[HV-912] Improve integration with Java's security manager - Hibernate JIRA

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.3.1.Final, 5.1.0.Final, 5.1.1.Final
Fix Version/s: 4.2.1.Final, 4.3.2.Final, 5.1.2.Final, 5.2.0.Alpha1
Component/s: engine
Labels:
None

Last commented by a user?:
true
Sprint:

Description

Currently we wrap all reflection calls in PrivilegedAction. This way Validators need the following grants in the policy file:

    grant codeBase "file:/path/to/hibernate-validator-5.1.1.Final.jar" {
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        ...
    };

However, this also means that a user might now use ReflectionHelper to execute reflection calls which otherwise would be no allowed. To prevent this we need a Validator specific permission type. Something like this:

    class ReflectionHelper {
        public static Field getDeclaredField(Class<?> clazz, String fieldName) {
            SecurityManager securityManager = System.getSecurityManager();

            if ( securityManager != null ) {
                securityManager.checkPermission( HibernateValidatorInternalPermission.INSTANCE );
            }
            ...
        }
    }

Attachments

Issue links

is followed up by

HV-913 Provide a way to run the test suite using a security manager

Closed

HV-914 Document permissions required to run Hibernate Validator with a security manager

Closed

Activity

People

Assignee:

Gunnar Morling

Reporter:

Hardy Ferentschik

Participants:

Emmanuel Bernard, Gunnar Morling, Hardy Ferentschik

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

15/Jul/2014 13:01 PM

Updated:

22/Oct/2014 07:50 AM

Resolved:

25/Jul/2014 02:25 AM