Re: [netcdf-java] securityException while reading Grib files

Hi Daniele,

This has been fixed [1][2]. The solution will appear in 4.6.2 (hopefully
released this week).

Cheers,
Christian

[1] https://github.com/Unidata/jj2000/commit/d340a840d6ed947332b77aede5c845148812767c
[2] https://github.com/Unidata/thredds/commit/594fddcd1f1aa95e8b6028caf4561602554893a3

On Fri, May 22, 2015 at 3:41 PM, Curtis Rueden <ctrueden@xxxxxxxx> wrote:

> Hi Ryan,
>
> > we feel the best path forward is to simply
> > change the package name (e.g. unidata.jj2000)
>
> You may find the maven-shade-plugin rather useful for this.
> https://maven.apache.org/plugins/maven-shade-plugin/
>
> E.g., I created a shaded version of the Jython library to avoid conflicts
> with bundled dependencies; see:
> https://github.com/scijava/jython-shaded
>
> Maybe it helps as a starting point.
>
> Regards,
> Curtis
>
> On Fri, May 22, 2015 at 4:36 PM, Ryan May <rmay@xxxxxxxx> wrote:
>
>> Daniele,
>>
>> After discussing it yesterday, we feel the best path forward is to simply
>> change the package name (e.g. unidata.jj2000). It's important that we use
>> this particular jj2000, rather than the jai_imageio one, because ours
>> contains fixes specifically for GRIB (for example, 1-bit images).
>>
>> I'm targeting having this work done in time for the next bugfix release,
>> 4.6.2.
>>
>> Ryan
>>
>> On Thu, May 21, 2015 at 5:06 AM, Daniele Romagnoli <
>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>
>>> Hi again,
>>> do you have any news or action plan about this topic?
>>>
>>> Please, let me know.
>>> Best Regards,
>>> Daniele
>>>
>>> On Thu, Apr 30, 2015 at 12:12 PM, Daniele Romagnoli <
>>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>>
>>>> Hi again,
>>>> For the moment, I have temporarily fixed it by removing some classes from
>>>> the jai_imageio-1.1.jar. That's not the best solution but it allows me to
>>>> proceed with my tests.
>>>> Is there any chance for the next NetCDF-java/grib release to have that
>>>> jj2k dependency (edu\ucar\jj2000\5.2) split into different jars?
>>>> one containing the "duplicated" part from jai_imageio and one
>>>> containing the "added" parts?
>>>> This way, for projects leveraging on jai_imageio (such as GeoTools,
>>>> GeoServer, ...) one may add some "exclusions" section to the pom in order
>>>> to avoid using the external jj2k jar in favor of the jai_imageio one.
>>>>
>>>> Please, let me know.
>>>> Best Regards,
>>>> Daniele
>>>>
>>>>
>>>> ==
>>>> GeoServer Professional Services from the experts! Visit
>>>> http://goo.gl/NWWaa2 for more information.
>>>> ==
>>>>
>>>> Ing. Daniele Romagnoli
>>>> Senior Software Engineer
>>>>
>>>> GeoSolutions S.A.S.
>>>> Via Poggio alle Viti 1187
>>>> 55054  Massarosa (LU)
>>>> Italy
>>>> phone: +39 0584 962313
>>>> fax:      +39 0584 1660272
>>>>
>>>> http://www.geo-solutions.it
>>>> http://twitter.com/geosolutions_it
>>>>
>>>> -------------------------------------------------------
>>>>
>>>> The information in this message and/or attachments, is intended solely
>>>> for the attention and use of the named addressee(s) and may be confidential
>>>> or proprietary in nature or covered by the provisions of privacy act
>>>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>>>> Code).Any use not in accord with its purpose, any disclosure, reproduction,
>>>> copying, distribution, or either dissemination, either whole or partial, is
>>>> strictly forbidden except previous formal approval of the named
>>>> addressee(s). If you are not the intended recipient, please contact
>>>> immediately the sender by telephone, fax or e-mail and delete the
>>>> information in this message that has been received in error. The sender
>>>> does not give any warranty or accept liability as the content, accuracy or
>>>> completeness of sent messages and accepts no responsibility  for changes
>>>> made after they were sent or for other risks which arise as a result of
>>>> e-mail transmission, viruses, etc.
>>>>
>>>>
>>>> On Wed, Apr 22, 2015 at 10:27 AM, Daniele Romagnoli <
>>>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>>>
>>>>> Hi Ryan,
>>>>> Thanks for the reply.
>>>>> I have already tried this approach.
>>>>> However, as you say, the JAI is missing some entries, such as
>>>>> jj2000.j2k.util.ParameterList which is only available in the GRIB package.
>>>>> For the moment, I'll try the opposite approach, by working on a
>>>>> reduced jai-imageio.jar without the whole jj2000 package.
>>>>>
>>>>> Cheers,
>>>>> Daniele
>>>>>
>>>>> On Tue, Apr 21, 2015 at 9:41 PM, Ryan May <rmay@xxxxxxxx> wrote:
>>>>>
>>>>>> Daniele,
>>>>>>
>>>>>> You could unjar (or unzip) the netcdf-java jar (netcdfAll-4.5.jar ?),
>>>>>> remove the jj2000 directory, and re-pack it into a new jar. I have no
>>>>>> idea, though, if the jai version of the jj2000 code provides all of the
>>>>>> APIs that are used to read GRIB files.
>>>>>>
>>>>>> Ryan
>>>>>>
>>>>>> On Tue, Apr 21, 2015 at 5:07 AM, Daniele Romagnoli <
>>>>>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>>>>>
>>>>>>> Hi again.
>>>>>>> I have also found this thread:
>>>>>>>
>>>>>>> https://www.unidata.ucar.edu/mailing_lists/archives/thredds/2014/msg00233.html
>>>>>>>
>>>>>>> That's basically the problem I have.
>>>>>>> To summarize, I'm trying to read a grib file which uses the jj2000
>>>>>>> machinery and I'm having exceptions since I also have jai-imageio on my
>>>>>>> classpath (I can't remove jai-imageio from the classpath).
>>>>>>>
>>>>>>> Do you have any suggestions for this?
>>>>>>> Cheers,
>>>>>>> Daniele
>>>>>>>
>>>>>>> On Fri, Apr 17, 2015 at 3:36 PM, Daniele Romagnoli <
>>>>>>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>>> Hi List,
>>>>>>>> I have basically the same issue reported by Akkineni Vijay.
>>>>>>>>
>>>>>>>> When reading some types of grib files I'm getting the exception
>>>>>>>> reported at the end of the email. I have checked a couple of similar
>>>>>>>> emails in the mailing list but it's not too clear to me how to resolve that.
>>>>>>>> Note that my project also uses jai_imageio.jar which contains
>>>>>>>> Oracle classes to do JAI ImageRead operations using ImageIO SPIs.
>>>>>>>> That jar also contains jj2000.j2k.* packages.
>>>>>>>>
>>>>>>>> Do you have any suggestion?
>>>>>>>> Please, let me know.
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Daniele
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> java.lang.SecurityException: sealing violation: package jj2000.j2k.util is sealed
>>>>>>>>     at java.net.URLClassLoader.getAndVerifyPackage(URLClassLoader.java:388)
>>>>>>>>     at java.net.URLClassLoader.defineClass(URLClassLoader.java:417)
>>>>>>>>     at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
>>>>>>>>     at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
>>>>>>>>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>>>>>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>>>>>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>>>>>>>>     at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>>>>>>>>     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>>>>>>>>     at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>>>>>>>>     at ucar.nc2.grib.grib2.Grib2JpegDecoder.<init>(Grib2JpegDecoder.java:119)
>>>>>>>>     at ucar.nc2.grib.grib2.Grib2DataReader2.getData40(Grib2DataReader2.java:727)
>>>>>>>>     at ucar.nc2.grib.grib2.Grib2DataReader2.getData(Grib2DataReader2.java:109)
>>>>>>>>     at ucar.nc2.grib.grib2.Grib2Record.readData(Grib2Record.java:321)
>>>>>>>>     at ucar.nc2.grib.collection.Grib2Iosp.readData(Grib2Iosp.java:405)
>>>>>>>>     at ucar.nc2.grib.collection.GribIosp$DataReader.read(GribIosp.java:940)
>>>>>>>>     at ucar.nc2.grib.collection.GribIosp.readDataFromCollection(GribIosp.java:860)
>>>>>>>>     at ucar.nc2.grib.collection.GribIosp.readData(GribIosp.java:810)
>>>>>>>>     at ucar.nc2.NetcdfFile.readData(NetcdfFile.java:1986)
>>>>>>>>     at ucar.nc2.Variable.reallyRead(Variable.java:899)
>>>>>>>>     at ucar.nc2.Variable._read(Variable.java:884)
>>>>>>>>     at ucar.nc2.Variable.read(Variable.java:695)
>>>>>>>>     at ucar.nc2.dataset.VariableDS.reallyRead(VariableDS.java:557)
>>>>>>>>     at ucar.nc2.dataset.VariableDS._read(VariableDS.java:537)
>>>>>>>>     at ucar.nc2.Variable.read(Variable.java:695)
>>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> netcdf-java mailing list
>>>>>>> netcdf-java@xxxxxxxxxxxxxxxx
>>>>>>> For list information or to unsubscribe, visit:
>>>>>>> http://www.unidata.ucar.edu/mailing_lists/
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ryan May
>>>>>> Software Engineer
>>>>>> UCAR/Unidata
>>>>>> Boulder, CO
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>>
>
>
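
The sealing violation reported in this thread occurs when two jars on the classpath both supply classes in `jj2000.j2k.util` and one of them marks the package as sealed in its manifest. As an added example (not code from the thread or from netcdf-java), this script reports packages that are split across jars and sealed by at least one of them; the jar names and the `Placeholder` class are constructed.

```python
import io
import zipfile
from collections import defaultdict

MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}) with lower-cased keys."""
    # Undo manifest line wrapping: a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    parsed = [{k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in sec.strip().split("\n"))}
              for sec in text.split("\n\n") if sec.strip()]
    main = parsed[0] if parsed else {}
    return main, {a["name"]: a for a in parsed[1:] if "name" in a}


def jar_packages(jar_bytes):
    """Map each package that holds a .class file to True if the jar seals it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        raw = jar.read(MANIFEST).decode("utf-8") if MANIFEST in names else ""
    main, entries = parse_manifest(raw)
    jar_default = main.get("sealed", "").lower() == "true"
    packages = {}
    for name in names:
        if name.endswith(".class") and "/" in name:
            directory = name.rsplit("/", 1)[0] + "/"
            flag = entries.get(directory, {}).get("sealed")  # per-package override
            sealed = jar_default if flag is None else flag.lower() == "true"
            packages[directory[:-1].replace("/", ".")] = sealed
    return packages


def sealing_conflicts(jars):
    """jars: {jar_name: bytes}. Packages found in 2+ jars and sealed by any."""
    owners = defaultdict(dict)
    for jar_name, data in jars.items():
        for package, sealed in jar_packages(data).items():
            owners[package][jar_name] = sealed
    return {p: sorted(o) for p, o in owners.items() if len(o) > 1 and any(o.values())}


def make_jar(manifest, class_paths):
    # Build a constructed in-memory jar with empty placeholder class files.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        for path in class_paths:
            jar.writestr(path, b"")
    return buf.getvalue()


SAMPLE = {  # constructed classpath; jar names and Placeholder class are invented
    "sealed-codec.jar": make_jar("Manifest-Version: 1.0\nSealed: true\n\n",
                                 ["jj2000/j2k/util/Placeholder.class"]),
    "grib-codec.jar": make_jar("Manifest-Version: 1.0\n\n",
                               ["jj2000/j2k/util/ParameterList.class"]),
}
```

To check a real classpath, pass `sealing_conflicts` a dict that maps each jar path to the bytes read from that file.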