Author: epbernard Date: 2009-08-10 21:01:18 -0400 (Mon, 10 Aug 2009) New Revision: 17261 Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/ContainsMethod.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetAnnotationParameter.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetConstructor.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethod.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethodFromPropertyName.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethods.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/NewInstance.java Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/ConstraintValidatorFactoryImpl.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/resolver/DefaultTraversableResolver.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintDescriptorImpl.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintHelper.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/ReflectionHelper.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/annotationfactory/AnnotationFactory.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/ValidationXmlParser.java validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/XmlMappingParser.java Log: HV-171 partial implementation adding due doPriviledge when needed Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/ConstraintValidatorFactoryImpl.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/ConstraintValidatorFactoryImpl.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/ConstraintValidatorFactoryImpl.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -17,10 +17,13 @@ */ package org.hibernate.validation.engine; +import java.security.AccessController; import javax.validation.ConstraintValidator; import javax.validation.ConstraintValidatorFactory; import javax.validation.ValidationException; +import org.hibernate.validation.util.priviledgedactions.NewInstance; + /** * Default <code>ConstraintValidatorFactory</code> using a no-arg constructor. * @@ -30,17 +33,12 @@ public class ConstraintValidatorFactoryImpl implements ConstraintValidatorFactory { public <T extends ConstraintValidator<?, ?>> T getInstance(Class<T> key) { - try { - return key.newInstance(); + NewInstance<T> newInstance = NewInstance.action( key, "" ); + if ( System.getSecurityManager() != null ) { + return AccessController.doPrivileged( newInstance ); } - catch ( InstantiationException e ) { - throw new ValidationException( "Unable to instanciate " + key, e ); + else { + return newInstance.run(); } - catch ( IllegalAccessException e ) { - throw new ValidationException( "Unable to instanciate " + key, e ); - } - catch ( RuntimeException e ) { - throw new ValidationException( "Unable to instanciate " + key, e ); - } } } Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/resolver/DefaultTraversableResolver.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/resolver/DefaultTraversableResolver.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/engine/resolver/DefaultTraversableResolver.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -1,13 +1,16 @@ package org.hibernate.validation.engine.resolver; import java.lang.annotation.ElementType; +import java.security.AccessController; import javax.validation.Path; import javax.validation.TraversableResolver; +import javax.validation.ValidationException; import org.slf4j.Logger; import org.hibernate.validation.util.LoggerFactory; import org.hibernate.validation.util.ReflectionHelper; +import org.hibernate.validation.util.priviledgedactions.NewInstance; /** * A JPA 2 aware <code>TraversableResolver</code>. @@ -56,10 +59,16 @@ } try { - Class jpaAwareResolverClass = ReflectionHelper.classForName( - JPA_AWARE_TRAVERSABLE_RESOLVER_CLASS_NAME, this.getClass() - ); - jpaTraversableResolver = ( TraversableResolver ) jpaAwareResolverClass.newInstance(); + @SuppressWarnings( "unchecked" ) + Class<? extends TraversableResolver> jpaAwareResolverClass = (Class<? extends TraversableResolver>) + ReflectionHelper.classForName(JPA_AWARE_TRAVERSABLE_RESOLVER_CLASS_NAME, this.getClass() ); + NewInstance<? extends TraversableResolver> newInstance = NewInstance.action( jpaAwareResolverClass, "" ); + if ( System.getSecurityManager() != null ) { + jpaTraversableResolver = AccessController.doPrivileged( newInstance ); + } + else { + jpaTraversableResolver = newInstance.run(); + } log.info( "Instantiated an instance of {}.", JPA_AWARE_TRAVERSABLE_RESOLVER_CLASS_NAME ); @@ -70,18 +79,12 @@ JPA_AWARE_TRAVERSABLE_RESOLVER_CLASS_NAME ); } - catch ( IllegalAccessException e ) { + catch ( ValidationException e ) { log.info( "Unable to instantiate JPA aware resolver {}. All properties will per default be traversable.", JPA_AWARE_TRAVERSABLE_RESOLVER_CLASS_NAME ); } - catch ( InstantiationException e ) { - log.info( - "Unable to instantiate JPA aware resolver {}. All properties will per default be traversable.", - JPA_AWARE_TRAVERSABLE_RESOLVER_CLASS_NAME - ); - } } public boolean isReachable(Object traversableObject, Path.Node traversableProperty, Class<?> rootBeanType, Path pathToTraversableObject, ElementType elementType) { Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintDescriptorImpl.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintDescriptorImpl.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintDescriptorImpl.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -28,6 +28,8 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.security.AccessController; +import java.security.PrivilegedAction; import javax.validation.Constraint; import javax.validation.ConstraintDefinitionException; import javax.validation.ConstraintPayload; @@ -42,6 +44,9 @@ import org.hibernate.validation.util.LoggerFactory; import org.hibernate.validation.util.ReflectionHelper; +import org.hibernate.validation.util.priviledgedactions.GetMethods; +import org.hibernate.validation.util.priviledgedactions.GetMethod; +import org.hibernate.validation.util.priviledgedactions.GetAnnotationParameter; import org.hibernate.validation.util.annotationfactory.AnnotationDescriptor; import org.hibernate.validation.util.annotationfactory.AnnotationFactory; @@ -121,12 +126,13 @@ Class<ConstraintPayload>[] payloadFromAnnotation; try { //TODO be extra safe and make sure this is an array of ConstraintPayload - @SuppressWarnings("unchecked") - Class<ConstraintPayload>[] unsafePayloadFromAnnotation = ( Class<ConstraintPayload>[] ) - ReflectionHelper.getAnnotationParameter( - annotation, PAYLOAD, Class[].class - ); - payloadFromAnnotation = unsafePayloadFromAnnotation; + GetAnnotationParameter<Class[]> action = GetAnnotationParameter.action( annotation, PAYLOAD, Class[].class ); + if (System.getSecurityManager() != null) { + payloadFromAnnotation = AccessController.doPrivileged( action ); + } + else { + payloadFromAnnotation = action.run(); + } } catch ( ValidationException e ) { //ignore people not defining payloads @@ -140,9 +146,14 @@ private Set<Class<?>> buildGroupSet(Class<?> implicitGroup) { Set<Class<?>> groupSet = new HashSet<Class<?>>(); - Class<?>[] groupsFromAnnotation = ReflectionHelper.getAnnotationParameter( - annotation, GROUPS, Class[].class - ); + final Class<?>[] groupsFromAnnotation; + GetAnnotationParameter<Class[]> action = GetAnnotationParameter.action( annotation, GROUPS, Class[].class ); + if (System.getSecurityManager() != null) { + groupsFromAnnotation = AccessController.doPrivileged( action ); + } + else { + groupsFromAnnotation = action.run(); + } if ( groupsFromAnnotation.length == 0 ) { groupSet.add( Default.class ); } @@ -270,7 +281,16 @@ private Map<ClassIndexWrapper, Map<String, Object>> parseOverrideParameters() { Map<ClassIndexWrapper, Map<String, Object>> overrideParameters = new HashMap<ClassIndexWrapper, Map<String, Object>>(); - for ( Method m : annotation.annotationType().getMethods() ) { + final Method[] methods; + final GetMethods getMethods = GetMethods.action( annotation.annotationType() ); + if ( System.getSecurityManager() != null ) { + methods = AccessController.doPrivileged( getMethods ); + } + else { + methods = getMethods.run(); + } + + for ( Method m : methods ) { if ( m.getAnnotation( OverridesAttribute.class ) != null ) { addOverrideAttributes( overrideParameters, m, m.getAnnotation( OverridesAttribute.class ) @@ -306,21 +326,25 @@ } private void ensureAttributeIsOverridable(Method m, OverridesAttribute overridesAttribute) { - try { - Class<?> returnTypeOfOverridenConstraint = overridesAttribute.constraint() - .getMethod( overridesAttribute.name() ) - .getReturnType(); - if ( !returnTypeOfOverridenConstraint.equals( m.getReturnType() ) ) { - String message = "The overiding type of a composite constraint must be identical to the overwridden one. Expected " + returnTypeOfOverridenConstraint - .getName() + " found " + m.getReturnType(); - throw new ConstraintDefinitionException( message ); - } + final GetMethod getMethod = GetMethod.action( overridesAttribute.constraint(), overridesAttribute.name() ); + final Method method; + if ( System.getSecurityManager() != null ) { + method = AccessController.doPrivileged( getMethod ); } - catch ( NoSuchMethodException nsme ) { + else { + method = getMethod.run(); + } + if (method == null) { throw new ConstraintDefinitionException( "Overriden constraint does not define an attribute with name " + overridesAttribute.name() ); } + Class<?> returnTypeOfOverridenConstraint = method.getReturnType(); + if ( !returnTypeOfOverridenConstraint.equals( m.getReturnType() ) ) { + String message = "The overiding type of a composite constraint must be identical to the overwridden one. Expected " + returnTypeOfOverridenConstraint + .getName() + " found " + m.getReturnType(); + throw new ConstraintDefinitionException( message ); + } } private Set<ConstraintDescriptor<?>> parseComposingConstraints() { Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintHelper.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintHelper.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/metadata/ConstraintHelper.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -23,6 +23,7 @@ import java.util.ArrayList; import java.util.List; import java.util.concurrent.ConcurrentHashMap; +import java.security.AccessController; import javax.validation.Constraint; import javax.validation.ConstraintDefinitionException; import javax.validation.ConstraintValidator; @@ -72,6 +73,9 @@ import org.hibernate.validation.constraints.impl.SizeValidatorForMap; import org.hibernate.validation.constraints.impl.SizeValidatorForString; import org.hibernate.validation.util.ReflectionHelper; +import org.hibernate.validation.util.priviledgedactions.GetMethods; +import org.hibernate.validation.util.priviledgedactions.GetMethod; +import org.hibernate.validation.util.priviledgedactions.GetAnnotationParameter; /** * Keeps track of builtin constraints and their validator implementations, as well as already resolved validator definitions. @@ -193,24 +197,30 @@ public boolean isMultiValueConstraint(Annotation annotation) { boolean isMultiValueConstraint = false; try { - Method m = annotation.getClass().getMethod( "value" ); - Class returnType = m.getReturnType(); - if ( returnType.isArray() && returnType.getComponentType().isAnnotation() ) { - Annotation[] annotations = ( Annotation[] ) m.invoke( annotation ); - for ( Annotation a : annotations ) { - if ( isConstraintAnnotation( a ) || isBuiltinConstraint( a.annotationType() ) ) { - isMultiValueConstraint = true; + final GetMethod getMethod = GetMethod.action( annotation.getClass(), "value" ); + final Method method; + if ( System.getSecurityManager() != null ) { + method = AccessController.doPrivileged( getMethod ); + } + else { + method = getMethod.run(); + } + if (method != null) { + Class returnType = method.getReturnType(); + if ( returnType.isArray() && returnType.getComponentType().isAnnotation() ) { + Annotation[] annotations = ( Annotation[] ) method.invoke( annotation ); + for ( Annotation a : annotations ) { + if ( isConstraintAnnotation( a ) || isBuiltinConstraint( a.annotationType() ) ) { + isMultiValueConstraint = true; + } + else { + isMultiValueConstraint = false; + break; + } } - else { - isMultiValueConstraint = false; - break; - } } } } - catch ( NoSuchMethodException nsme ) { - // ignore - } catch ( IllegalAccessException iae ) { // ignore } @@ -232,20 +242,26 @@ public <A extends Annotation> List<Annotation> getMultiValueConstraints(A annotation) { List<Annotation> annotationList = new ArrayList<Annotation>(); try { - Method m = annotation.getClass().getMethod( "value" ); - Class returnType = m.getReturnType(); - if ( returnType.isArray() && returnType.getComponentType().isAnnotation() ) { - Annotation[] annotations = ( Annotation[] ) m.invoke( annotation ); - for ( Annotation a : annotations ) { - if ( isConstraintAnnotation( a ) || isBuiltinConstraint( a.annotationType() ) ) { - annotationList.add( a ); + final GetMethod getMethod = GetMethod.action( annotation.getClass(), "value" ); + final Method method; + if ( System.getSecurityManager() != null ) { + method = AccessController.doPrivileged( getMethod ); + } + else { + method = getMethod.run(); + } + if (method != null) { + Class returnType = method.getReturnType(); + if ( returnType.isArray() && returnType.getComponentType().isAnnotation() ) { + Annotation[] annotations = ( Annotation[] ) method.invoke( annotation ); + for ( Annotation a : annotations ) { + if ( isConstraintAnnotation( a ) || isBuiltinConstraint( a.annotationType() ) ) { + annotationList.add( a ); + } } } } } - catch ( NoSuchMethodException nsme ) { - // ignore - } catch ( IllegalAccessException iae ) { // ignore } @@ -287,7 +303,14 @@ } private void assertNoParameterStartsWithValid(Annotation annotation) { - Method[] methods = annotation.getClass().getMethods(); + final Method[] methods; + final GetMethods getMethods = GetMethods.action( annotation.annotationType() ); + if ( System.getSecurityManager() != null ) { + methods = AccessController.doPrivileged( getMethods ); + } + else { + methods = getMethods.run(); + } for ( Method m : methods ) { if ( m.getName().startsWith( "valid" ) ) { String msg = "Parameters starting with 'valid' are not allowed in a constraint."; @@ -298,9 +321,20 @@ private void assertPayloadParameterExists(Annotation annotation) { try { - Class<?>[] defaultPayload = ( Class<?>[] ) annotation.annotationType() - .getMethod( "payload" ) - .getDefaultValue(); + final GetMethod getMethod = GetMethod.action( annotation.annotationType(), "payload" ); + final Method method; + if ( System.getSecurityManager() != null ) { + method = AccessController.doPrivileged( getMethod ); + } + else { + method = getMethod.run(); + } + if (method == null) { + String msg = annotation.annotationType().getName() + " contains Constraint annotation, but does " + + "not contain a payload parameter."; + throw new ConstraintDefinitionException( msg ); + } + Class<?>[] defaultPayload = ( Class<?>[] ) method.getDefaultValue(); if ( defaultPayload.length != 0 ) { String msg = annotation.annotationType() .getName() + " contains Constraint annotation, but the payload " + @@ -313,18 +347,24 @@ "payload parameter is of wrong type."; throw new ConstraintDefinitionException( msg ); } - catch ( NoSuchMethodException nsme ) { - String msg = annotation.annotationType().getName() + " contains Constraint annotation, but does " + - "not contain a payload parameter."; - throw new ConstraintDefinitionException( msg ); - } } private void assertGroupsParameterExists(Annotation annotation) { try { - Class<?>[] defaultGroups = ( Class<?>[] ) annotation.annotationType() - .getMethod( "groups" ) - .getDefaultValue(); + final GetMethod getMethod = GetMethod.action( annotation.annotationType(), "groups" ); + final Method method; + if ( System.getSecurityManager() != null ) { + method = AccessController.doPrivileged( getMethod ); + } + else { + method = getMethod.run(); + } + if (method == null) { + String msg = annotation.annotationType().getName() + " contains Constraint annotation, but does " + + "not contain a groups parameter."; + throw new ConstraintDefinitionException( msg ); + } + Class<?>[] defaultGroups = ( Class<?>[] ) method.getDefaultValue(); if ( defaultGroups.length != 0 ) { String msg = annotation.annotationType() .getName() + " contains Constraint annotation, but the groups " + @@ -337,16 +377,17 @@ "groups parameter is of wrong type."; throw new ConstraintDefinitionException( msg ); } - catch ( NoSuchMethodException nsme ) { - String msg = annotation.annotationType().getName() + " contains Constraint annotation, but does " + - "not contain a groups parameter."; - throw new ConstraintDefinitionException( msg ); - } } private void assertMessageParameterExists(Annotation annotation) { try { - ReflectionHelper.getAnnotationParameter( annotation, "message", String.class ); + GetAnnotationParameter<?> action = GetAnnotationParameter.action( annotation, "message", String.class ); + if (System.getSecurityManager() != null) { + AccessController.doPrivileged( action ); + } + else { + action.run(); + } } catch ( Exception e ) { String msg = annotation.annotationType().getName() + " contains Constraint annotation, but does " + Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/ReflectionHelper.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/ReflectionHelper.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/ReflectionHelper.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -50,6 +50,7 @@ private ReflectionHelper() { } + //run client in priviledge block @SuppressWarnings("unchecked") public static <T> T getAnnotationParameter(Annotation annotation, String parameterName, Class<T> type) { try { @@ -355,19 +356,6 @@ } /** - * Checks whether the specified class contains a field or property matching the given name. - * - * @param clazz The class to check. - * @param property The property name. - * - * @return Returns <code>true</code> if the cass contains a field or member for the specified property, <code> - * false</code> otherwise. - */ - public static boolean containsMember(Class<?> clazz, String property) { - return containsField( clazz, property ) || containsMethod( clazz, property ); - } - - /** * Checks whether the specified class contains a field matching the specified name. * * @param clazz The class to check. Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/annotationfactory/AnnotationFactory.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/annotationfactory/AnnotationFactory.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/annotationfactory/AnnotationFactory.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -22,8 +22,11 @@ import java.lang.reflect.InvocationHandler; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Proxy; +import java.security.AccessController; +import org.hibernate.validation.util.priviledgedactions.GetConstructor; + /** * Creates live annotations (actually <code>AnnotationProxies</code>) from <code>AnnotationDescriptors</code>. * @@ -53,7 +56,14 @@ private static <T extends Annotation> T getProxyInstance(Class<T> proxyClass, InvocationHandler handler) throws SecurityException, NoSuchMethodException, IllegalArgumentException, InstantiationException, IllegalAccessException, InvocationTargetException { - Constructor<T> constructor = proxyClass.getConstructor( new Class[]{InvocationHandler.class} ); + GetConstructor<T> action = GetConstructor.action( proxyClass, InvocationHandler.class ); + final Constructor<T> constructor; + if ( System.getSecurityManager() != null ) { + constructor = AccessController.doPrivileged( action ); + } + else { + constructor = action.run(); + } return constructor.newInstance( new Object[]{handler} ); } } Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/ContainsMethod.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/ContainsMethod.java (rev 0) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/ContainsMethod.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -0,0 +1,27 @@ +package org.hibernate.validation.util.priviledgedactions; + +import java.lang.reflect.Method; +import java.security.PrivilegedAction; + +import org.hibernate.validation.util.ReflectionHelper; + +/** + * @author Emmanuel Bernard + */ +public class ContainsMethod implements PrivilegedAction<Boolean> { + private final Class<?> clazz; + private final String property; + + public static ContainsMethod action(Class<?> clazz, String property) { + return new ContainsMethod( clazz, property ); + } + + private ContainsMethod(Class<?> clazz, String property) { + this.clazz = clazz; + this.property = property; + } + + public Boolean run() { + return ReflectionHelper.containsMethod( clazz, property ); + } +} \ No newline at end of file Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetAnnotationParameter.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetAnnotationParameter.java (rev 0) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetAnnotationParameter.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -0,0 +1,31 @@ +package org.hibernate.validation.util.priviledgedactions; + +import java.lang.reflect.Method; +import java.lang.annotation.Annotation; +import java.security.PrivilegedAction; + +import org.hibernate.validation.util.ReflectionHelper; + +/** + * @author Emmanuel Bernard + */ +public class GetAnnotationParameter<T> implements PrivilegedAction<T> { + private final Annotation annotation; + private final String parameterName; + private final Class<T> type; + + + public static <T> GetAnnotationParameter<T> action(Annotation annotation, String parameterName, Class<T> type) { + return new GetAnnotationParameter<T>( annotation, parameterName, type ); + } + + private GetAnnotationParameter(Annotation annotation, String parameterName, Class<T> type) { + this.annotation = annotation; + this.parameterName = parameterName; + this.type = type; + } + + public T run() { + return ReflectionHelper.getAnnotationParameter( annotation, parameterName, type ); + } +} Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetConstructor.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetConstructor.java (rev 0) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetConstructor.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -0,0 +1,31 @@ +package org.hibernate.validation.util.priviledgedactions; + +import java.lang.reflect.Method; +import java.lang.reflect.Constructor; +import java.security.PrivilegedAction; + +/** + * @author Emmanuel Bernard + */ +public class GetConstructor<T> implements PrivilegedAction<Constructor<T>> { + private final Class<T> clazz; + private final Class<?>[] params; + + public static <T> GetConstructor<T> action(Class<T> clazz, Class<?>... params) { + return new GetConstructor<T>( clazz, params ); + } + + private GetConstructor(Class<T> clazz, Class<?>... params) { + this.clazz = clazz; + this.params = params; + } + + public Constructor<T> run() { + try { + return clazz.getConstructor(params); + } + catch ( NoSuchMethodException e ) { + return null; + } + } +} \ No newline at end of file Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethod.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethod.java (rev 0) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethod.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -0,0 +1,30 @@ +package org.hibernate.validation.util.priviledgedactions; + +import java.lang.reflect.Method; +import java.security.PrivilegedAction; + +/** + * @author Emmanuel Bernard + */ +public class GetMethod implements PrivilegedAction<Method> { + private final Class<?> clazz; + private final String methodName; + + public static GetMethod action(Class<?> clazz, String methodName) { + return new GetMethod( clazz, methodName ); + } + + private GetMethod(Class<?> clazz, String methodName) { + this.clazz = clazz; + this.methodName = methodName; + } + + public Method run() { + try { + return clazz.getMethod(methodName); + } + catch ( NoSuchMethodException e ) { + return null; + } + } +} Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethodFromPropertyName.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethodFromPropertyName.java (rev 0) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethodFromPropertyName.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -0,0 +1,27 @@ +package org.hibernate.validation.util.priviledgedactions; + +import java.lang.reflect.Method; +import java.security.PrivilegedAction; + +import org.hibernate.validation.util.ReflectionHelper; + +/** + * @author Emmanuel Bernard + */ +public class GetMethodFromPropertyName implements PrivilegedAction<Method> { + private final Class<?> clazz; + private final String property; + + public static GetMethodFromPropertyName action(Class<?> clazz, String property) { + return new GetMethodFromPropertyName( clazz, property ); + } + + private GetMethodFromPropertyName(Class<?> clazz, String property) { + this.clazz = clazz; + this.property = property; + } + + public Method run() { + return ReflectionHelper.getMethod( clazz, property ); + } +} \ No newline at end of file Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethods.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethods.java (rev 0) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/GetMethods.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -0,0 +1,23 @@ +package org.hibernate.validation.util.priviledgedactions; + +import java.security.PrivilegedAction; +import java.lang.reflect.Method; + +/** + * @author Emmanuel Bernard + */ +public class GetMethods implements PrivilegedAction<Method[]> { + private final Class<?> clazz; + + public static GetMethods action(Class<?> clazz) { + return new GetMethods( clazz ); + } + + private GetMethods(Class<?> clazz) { + this.clazz = clazz; + } + + public Method[] run() { + return clazz.getMethods(); + } +} Added: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/NewInstance.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/NewInstance.java (rev 0) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/util/priviledgedactions/NewInstance.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -0,0 +1,37 @@ +package org.hibernate.validation.util.priviledgedactions; + +import java.lang.reflect.Method; +import java.security.PrivilegedAction; +import javax.validation.ValidationException; + +/** + * @author Emmanuel Bernard + */ +public class NewInstance<T> implements PrivilegedAction<T> { + private final Class<T> clazz; + private final String message; + + public static <T> NewInstance<T> action(Class<T> clazz, String message) { + return new NewInstance<T>( clazz, message ); + } + + private NewInstance(Class<T> clazz, String message) { + this.clazz = clazz; + this.message = message; + } + + public T run() { + try { + return clazz.newInstance(); + } + catch ( InstantiationException e ) { + throw new ValidationException( "Unable to instanciate " + message + ": " + clazz, e ); + } + catch ( IllegalAccessException e ) { + throw new ValidationException( "Unable to instanciate " + clazz, e ); + } + catch ( RuntimeException e ) { + throw new ValidationException( "Unable to instanciate " + clazz, e ); + } + } +} Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/ValidationXmlParser.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/ValidationXmlParser.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/ValidationXmlParser.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -19,6 +19,7 @@ import java.io.InputStream; import java.net.URL; +import java.security.AccessController; import javax.validation.ConstraintValidatorFactory; import javax.validation.MessageInterpolator; import javax.validation.TraversableResolver; @@ -37,6 +38,7 @@ import org.hibernate.validation.util.LoggerFactory; import org.hibernate.validation.util.ReflectionHelper; +import org.hibernate.validation.util.priviledgedactions.NewInstance; import org.hibernate.validation.xml.PropertyType; import org.hibernate.validation.xml.ValidationConfigType; @@ -80,7 +82,13 @@ Class<ConstraintValidatorFactory> clazz = ( Class<ConstraintValidatorFactory> ) ReflectionHelper.classForName( constraintFactoryClass, this.getClass() ); - xmlParameters.constraintValidatorFactory = clazz.newInstance(); + NewInstance<ConstraintValidatorFactory> newInstance = NewInstance.action( clazz, "constraint factory class" ); + if ( System.getSecurityManager() != null ) { + xmlParameters.constraintValidatorFactory = AccessController.doPrivileged( newInstance ); + } + else { + xmlParameters.constraintValidatorFactory = newInstance.run(); + } log.info( "Using {} as constraint factory.", constraintFactoryClass ); } catch ( ClassNotFoundException e ) { @@ -88,16 +96,6 @@ "Unable to instantiate constraint factory class " + constraintFactoryClass + ".", e ); } - catch ( InstantiationException e ) { - throw new ValidationException( - "Unable to instantiate constraint factory class " + constraintFactoryClass + ".", e - ); - } - catch ( IllegalAccessException e ) { - throw new ValidationException( - "Unable to instantiate constraint factory class " + constraintFactoryClass + ".", e - ); - } } } Modified: validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/XmlMappingParser.java =================================================================== --- validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/XmlMappingParser.java 2009-08-11 00:53:08 UTC (rev 17260) +++ validator/trunk/hibernate-validator/src/main/java/org/hibernate/validation/xml/XmlMappingParser.java 2009-08-11 01:01:18 UTC (rev 17261) @@ -33,6 +33,7 @@ import java.util.List; import java.util.Map; import java.util.Set; +import java.security.AccessController; import javax.validation.Constraint; import javax.validation.ConstraintValidator; import javax.validation.ValidationException; @@ -53,6 +54,9 @@ import org.hibernate.validation.metadata.AnnotationIgnores; import org.hibernate.validation.util.LoggerFactory; import org.hibernate.validation.util.ReflectionHelper; +import org.hibernate.validation.util.priviledgedactions.GetMethodFromPropertyName; +import org.hibernate.validation.util.priviledgedactions.ContainsMethod; +import org.hibernate.validation.util.priviledgedactions.GetMethod; import org.hibernate.validation.util.annotationfactory.AnnotationDescriptor; import org.hibernate.validation.util.annotationfactory.AnnotationFactory; import org.hibernate.validation.xml.AnnotationType; @@ -267,10 +271,25 @@ private void parsePropertyLevelOverrides(List<GetterType> getters, Class<?> beanClass, String defaultPackage) { for ( GetterType getterType : getters ) { String getterName = getterType.getName(); - if ( !ReflectionHelper.containsMethod( beanClass, getterName ) ) { + ContainsMethod cmAction = ContainsMethod.action( beanClass, getterName ); + boolean containsMethod; + if ( System.getSecurityManager() != null ) { + containsMethod = AccessController.doPrivileged( cmAction ); + } + else { + containsMethod = cmAction.run(); + } + if ( !containsMethod ) { throw new ValidationException( beanClass.getName() + " does not contain the property " + getterName ); } - Method method = ReflectionHelper.getMethod( beanClass, getterName ); + final Method method; + GetMethodFromPropertyName action = GetMethodFromPropertyName.action( beanClass, getterName ); + if ( System.getSecurityManager() != null ) { + method = AccessController.doPrivileged( action ); + } + else { + method = action.run(); + } // ignore annotations boolean ignoreGetterAnnotation = getterType.isIgnoreAnnotations() == null ? false : getterType.isIgnoreAnnotations(); @@ -383,10 +402,15 @@ private <A extends Annotation> Class<?> getAnnotationParamterType(Class<A> annotationClass, String name) { Method m; - try { - m = annotationClass.getMethod( name ); + GetMethod action = GetMethod.action( annotationClass, name ); + if ( System.getSecurityManager() != null ) { + m = AccessController.doPrivileged( action ); } - catch ( NoSuchMethodException e ) { + else { + m = action.run(); + } + + if ( m == null ) { throw new ValidationException( "Annotation of type " + annotationClass.getName() + " does not contain a paramter " + name + "." ); } return m.getReturnType();