java.lang.SecurityException: class "XYZ"'s signer information does not match signer information of other classes in the same package

Question

I have an applet which runs in a browser and is called from Javascript. There are 2 classes: PortalLauncher and ParamSplitter and these are in the default package. Javascript calls a method in PortalLauncher which in turn calls a function in ParamSplitter. The applet is in a signed jar.

This works most of the time. However, a few users have problems from time to time. At some time in the day (i.e. not on first access) the following exception is thrown:

java.lang.SecurityException: class "ParamSplitter"'s signer information does not
    match signer information of other classes in the same package
    at java.lang.ClassLoader.checkCerts(Unknown Source)
    at java.lang.ClassLoader.preDefineClass(Unknown Source)
    at java.lang.ClassLoader.defineClass(Unknown Source)
    at java.security.SecureClassLoader.defineClass(Unknown Source)
    at java.net.URLClassLoader.defineClass(Unknown Source)
    at java.net.URLClassLoader.access$000(Unknown Source)
    at java.net.URLClassLoader$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(Unknown Source)
    at sun.applet.AppletClassLoader.findClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at sun.applet.AppletClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClassInternal(Unknown Source)
    at PortalLauncher.openFile(PortalLauncher.java:313)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.plugin.javascript.JSInvoke.invoke(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
    at sun.plugin.com.MethodDispatcher.invoke(Unknown Source)
    at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
    at sun.plugin.com.DispatchImpl$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin.com.DispatchImpl.invoke(Unknown Source)
java.lang.Exception: java.lang.SecurityException: class "ParamSplitter"'s signer
    information does not match signer information of other classes in the same package
    at sun.plugin.com.DispatchImpl.invokeImpl(Unknown Source)
    at sun.plugin.com.DispatchImpl$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.plugin.com.DispatchImpl.invoke(Unknown Source)

Can anyone throw any light on what this exception means and what might be causing it? There are about 800 users who have this applet but only a handfull are affected and even those have the problem only occaisionally.

Answer 1

It means that inside the same JVM, there are other classes loaded from other jars that have been signed differently (or not signed maybe), also in the default package.

If I interpret your question correctly your applet itself only has one jar, so it must be a jar coming from somewhere else; that only some users have. My first thought it's maybe the jar of an applet running in another tab (that can be using the same jvm instance). But other applets should be using a separate classloader, so they shouldn't collide like that. More likely, they have a jar in the boot classpath of their jvm that also has a class in the root package.

Either way, the solution/workaround is simply not to use the default package, but your own package. That way you avoid colliding with the other jar.