Currently we wrap all reflection calls in PrivilegedAction. This way Validators need the following grants in the policy file:
However, this also means that a user might now use ReflectionHelper to execute reflection calls which would otherwise not be allowed. To prevent this we need a Validator-specific permission type. Something like this:
    class ReflectionHelper {
        public static Field getDeclaredField(Class<?> clazz, String fieldName) {
            SecurityManager securityManager = System.getSecurityManager();
            if ( securityManager != null ) {
                securityManager.checkPermission( HibernateValidatorInternalPermission.INSTANCE );
            }
            ...
        }
    }
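A fuller version of the sketch above, as an added example rather than Hibernate Validator's own code: the permission check runs against the whole call stack before the privileged block is entered, so a caller without the grant cannot borrow the helper's reflection rights. The body of HibernateValidatorInternalPermission, its target name "accessInternalReflection" and the main method are assumptions made for illustration.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

// Hypothetical permission type; only the class name and INSTANCE come from the issue.
// In a real code base this would be a public class in its own file, with this
// public (String) constructor, so that a policy file entry can instantiate it.
final class HibernateValidatorInternalPermission extends BasicPermission {
    static final String NAME = "accessInternalReflection"; // assumed target name
    static final HibernateValidatorInternalPermission INSTANCE =
            new HibernateValidatorInternalPermission(NAME);

    public HibernateValidatorInternalPermission(String name) {
        super(name);
    }
}

final class ReflectionHelper {
    private ReflectionHelper() {
    }

    public static Field getDeclaredField(final Class<?> clazz, final String fieldName) {
        // Step 1: checked outside doPrivileged, so every frame on the stack,
        // including the untrusted caller, must hold the permission.
        // (SecurityManager is deprecated for removal since Java 17.)
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(HibernateValidatorInternalPermission.INSTANCE);
        }
        // Step 2: only now assert the helper's own privileges for the reflection call.
        // The cast selects the PrivilegedAction overload for the lambda.
        return AccessController.doPrivileged((PrivilegedAction<Field>) () -> {
            try {
                return clazz.getDeclaredField(fieldName);
            } catch (NoSuchFieldException e) {
                return null; // field not declared on this class
            }
        });
    }

    public static void main(String[] args) {
        // Constructed sample call: look up a private field of a JDK class.
        System.out.println(getDeclaredField(String.class, "value"));
    }
}
```

If the check were placed inside the privileged block instead, the stack walk would stop at the helper's own frame and the caller's missing grant would never be seen.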