Improve integration with Java's security manager

Description

Currently we wrap all reflection calls in PrivilegedAction. This way Validators need the following grants in the policy file:

```
grant codeBase "file:/path/to/hibernate-validator-5.1.1.Final.jar" {
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    ...
};
```

However, this also means that a user might now use ReflectionHelper to execute reflection calls which otherwise would not be allowed. To prevent this we need a Validator-specific permission type. Something like this:

```java
class ReflectionHelper {

    public static Field getDeclaredField(Class<?> clazz, String fieldName) {
        SecurityManager securityManager = System.getSecurityManager();
        if ( securityManager != null ) {
            securityManager.checkPermission( HibernateValidatorInternalPermission.INSTANCE );
        }
        ...
    }
}
```
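A fuller sketch of the proposal above, added here as an illustration and not taken from the issue or from Hibernate Validator's code base. The permission name `accessPrivateMembers`, the `org.example` package in the policy comment, and the class bodies are assumptions; the point it shows is that the custom permission is checked before the privileged block is entered.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

// Hypothetical permission type. In a real code base this is a public top-level
// class so that a policy file can instantiate it, e.g. (placeholder package):
//   permission org.example.HibernateValidatorInternalPermission "accessPrivateMembers";
final class HibernateValidatorInternalPermission extends BasicPermission {
    static final HibernateValidatorInternalPermission INSTANCE =
            new HibernateValidatorInternalPermission("accessPrivateMembers"); // assumed name

    public HibernateValidatorInternalPermission(String name) {
        super(name);
    }
}

@SuppressWarnings("removal") // SecurityManager APIs are deprecated for removal since Java 17
final class ReflectionHelper {
    private ReflectionHelper() {
    }

    static Field getDeclaredField(Class<?> clazz, String fieldName) {
        // Check first, outside doPrivileged: the stack walk then covers the
        // caller's protection domain, so code without the grant is rejected
        // with a SecurityException before any reflection happens.
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(HibernateValidatorInternalPermission.INSTANCE);
        }
        // Only now use the jar's own ReflectPermission / RuntimePermission grants.
        return AccessController.doPrivileged((PrivilegedAction<Field>) () -> {
            try {
                Field field = clazz.getDeclaredField(fieldName);
                field.setAccessible(true);
                return field;
            } catch (NoSuchFieldException e) {
                return null; // field not declared on this class
            }
        });
    }

    // Constructed demo: without a security manager the check is skipped.
    public static void main(String[] args) {
        System.out.println(getDeclaredField(String.class, "value"));
    }
}
```

With this layout the custom permission has to be granted to the validator jar alongside the two reflection permissions, and library entry points that are reached from application code have to call the helper from inside their own `doPrivileged` block so that the stack walk stops at the library's frame.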

Environment

None

Status

Assignee

Gunnar Morling

Reporter

Hardy Ferentschik

Components

Affects versions

4.3.1.Final
5.1.0.Final
5.1.1.Final

Priority

Major