Improve integration with Java's security manager

Description

Currently we wrap all reflection calls in PrivilegedAction. This way Validators need the following grants in the policy file:

    grant codeBase "file:/path/to/hibernate-validator-5.1.1.Final.jar" {
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        ...
    };

However, this also means that a user might now use ReflectionHelper to execute reflection calls which otherwise would not be allowed. To prevent this we need a Validator-specific permission type. Something like this:

    class ReflectionHelper {
        public static Field getDeclaredField(Class<?> clazz, String fieldName) {
            SecurityManager securityManager = System.getSecurityManager();
            if ( securityManager != null ) {
                securityManager.checkPermission( HibernateValidatorInternalPermission.INSTANCE );
            }
            ...
        }
    }

Assignee

Gunnar Morling

Reporter

Hardy Ferentschik

Affects versions

5.1.1.Final
4.3.1.Final
5.1.0.Final

Priority

Major
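
The check-then-doPrivileged pattern proposed in the description, as an added example that is not Hibernate Validator's own code. `GuardedReflection`, `InternalPermission` and the permission name `accessInternals` are hypothetical, and the example assumes a JDK on which the Security Manager API is still available.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

public final class GuardedReflection {

    /** Hypothetical marker permission; public with a (String) constructor so a policy file can grant it. */
    public static final class InternalPermission extends BasicPermission {
        public static final InternalPermission INSTANCE = new InternalPermission("accessInternals");

        public InternalPermission(String name) {
            super(name);
        }
    }

    public static Field getDeclaredField(final Class<?> clazz, final String fieldName) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Must run BEFORE doPrivileged: checkPermission walks the call stack, so every
            // protection domain on it (up to the nearest doPrivileged frame) has to hold
            // InternalPermission. A caller without the grant gets a SecurityException here.
            sm.checkPermission(InternalPermission.INSTANCE);
        }
        // From here on only this class's own grants (suppressAccessChecks,
        // accessDeclaredMembers) are consulted, not the caller's.
        return AccessController.doPrivileged((PrivilegedAction<Field>) () -> {
            try {
                Field field = clazz.getDeclaredField(fieldName);
                field.setAccessible(true);
                return field;
            } catch (NoSuchFieldException e) {
                return null; // field does not exist on clazz
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample target with a private field.
        class Sample { private String secret = "constructed sample value"; }
        Field field = getDeclaredField(Sample.class, "secret");
        System.out.println(field.getName() + " = " + field.get(new Sample()));
    }
}
```

Without the guard, the `doPrivileged` block would let any code that can call the helper borrow the library's `suppressAccessChecks` and `accessDeclaredMembers` grants.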