My Oracle Support Banner

[Java SE] Java WebStart and JNLP Apps Get 'SecurityException - class does not match trust level (or signer information) of other classes in the same package' (Doc ID 2168729.1)

Last updated on OCTOBER 13, 2018

Applies to:

Java SE JDK and JRE - Version 7 to 8
Information in this document applies to any platform.

Symptoms

After installing a recent Java SE 7 or 8 patch update on a Windows system, Java WebStart (JNLP) applications fail to start with the following error and stack trace: 

caused by: java.lang.SecurityException: class "org.apache.log4j.spi.RootLogger" does not match trust level of other classes in the same package
at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)

 

The problem can also appear as a signing issue with the below error and stack trace under the following conditions:

  1. A JNLP application uses a signed jar that contains a MANIFEST.MF with the property "Import-Package" which refers to other packages outside of that jar, and
  2. The JNLP class loader loads a class from that jar.
caused by: java.lang.SecurityException: class "org.apache.log4j.spi.RootLogger"'s signer information does not match signer information of other classes in the same package
at java.lang.ClassLoader.checkCerts(Unknown Source)
at java.lang.ClassLoader.preDefineClass(Unknown Source)
at java.lang.ClassLoader.defineClass(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$100(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at com.sun.jnlp.JNLPClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)

 

Note: In the above examples, a class from a log4j jar file was used to exploit the particular exceptions for illustrative purposes.  However, this is not an issue limited to log4j classes. 

  

Changes

The described issues occur only in the following Java releases:

Java SE 8:

Java SE 7

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.