HibernateMethodLookupDispatcher - Issue with Security Manager

Description

I guess I found a little bug which was introduced by the usage of Byte Buddy as a bytecode enhancer.
The issue can be fixed quite simply, but it's very crucial since Hibernate does not work if a security manager is in place.

Let me try to explain my discovery:

Within the class HibernateMethodLookupDispatcher is a static property authorizedClasses.
This is nice, since I see that all my Byte Buddy enhanced beans are in there.

ch.carnet.bo.xxx$HibernateProxy$KMjF1hvl
ch.carnet.bo.yyy$HibernateProxy$N7p0Y4Ea
ch.carnet.bo.zzz$HibernateProxy$f9HFlBtl
... (a lot more)

Later while processing, my debugger hits line 74:

if ( !authorizedClasses.contains( callerClass.getName() ) ) {
    throw new SecurityException( "Unauthorized call by class " + callerClass );
}

With that line all my beans can no longer be processed.
This results in a misleading error:

ERROR org.hibernate.proxy.pojo.bytebuddy.ByteBuddyProxyFactory - HHH000142: Bytecode enhancement failed: ch.carnet.bo.xxx

Since I do not know Hibernate to the very last detail, I'm not sure if
1. the stack trace index call from line 178 is not always the same.

private static class SecurityActions extends SecurityManager {
    private Class<?> getCallerClass() {
        return getClassContext()[7];
    }
}

So my basic question here is now:
Can you imagine a case where the effective calling class is not at position 8?

In my case, the proxy was at position 8:

  • 0 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$SecurityActions
  • 1 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$SecurityActions
  • 2 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$5
  • 3 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher$5
  • 4 class java.security.AccessController
  • 5 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher
  • 6 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher
  • 7 class org.hibernate.bytecode.internal.bytebuddy.HibernateMethodLookupDispatcher
  • 8 class ch.carnet.cfms.q2o.bo.Q2OCostCategoryValues$HibernateProxy$vzJDtOEj
  • 9 class java.lang.reflect.Constructor

I will check if the stack trace is different sometimes and if so, why this would be the case.
Otherwise it's maybe just a small bug, since one did not think about the class java.security.AccessController at position 4 or something else.

Best Regards, Synto
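As an added illustration (not Hibernate's code and not the patch from pull request #2792), the following Java demo contrasts a caller check that reads getClassContext() at a fixed depth with one that scans past the dispatcher's own frames, running both with and without an AccessController frame in between. The names CallerCheckDemo, FixedDepthActions, ScanningActions and TrustedCaller are made up for the demo, which assumes a JDK where java.lang.SecurityManager is still present.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Set;

// Added illustration, not Hibernate code. All class names are made up for the demo.
public class CallerCheckDemo {
    // Allow-list of caller classes, standing in for authorizedClasses in the report.
    private static final Set<String> AUTHORIZED = Collections.singleton("TrustedCaller");
    // Fixed-depth lookup: the getClassContext()[7] pattern quoted in the report.
    static class FixedDepthActions extends SecurityManager {
        Class<?> callerAt(int depth) { return getClassContext()[depth]; }
    }
    // Depth-independent lookup: skip the dispatcher's own and JDK classes, take the first other frame.
    static class ScanningActions extends SecurityManager {
        Class<?> firstExternalCaller() {
            for (Class<?> c : getClassContext()) {
                String n = c.getName();
                if (!(n.equals("CallerCheckDemo") || n.startsWith("CallerCheckDemo$")
                        || n.startsWith("java.") || n.startsWith("jdk."))) return c;
            }
            throw new SecurityException("No caller frame outside the dispatcher found");
        }
    }
    // Direct path: [0]=FixedDepthActions, [1]=resolveCaller, [2]=guardedOperation, [3]=caller.
    static Class<?> resolveCaller(boolean scan) {
        return scan ? new ScanningActions().firstExternalCaller() : new FixedDepthActions().callerAt(3);
    }
    // Guarded entry point; doPrivileged inserts AccessController/PrivilegedAction frames above the caller.
    static void guardedOperation(boolean viaAccessController, boolean scan) {
        Class<?> caller = viaAccessController
                ? AccessController.doPrivileged((PrivilegedAction<Class<?>>) () -> resolveCaller(scan))
                : resolveCaller(scan);
        if (!AUTHORIZED.contains(caller.getName()))
            throw new SecurityException("Unauthorized call by class " + caller);
    }
    public static void main(String[] args) {
        boolean[] flags = {false, true};
        for (boolean viaAc : flags) for (boolean scan : flags) {
            String mode = (viaAc ? "via AccessController" : "direct") + (scan ? " / scan" : " / fixed depth");
            try { TrustedCaller.call(viaAc, scan); System.out.println(mode + ": accepted"); }
            catch (SecurityException e) { System.out.println(mode + ": " + e.getMessage()); }
        }
    }
}
// Stand-in for the authorized caller (the HibernateProxy class in the report).
class TrustedCaller {
    static void call(boolean viaAc, boolean scan) { CallerCheckDemo.guardedOperation(viaAc, scan); }
}
```

The fixed-depth variant only accepts the trusted caller on the direct path; once doPrivileged adds frames the index points at the wrong class, which is the same shift the reporter sees with AccessController at position 4.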

Activity


Former user April 19, 2019 at 7:29 AM

Fixed in 5.3 branch as well.

Guillaume Smet March 4, 2019 at 9:28 AM

OK, thanks for the feedback. We'll try to release 5.4.2.Final soon.

Tobias Lanz February 25, 2019 at 9:34 AM

Hi Guillaume

I was able to run my affected JSON endpoints with version 5.3.8.Final.
The bug I was encountering was not present there.

Anyway, the good news besides that is that I was able to test out your fix provided within pull request #2792.

It works like a charm after your refactoring.
Best Regards, Synto

Tobias Lanz February 22, 2019 at 8:36 AM

Hi Guillaume
Previously I was running 5.3.7 and everything worked like a charm.
I can test with 5.3.8; if the bug was introduced with that version I'll let you know.
I will be able to do that next week.


Guillaume Smet February 21, 2019 at 11:31 PM

Could you try this patch, please?

https://github.com/hibernate/hibernate-orm/pull/2792

It should be less fragile.

I see you are using IBM JVM, you did run that one before with 5.3.7?

(still interested if you can test 5.3.8)

Fixed

Details


Created February 19, 2019 at 3:24 PM
Updated April 19, 2019 at 7:29 AM
Resolved April 19, 2019 at 7:29 AM