape-1.1.6.RELEASE.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\ch.qos.logback\logback-core\1.2.3\864344400c3d4d92dfeb0a305dc87d953677c03c\logback-core-1.2.3.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-api\2.11.2\f5e9a2ffca496057d6891a3de65128efc636e26e\log4j-api-2.11.2.jar;C:\Users\donhuvy\.gradle\caches\modules-2\files-2.1\org.springframework\spring-jcl\5.1.6.RELEASE\a4ad3c98c7cc31357e94e12772c8e6449522bc5\spring-jcl-5.1.6.RELEASE.jar com.donhuvy.AccountingApplication
Picked up _JAVA_OPTIONS: -Xmx512M

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.1.4.RELEASE)

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils (file:/C:/Users/donhuvy/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.6.RELEASE/9329591e728ef9844911e082e399f4fc3e3ecb37/spring-core-5.1.6.RELEASE.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of org.springframework.cglib.core.ReflectUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

This is my dependencies tree https://gist.github.com/donhuvy/54d64b3abc9d29d392bbd22018ea3c66

[peterhuffer]

I am seeing this on spring boot 2.1.6.RELEASE as well in a JDK11 environment

WARNING: An illegal reflective access operation has occurred

WARNING: Illegal reflective access by org.springframework.util.ReflectionUtils (jar:file:/opt/replication/app.jar!/BOOT-INF/lib/spring-core-5.1.8.RELEASE.jar!/) to field java.beans.PropertyChangeSupport.map

WARNING: Please consider reporting this to the maintainers of org.springframework.util.ReflectionUtils

WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations

[valentin-nasta]

@spring-issuemaster I'm seeing this on spring boot 2.1.7.RELEASE as well with openjdk 11.0.1

$ java --version
openjdk 11.0.1 2018-10-16
OpenJDK Runtime Environment 18.9 (build 11.0.1+13)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

WARNING: Illegal reflective access by net.sf.cglib.core.ReflectUtils$1 (file:/Users/vmbp/.m2/repository/cglib/cglib-nodep/3.2.12/cglib-nodep-3.2.12.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
	at net.sf.cglib.core.ReflectUtils$1.run(ReflectUtils.java:61)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at net.sf.cglib.core.ReflectUtils.<clinit>(ReflectUtils.java:52)
	at net.sf.cglib.core.KeyFactory$Generator.generateClass(KeyFactory.java:243)
	at net.sf.cglib.core.DefaultGeneratorStrategy.generate(DefaultGeneratorStrategy.java:25)
	at net.sf.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:332)
	at net.sf.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:96)
	at net.sf.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:94)
	at net.sf.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at net.sf.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61)
	at net.sf.cglib.core.internal.LoadingCache.get(LoadingCache.java:34)
	at net.sf.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:119)
	at net.sf.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:294)
	at net.sf.cglib.core.KeyFactory$Generator.create(KeyFactory.java:221)
	at net.sf.cglib.core.KeyFactory.create(KeyFactory.java:174)
	at net.sf.cglib.core.KeyFactory.create(KeyFactory.java:153)
	at net.sf.cglib.proxy.Enhancer.<clinit>(Enhancer.java:73)
	at org.apache.wicket.proxy.LazyInitProxyFactory.createProxy(LazyInitProxyFactory.java:182)
	at org.apache.wicket.spring.injection.annot.AnnotProxyFieldValueFactory.getFieldValue(AnnotProxyFieldValueFactory.java:166)
	at org.apache.wicket.injection.Injector.inject(Injector.java:111)
	at org.apache.wicket.spring.injection.annot.SpringComponentInjector.inject(SpringComponentInjector.java:124)
	at org.apache.wicket.spring.injection.annot.SpringComponentInjector.onInstantiation(SpringComponentInjector.java:130)
	at org.apache.wicket.application.ComponentInstantiationListenerCollection$1.notify(ComponentInstantiationListenerCollection.java:38)
	at org.apache.wicket.application.ComponentInstantiationListenerCollection$1.notify(ComponentInstantiationListenerCollection.java:34)
	at org.apache.wicket.util.listener.ListenerCollection.notify(ListenerCollection.java:80)
	at org.apache.wicket.application.ComponentInstantiationListenerCollection.onInstantiation(ComponentInstantiationListenerCollection.java:33)
	at org.apache.wicket.Component.<init>(Component.java:681)
	at org.apache.wicket.MarkupContainer.<init>(MarkupContainer.java:179)
	at org.apache.wicket.Page.<init>(Page.java:171)
	at org.apache.wicket.Page.<init>(Page.java:135)
	at org.apache.wicket.markup.html.WebPage.<init>(WebPage.java:74)

[sbrannen]

@valentin-nasta, the stack trace you have provided shows that this is coming from Apache Wicket's direct use of CGLIB, not from Spring.

So please open an issue with the Apache Wicket team.

[valentin-nasta]

@sbrannen That's correct, I'll open an issue with the Apache Wicket team, thank you!

[Xyaren]

WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils (file:/D:/dev/Workspace/Maven/repository/org/springframework/spring-core/5.1.8.RELEASE/spring-core-5.1.8.RELEASE.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
	at org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:525)
	at org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:363)
	at org.springframework.cglib.proxy.Enhancer.generate(Enhancer.java:582)
	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:110)
	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:108)
	at org.springframework.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at org.springframework.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61)
	at org.springframework.cglib.core.internal.LoadingCache.get(LoadingCache.java:34)
	at org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:134)
	at org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:319)
	at org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:569)
	at org.springframework.cglib.proxy.Enhancer.createClass(Enhancer.java:416)
	at org.springframework.aop.framework.ObjenesisCglibAopProxy.createProxyClassAndInstance(ObjenesisCglibAopProxy.java:57)
	at org.springframework.aop.framework.CglibAopProxy.getProxy(CglibAopProxy.java:205)
	at org.springframework.aop.framework.ProxyFactory.getProxy(ProxyFactory.java:110)
	at org.springframework.aop.framework.AbstractAdvisingBeanPostProcessor.postProcessAfterInitialization(AbstractAdvisingBeanPostProcessor.java:92)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsAfterInitialization(AbstractAutowireCapableBeanFactory.java:429)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1782)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:593)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:515)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:318)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:277)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1251)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1171)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:593)
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:90)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:374)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1411)

On OpenJDK 10.0.2 using --illegal-access=debug

[azmau]

I hope this is the right place to add my comment even if the issue is closed. I have the same thing on Java 11 with Spring 5.2.3
WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils (vfs:/D:/wildfly-18.0.1/servers/abc-j11/deployments/abc.war/WEB-INF/lib/spring-core-5.2.3.RELEASE.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain) at deployment.abc.war//org.springframework.cglib.core.ReflectUtils.defineClass(ReflectUtils.java:525) at deployment.abc.war//org.springframework.cglib.core.AbstractClassGenerator.generate(AbstractClassGenerator.java:363) at deployment.abc.war//org.springframework.cglib.proxy.Enhancer.generate(Enhancer.java:582) at deployment.abc.war//org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:110) at deployment.abc.war//org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData$3.apply(AbstractClassGenerator.java:108) at deployment.abc.war//org.springframework.cglib.core.internal.LoadingCache$2.call(LoadingCache.java:54) at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at deployment.abc.war//org.springframework.cglib.core.internal.LoadingCache.createEntry(LoadingCache.java:61) at deployment.abc.war//org.springframework.cglib.core.internal.LoadingCache.get(LoadingCache.java:34) at deployment.abc.war//org.springframework.cglib.core.AbstractClassGenerator$ClassLoaderData.get(AbstractClassGenerator.java:134) at deployment.abc.war//org.springframework.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:319) at deployment.abc.war//org.springframework.cglib.proxy.Enhancer.createHelper(Enhancer.java:569) at deployment.abc.war//org.springframework.cglib.proxy.Enhancer.create(Enhancer.java:384)

What can I do about it?

[pablozoani]

When

return EntityModel.of(...);

With

openjdk version "14.0.1" 2020-04-14
OpenJDK Runtime Environment (build 14.0.1+7-Ubuntu-1ubuntu1)
OpenJDK 64-Bit Server VM (build 14.0.1+7-Ubuntu-1ubuntu1, mixed mode, sharing)

Then

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils (file:/home/pablo/.m2/repository/org/springframework/spring-core/5.2.8.RELEASE/spring-core-5.2.8.RELEASE.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of org.springframework.cglib.core.ReflectUtils
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release