HibernateMethodLookupDispatcher - Issue with Security Manager


I guess i found a little bug which was introduced by the usage of byte buddy as a byte code enhancer.
The issue can be fixed quite simply, but it's very crutial since hibernate does not work if a security manager is in place.

let me try to explain my discovery:

Within the class HibernateMethodLookupDispatcher is a static property authorizedClasses.
This is nice, since i see that all my Byte Buddy Enhanced Beans are in there.

... (a lot more)

Later while processing, my debugger hit's the line 74:

with that line all my beans can no longer be processed.
this is resulting in a missleading Error:

ERROR org.hibernate.proxy.pojo.bytebuddy.ByteBuddyProxyFactory - HHH000142: Bytecode enhancement failed: ch.carnet.bo.xxx

Since i do not know hibernate to the very last detail, i'm not sure if
1. the stacketrace index call from the line 178 is not always the same.

So my basic question here is now:
Can you imagine a case where the effective calling Class is not on Position 8?

in my case, the proxy was at position 8:

  • 0 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$SecurityActions

  • 1 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$SecurityActions

  • 2 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$5

  • 3 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$5

  • 4 class java.security.AccessController

  • 5 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher

  • 6 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher

  • 7 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher

  • 8 class ch.carnet.cfms.q2o.bo.Q2OCostCategoryValues$HibernateProxy$vzJDtOEj

  • 9 class java.lang.reflect.Constructor

I will check if the stacktrace is different sometimes and if so, why this would be the case.
Otherwise it's maybe just a small bug, since one did not think about the class java.security.AccessController on position 4 or something else.

Best Regards, Synto


hibernate 5.4.1.Final , Spring 5.1.5.RELEASE, Spring Data JPA 2.1.5.RELEASE, ByteBuddy 1.9.10, IBM jvm (Java 8)


Guillaume Smet
February 21, 2019, 11:31 PM

could you try this patch, please?


It should be less fragile.

I see you are using IBM JVM, you did run that one before with 5.3.7?

(still interested if you can test 5.3.8)

Tobias Lanz
February 22, 2019, 8:36 AM

Hi guillaume
Previously i was running 5.3.7 and everything worked like a charm.
I can test with 5.3.8 if the bug was introduced with that version i'll let you know.
I will be able to do that next week.

Am 22.02.2019 00:31 schrieb "Guillaume Smet (JIRA)" <jira@hibernate.atlassian.net>:

[1]Guillaume Smet commented on [2]HHH-13277


[3]Re: HibernateMethodLookupDispatcher - Issue with Security Manager

[4]Tobias Lanz could you try this patch, please?


It should be less fragile.

I see you are using IBM JVM, you did run that one before with 5.3.7?

(still interested if you can test 5.3.8)

[6] [7]Add Comment

Get Jira notifications on your phone! Download the Jira Cloud app for [8]Android or [9]iOS
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100098-sha1:6c43ad8)

---------------------------------------------------------------------------------------- [1] https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A71e31052-f0d7-46e3-a9d7-8b9acd6998d8
[2] https://hibernate.atlassian.net/browse/HHH-13277?atlOrigin=eyJpIjoiZGEyOTdiYTU0NTcyNDk0NDhhYTJhOTEzMTBhMmJhZjciLCJwIjoiaiJ9
[3] https://hibernate.atlassian.net/browse/HHH-13277?atlOrigin=eyJpIjoiZGEyOTdiYTU0NTcyNDk0NDhhYTJhOTEzMTBhMmJhZjciLCJwIjoiaiJ9
[4] https://hibernate.atlassian.net/secure/ViewProfile.jspa?accountId=557058:43edbfc5-44d3-481d-9581-8fc52fa66a2b
[5] https://github.com/hibernate/hibernate-orm/pull/2792
[6] https://hibernate.atlassian.net/browse/HHH-13277#add-comment?atlOrigin=eyJpIjoiZGEyOTdiYTU0NTcyNDk0NDhhYTJhOTEzMTBhMmJhZjciLCJwIjoiaiJ9
[7] https://hibernate.atlassian.net/browse/HHH-13277#add-comment?atlOrigin=eyJpIjoiZGEyOTdiYTU0NTcyNDk0NDhhYTJhOTEzMTBhMmJhZjciLCJwIjoiaiJ9
[8] https://play.google.com/store/apps/details?id=com.atlassian.android.jira.core&referrer=utm_source%3DNotificationLink%26utm_medium%3DEmail
[9] https://itunes.apple.com/app/apple-store/id1006972087?pt=696495&ct=EmailNotificationLink&mt=8

Tobias Lanz
February 25, 2019, 9:34 AM

Hi Guillaume

I was able to run my affected json endpoints with version 5.3.8.Final.
The Bug i was encountering was not present there.

Anyways, the good news besides that is that i was able to test out your fix provided within pull request #2792

works like a charm after your refactoring.
Best Regards, Synto

Guillaume Smet
March 4, 2019, 9:28 AM

OK, thanks for the feedback. We'll try to release 5.4.2.Final soon.

Gail Badner
April 19, 2019, 7:29 AM

Fixed in 5.3 branch as well.


Guillaume Smet


Tobias Lanz

Fix versions



Suitable for new contributors


Requires Release Note


Pull Request




Worked in



Affects versions