Re: [netcdf-java] securityException while reading Grib files

Daniele,

After discussing it yesterday, we feel the best path forward is to simply
change the package name (e.g. unidata.jj2000). It's important that we use
this particular jj2000, rather than the jai_imageio one, because ours
contains fixes specifically for GRIB (for example, 1-bit images).

I'm targeting having this work done in time for the next bugfix release,
4.6.2.

Ryan

On Thu, May 21, 2015 at 5:06 AM, Daniele Romagnoli <
daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:

> Hi again,
> do you have any news or action plan about this topic?
>
> Please, let me know.
> Best Regards,
> Daniele
>
> On Thu, Apr 30, 2015 at 12:12 PM, Daniele Romagnoli <
> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>
>> Hi again,
>> For the moment, I have temporarly fixed by removing some classes from the
>> jai_imageio-1.1.jar. That's not the best solutions but it allows me to
>> proceed with my tests.
>> Is there any chance for the next NetCDF-java/grib release to have that
>> jj2k dependency (edu\ucar\jj2000\5.2) split into different jars?
>> one containing the "duplicated" part from jai_imageio and one containing
>> the "added" parts?
>> By this way, for projects leveraging on jai_imageio (such as GeoTools,
>> GeoServer, ...) one may add some "exclusions" section to the pom in order
>> to avoid using the external jj2k jar in favor of the jai_imageio one.
>>
>> Please, let me know.
>> Best Regards,
>> Daniele
>>
>>
>> ==
>> GeoServer Professional Services from the experts! Visit
>> http://goo.gl/NWWaa2 for more information.
>> ==
>>
>> Ing. Daniele Romagnoli
>> Senior Software Engineer
>>
>> GeoSolutions S.A.S.
>> Via Poggio alle Viti 1187
>> 55054  Massarosa (LU)
>> Italy
>> phone: +39 0584 962313
>> fax:      +39 0584 1660272
>>
>> http://www.geo-solutions.it
>> http://twitter.com/geosolutions_it
>>
>> -------------------------------------------------------
>>
>> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>>
>> Le informazioni contenute in questo messaggio di posta elettronica e/o
>> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>> principi dettati dal D.Lgs. 196/2003.
>>
>>
>>
>> The information in this message and/or attachments, is intended solely
>> for the attention and use of the named addressee(s) and may be confidential
>> or proprietary in nature or covered by the provisions of privacy act
>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>> Code).Any use not in accord with its purpose, any disclosure, reproduction,
>> copying, distribution, or either dissemination, either whole or partial, is
>> strictly forbidden except previous formal approval of the named
>> addressee(s). If you are not the intended recipient, please contact
>> immediately the sender by telephone, fax or e-mail and delete the
>> information in this message that has been received in error. The sender
>> does not give any warranty or accept liability as the content, accuracy or
>> completeness of sent messages and accepts no responsibility  for changes
>> made after they were sent or for other risks which arise as a result of
>> e-mail transmission, viruses, etc.
>>
>>
>> On Wed, Apr 22, 2015 at 10:27 AM, Daniele Romagnoli <
>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>
>>> Hi Ryan,
>>> Thanks for the reply.
>>> I have already tried this approach.
>>> However, as you say, the JAI is missing some entries, such as
>>> jj2000.j2k.util.ParameterList which is only available in the GRIB package.
>>> For the moment, I'll try the opposite approach, by working on a reduced
>>> jai-imageio.jar without the whole jj2000 package.
>>>
>>> Cheers,
>>> Daniele
>>>
>>>
>>>
>>> ==
>>> GeoServer Professional Services from the experts! Visit
>>> http://goo.gl/NWWaa2 for more information.
>>> ==
>>>
>>> Ing. Daniele Romagnoli
>>> Senior Software Engineer
>>>
>>> GeoSolutions S.A.S.
>>> Via Poggio alle Viti 1187
>>> 55054  Massarosa (LU)
>>> Italy
>>> phone: +39 0584 962313
>>> fax:      +39 0584 1660272
>>>
>>> http://www.geo-solutions.it
>>> http://twitter.com/geosolutions_it
>>>
>>> -------------------------------------------------------
>>>
>>> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>>>
>>> Le informazioni contenute in questo messaggio di posta elettronica e/o
>>> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
>>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>>> principi dettati dal D.Lgs. 196/2003.
>>>
>>>
>>>
>>> The information in this message and/or attachments, is intended solely
>>> for the attention and use of the named addressee(s) and may be confidential
>>> or proprietary in nature or covered by the provisions of privacy act
>>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>>> Code).Any use not in accord with its purpose, any disclosure, reproduction,
>>> copying, distribution, or either dissemination, either whole or partial, is
>>> strictly forbidden except previous formal approval of the named
>>> addressee(s). If you are not the intended recipient, please contact
>>> immediately the sender by telephone, fax or e-mail and delete the
>>> information in this message that has been received in error. The sender
>>> does not give any warranty or accept liability as the content, accuracy or
>>> completeness of sent messages and accepts no responsibility  for changes
>>> made after they were sent or for other risks which arise as a result of
>>> e-mail transmission, viruses, etc.
>>>
>>>
>>> On Tue, Apr 21, 2015 at 9:41 PM, Ryan May <rmay@xxxxxxxx> wrote:
>>>
>>>> Daniele,
>>>>
>>>> You could unjar (or unzip) the netcdf-java jar (netcdfAll-4.5.jar ?),
>>>> remove the jj2000 directory, and re-pack it into a new jar. I have no idea,
>>>> though, if the jai version of the jj2000 code provides all of the APIs that
>>>> are used to read GRIB files.
>>>>
>>>> Ryan
>>>>
>>>> On Tue, Apr 21, 2015 at 5:07 AM, Daniele Romagnoli <
>>>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>>>
>>>>> Hi again.
>>>>> I have also found this thread:
>>>>>
>>>>> https://www.unidata.ucar.edu/mailing_lists/archives/thredds/2014/msg00233.html
>>>>>
>>>>> That's basically the problem I have.
>>>>> To summarize, I'm trying to read a grib file which uses the jj2000
>>>>> machinery and I'm having exceptions since I also have jai-imageio on my
>>>>> classpath (I can't remove jai-imageio from the classpath).
>>>>>
>>>>> Do you have any suggestions for this?
>>>>> Cheers,
>>>>> Daniele
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ==
>>>>> GeoServer Professional Services from the experts! Visit
>>>>> http://goo.gl/NWWaa2 for more information.
>>>>> ==
>>>>>
>>>>> Ing. Daniele Romagnoli
>>>>> Senior Software Engineer
>>>>>
>>>>> GeoSolutions S.A.S.
>>>>> Via Poggio alle Viti 1187
>>>>> 55054  Massarosa (LU)
>>>>> Italy
>>>>> phone: +39 0584 962313
>>>>> fax:      +39 0584 1660272
>>>>>
>>>>> http://www.geo-solutions.it
>>>>> http://twitter.com/geosolutions_it
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>>>>>
>>>>> Le informazioni contenute in questo messaggio di posta elettronica e/o
>>>>> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
>>>>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>>>>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>>>>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>>>>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>>>>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>>>>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>>>>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>>>>> principi dettati dal D.Lgs. 196/2003.
>>>>>
>>>>>
>>>>>
>>>>> The information in this message and/or attachments, is intended solely
>>>>> for the attention and use of the named addressee(s) and may be 
>>>>> confidential
>>>>> or proprietary in nature or covered by the provisions of privacy act
>>>>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>>>>> Code).Any use not in accord with its purpose, any disclosure, 
>>>>> reproduction,
>>>>> copying, distribution, or either dissemination, either whole or partial, 
>>>>> is
>>>>> strictly forbidden except previous formal approval of the named
>>>>> addressee(s). If you are not the intended recipient, please contact
>>>>> immediately the sender by telephone, fax or e-mail and delete the
>>>>> information in this message that has been received in error. The sender
>>>>> does not give any warranty or accept liability as the content, accuracy or
>>>>> completeness of sent messages and accepts no responsibility  for changes
>>>>> made after they were sent or for other risks which arise as a result of
>>>>> e-mail transmission, viruses, etc.
>>>>>
>>>>>
>>>>> On Fri, Apr 17, 2015 at 3:36 PM, Daniele Romagnoli <
>>>>> daniele.romagnoli@xxxxxxxxxxxxxxxx> wrote:
>>>>>
>>>>>> Hi List,
>>>>>> I have basically the same issue reported by Akkineni Vijay.
>>>>>>
>>>>>> When reading some types of grib files I'm getting the exception
>>>>>> reported at the end of the email. I have checked a couple of similar 
>>>>>> emails
>>>>>> in the mailing list but it's not too clear to me how to resolve that .
>>>>>> Note that my project also uses jai_imageio.jar which contains Oracle
>>>>>> classes to do JAI ImageRead operations using ImageIO SPIs.
>>>>>> That jar also contains a jj2000.j2k.* packages.
>>>>>>
>>>>>> Do you have any suggestion?
>>>>>> Please, let me know.
>>>>>>
>>>>>> Best Regards,
>>>>>> Daniele
>>>>>>
>>>>>>
>>>>>>
>>>>>> java.lang.SecurityException: sealing violation: package
>>>>>> jj2000.j2k.util is sealed
>>>>>>     at
>>>>>> java.net.URLClassLoader.getAndVerifyPackage(URLClassLoader.java:388)
>>>>>>     at java.net.URLClassLoader.defineClass(URLClassLoader.java:417)
>>>>>>     at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
>>>>>>     at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
>>>>>>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>>>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>>>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>>>>>>     at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>>>>>>     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>>>>>>     at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>>>>>>     at
>>>>>> ucar.nc2.grib.grib2.Grib2JpegDecoder.<init>(Grib2JpegDecoder.java:119)
>>>>>>     at
>>>>>> ucar.nc2.grib.grib2.Grib2DataReader2.getData40(Grib2DataReader2.java:727)
>>>>>>     at
>>>>>> ucar.nc2.grib.grib2.Grib2DataReader2.getData(Grib2DataReader2.java:109)
>>>>>>     at ucar.nc2.grib.grib2.Grib2Record.readData(Grib2Record.java:321)
>>>>>>     at ucar.nc2.grib.collection.Grib2Iosp.readData(Grib2Iosp.java:405)
>>>>>>     at
>>>>>> ucar.nc2.grib.collection.GribIosp$DataReader.read(GribIosp.java:940)
>>>>>>     at
>>>>>> ucar.nc2.grib.collection.GribIosp.readDataFromCollection(GribIosp.java:860)
>>>>>>     at ucar.nc2.grib.collection.GribIosp.readData(GribIosp.java:810)
>>>>>>     at ucar.nc2.NetcdfFile.readData(NetcdfFile.java:1986)
>>>>>>     at ucar.nc2.Variable.reallyRead(Variable.java:899)
>>>>>>     at ucar.nc2.Variable._read(Variable.java:884)
>>>>>>     at ucar.nc2.Variable.read(Variable.java:695)
>>>>>>     at ucar.nc2.dataset.VariableDS.reallyRead(VariableDS.java:557)
>>>>>>     at ucar.nc2.dataset.VariableDS._read(VariableDS.java:537)
>>>>>>     at ucar.nc2.Variable.read(Variable.java:695)
>>>>>>
>>>>>>
>>>>>>
>>>>>> ==
>>>>>> GeoServer Professional Services from the experts! Visit
>>>>>> http://goo.gl/NWWaa2 for more information.
>>>>>> ==
>>>>>>
>>>>>> Ing. Daniele Romagnoli
>>>>>> Senior Software Engineer
>>>>>>
>>>>>> GeoSolutions S.A.S.
>>>>>> Via Poggio alle Viti 1187
>>>>>> 55054  Massarosa (LU)
>>>>>> Italy
>>>>>> phone: +39 0584 962313
>>>>>> fax:      +39 0584 1660272
>>>>>>
>>>>>> http://www.geo-solutions.it
>>>>>> http://twitter.com/geosolutions_it
>>>>>>
>>>>>> -------------------------------------------------------
>>>>>>
>>>>>> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>>>>>>
>>>>>> Le informazioni contenute in questo messaggio di posta elettronica
>>>>>> e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. 
>>>>>> Il
>>>>>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>>>>>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>>>>>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>>>>>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>>>>>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>>>>>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>>>>>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>>>>>> principi dettati dal D.Lgs. 196/2003.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The information in this message and/or attachments, is intended
>>>>>> solely for the attention and use of the named addressee(s) and may be
>>>>>> confidential or proprietary in nature or covered by the provisions of
>>>>>> privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data
>>>>>> Protection Code).Any use not in accord with its purpose, any disclosure,
>>>>>> reproduction, copying, distribution, or either dissemination, either 
>>>>>> whole
>>>>>> or partial, is strictly forbidden except previous formal approval of the
>>>>>> named addressee(s). If you are not the intended recipient, please contact
>>>>>> immediately the sender by telephone, fax or e-mail and delete the
>>>>>> information in this message that has been received in error. The sender
>>>>>> does not give any warranty or accept liability as the content, accuracy 
>>>>>> or
>>>>>> completeness of sent messages and accepts no responsibility  for changes
>>>>>> made after they were sent or for other risks which arise as a result of
>>>>>> e-mail transmission, viruses, etc.
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> netcdf-java mailing list
>>>>> netcdf-java@xxxxxxxxxxxxxxxx
>>>>> For list information or to unsubscribe, visit:
>>>>> http://www.unidata.ucar.edu/mailing_lists/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ryan May
>>>> Software Engineer
>>>> UCAR/Unidata
>>>> Boulder, CO
>>>>
>>>
>>>
>>
>
>
> --
> ==
> Meet us at the INSPIRE Conference in Lisbon 25-29 May 2015! Visit
> http://goo.gl/WHKDXT for more information.
> ==
>
> Ing. Daniele Romagnoli
> Senior Software Engineer
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax:      +39 0584 1660272
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>
> Le informazioni contenute in questo messaggio di posta elettronica e/o
> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
> darcene notizia via e-mail e di procedere alla distruzione del messaggio
> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
> principi dettati dal D.Lgs. 196/2003.
>
>
>
> The information in this message and/or attachments, is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of privacy act
> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
> Code).Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or either dissemination, either whole or partial, is
> strictly forbidden except previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact
> immediately the sender by telephone, fax or e-mail and delete the
> information in this message that has been received in error. The sender
> does not give any warranty or accept liability as the content, accuracy or
> completeness of sent messages and accepts no responsibility  for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
>


-- 
Ryan May
Software Engineer
UCAR/Unidata
Boulder, CO
  • 2015 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the netcdf-java archives: