ServiceLocator and Java2 Security


We are using Liquibase 2.0rc5 in Websphere with Java 2 security turned on.

When the application starts up, the JVM throws a bunch of AccessControlException that all trace back to liquibase’s Service Locator, line 79.

Lines 78 and 79 are:

  1.                 manifests = resourceAccessor.getResources(“META-INF/MANIFEST.MF”);
                    while (manifests.hasMoreElements()) {

It seems that ServiceLocator is scanning the Manifest.MF file for every jar in the class path, looking for liquibase properties. 

We can work around the issue by setting liquibase.scan.packages with the values
  1. liquibase.change,liquibase.database,liquibase.parser,liquibase.precondition,liquibase.serializer,liquibase.sqlgenerator,liquibase.executor,liquibase.snapshot,liquibase.logging,liquibase.ext

So why does ServiceLocator need to scan every jar for these properties, when they are located in liquibases’ own  By scanning every jar in the class path, when java 2 security is turned on, liquibase will try to access jar files it has no permission to access.