Hibernate Validator / HV-912

Improve integration with Java's security manager

      Description

      Currently we wrap all reflection calls in PrivilegedAction. This way Validators need the following grants in the policy file:

          grant codeBase "file:/path/to/hibernate-validator-5.1.1.Final.jar" {
              permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
              permission java.lang.RuntimePermission "accessDeclaredMembers";
              ...
          };
      

      However, this also means that a user might now use ReflectionHelper to execute reflection calls which would otherwise not be allowed. To prevent this we need a Validator-specific permission type. Something like this:

          class ReflectionHelper {
              public static Field getDeclaredField(Class<?> clazz, String fieldName) {
                  SecurityManager securityManager = System.getSecurityManager();
      
                  if ( securityManager != null ) {
                      securityManager.checkPermission( HibernateValidatorInternalPermission.INSTANCE );
                  }
                  ...
              }
          }
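
A self-contained version of the sketch above, added here as an example and not taken from the Hibernate Validator code base. The permission target name `accessPrivateMembers`, the wrapper class `ValidatorPermissionSketch`, the `sample` field and the null return for a missing field are assumptions made for illustration.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

public class ValidatorPermissionSketch {

    // Hypothetical permission type named as in the issue; the target name is an assumption.
    public static final class HibernateValidatorInternalPermission extends BasicPermission {
        static final HibernateValidatorInternalPermission INSTANCE =
                new HibernateValidatorInternalPermission("accessPrivateMembers");

        // Public (String) constructor so a policy file grant can instantiate it.
        public HibernateValidatorInternalPermission(String name) {
            super(name);
        }
    }

    static final class ReflectionHelper {
        private ReflectionHelper() {
        }

        static Field getDeclaredField(Class<?> clazz, String fieldName) {
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                // Runs before doPrivileged, so the callers on the stack must hold
                // the permission too, not only the validator jar.
                securityManager.checkPermission(HibernateValidatorInternalPermission.INSTANCE);
            }
            // Only now use the jar's own reflection grants on the caller's behalf.
            return AccessController.doPrivileged((PrivilegedAction<Field>) () -> {
                try {
                    Field field = clazz.getDeclaredField(fieldName);
                    field.setAccessible(true);
                    return field;
                } catch (NoSuchFieldException e) {
                    return null; // absent field reported as null in this sketch
                }
            });
        }
    }

    private String sample = "constructed sample field";

    public static void main(String[] args) {
        // Without a security manager the check is skipped and the field is returned.
        System.out.println(ReflectionHelper.getDeclaredField(ValidatorPermissionSketch.class, "sample"));
    }
}
```

`SecurityManager` and `AccessController` are deprecated for removal since Java 17, so this compiles with deprecation warnings on current JDKs.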
      
