1. connect2id Avatar connect2id
  2. Crypto
  3. Nimbus-JOSE-JWT
  4. Issues

Illegal reflection reported on the nimbus project

Issue #448 resolved
Bart Beton created an issue

Hi,

We get these messages:

2021-11-10T13:06:01.52+0100 [APP/PROC/WEB/1] ERR WARNING: An illegal reflective access operation has occurred
2021-11-10T13:06:01.52+0100 [APP/PROC/WEB/1] ERR WARNING: Illegal reflective access by com.nimbusds.jose.shaded.asm.DynamicClassLoader (file:xxxxxx/app/BOOT-INF/lib/nimbus-jose-jwt-9.10.1.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int)
2021-11-10T13:06:01.52+0100 [APP/PROC/WEB/1] ERR WARNING: Please consider reporting this to the maintainers of com.nimbusds.jose.shaded.asm.DynamicClassLoader

Is this a known issue?

Running on jdk 11, linux in a Spring Boot application.

Regards,

Bart

Comments (8)

  3. Yavor Vasilev
    • changed status to open

    Hello Bart,

    This issue appears to come from the shaded JOSE library.

    Could you upgrade to version 9.21.1 (2022-04-21) or later, and report if it is still appearing?

  4. Bart Beton reporter

    Yes, it’s still there (on version: 9.23)

    [ERROR] WARNING: An illegal reflective access operation has occurred
[ERROR] WARNING: Illegal reflective access by com.nimbusds.jose.shaded.asm.DynamicClassLoader (file:/Users/#######/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.23/nimbus-jose-jwt-9.23.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int)
[ERROR] WARNING: Please consider reporting this to the maintainers of com.nimbusds.jose.shaded.asm.DynamicClassLoader
[ERROR] WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
[ERROR] WARNING: All illegal access operations will be denied in a future release

  6. Yavor Vasilev

    Hi Bart,

    It looks like we’ll need to change the underlying JSON lib, because JSON Smart is no longer being actively maintained, to remove such reflection warnings.

    The primary candidate is Gson for now.

    There was also a proposal to add an SPI to enable dynamic plugging of JSON libs for the serialisation and parsing.

  7. Bart Beton reporter

    That would be nice. I think Gson is a good choice. it’s very common in usage right now and in benchmark tests usually the fastest. Alternatively you could use Jackson, which is default in Spring Boot.

  9. Log in to comment
Assignee
Type
bug
Priority
minor
Status
resolved
Component
Milestone
Votes
0
Watchers
2
Jira: the preferred issue tracker for Bitbucket. Join the team!