[Hibernate-JIRA] Created: (HV-171) JSR-303 must specify how to run in environments that use a SecurityManager
8:32 p.m.
JSR-303 must specify how to run in environments that use a SecurityManager
--------------------------------------------------------------------------
Key: HV-171
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
Project: Hibernate Validator
Issue Type: Improvement
Components: documentation
Affects Versions: 4.0.0.Beta1
Environment: Glassfish V3 with Security Manager Enabled
Reporter: Ed Burns
When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with
a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple
validator code such as:
Set<ConstraintViolation<Person>> violations =
beanValidator.validate(person);
Will cause an AccessControlException, as shown in the following stack trace:
[#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]:
PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission
suppressAccessChecks)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
at
org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
at org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
at
org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
at org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
at
org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
at
org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:637)
Some remedies include:
1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do
to enable JSR-303 to work without throwing security related exceptions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:38 p.m.
New subject: [Hibernate-JIRA] Updated: (HV-171) JSR-303 must specify how to run in environments that use a SecurityManager
[
http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com...
]
Ed Burns updated HV-171:
------------------------
Attachment: message.txt
the domain.xml given to Ed Burns by Ron Monzillo that turns on better logging of security
related exceptions.
Running the SimpleBVServlet on GlassfishV3 with SecurityManager enabled, and with this
domain.xml in place, will show what kinds of grant statements need to be added to the
server.policy file to enable JSR-303 to work without security exceptions being thrown.
The process of discovering what kind of grant statements will likely be iterative, with
each iteration looking like
1. run the BV servlet test
2. study the log to see what kinds of grant statements are needed
3. add the grants to the server.policy
Once the grant statements are decided, then we need to craft some common code that all
callers who wish to use JSR-303 within a SecurityManager enabled container must place
around their calls to whatever JSR-303 calls need the security. This will likely be
couched in a AccessController.doPrivledged() call.
JSR-303 must specify how to run in environments that use a
SecurityManager
--------------------------------------------------------------------------
Key: HV-171
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
Project: Hibernate Validator
Issue Type: Improvement
Components: documentation
Affects Versions: 4.0.0.Beta1
Environment: Glassfish V3 with Security Manager Enabled
Reporter: Ed Burns
Attachments: message.txt
When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with
a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple
validator code such as:
Set<ConstraintViolation<Person>> violations =
beanValidator.validate(person);
Will cause an AccessControlException, as shown in the following stack trace:
[#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]:
PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission
suppressAccessChecks)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
at
org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
at
org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
at
org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
at
org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
at
org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:637)
Some remedies include:
1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do
to enable JSR-303 to work without throwing security related exceptions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:44 p.m.
New subject: [Hibernate-JIRA] Commented: (HV-171) JSR-303 must specify how to run in environments that use a SecurityManager
[
http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com...
]
Emmanuel Bernard commented on HV-171:
-------------------------------------
I don't think this should be mentioned in the spec. For example, JPA does not mention
security managers.
In a way, how a Bean Validation provider / persistence provider access properties is
implementation specific.
In the case of Hibernate Validator, one has to accept org.hibernate.validation and sub
packages to use reflection (just like Hibernate Core needs it BTW).
We could mention it in the HV documentation though. I leave the bug open for that reason.
JSR-303 must specify how to run in environments that use a
SecurityManager
--------------------------------------------------------------------------
Key: HV-171
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
Project: Hibernate Validator
Issue Type: Improvement
Components: documentation
Affects Versions: 4.0.0.Beta1
Environment: Glassfish V3 with Security Manager Enabled
Reporter: Ed Burns
Attachments: message.txt
When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with
a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple
validator code such as:
Set<ConstraintViolation<Person>> violations =
beanValidator.validate(person);
Will cause an AccessControlException, as shown in the following stack trace:
[#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]:
PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission
suppressAccessChecks)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
at
org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
at
org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
at
org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
at
org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
at
org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:637)
Some remedies include:
1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do
to enable JSR-303 to work without throwing security related exceptions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:30 p.m.
New subject: [Hibernate-JIRA] Updated: (HV-171) Hibernate Validator must specify how to run in environments that use a SecurityManager
[
http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com...
]
Emmanuel Bernard updated HV-171:
--------------------------------
Summary: Hibernate Validator must specify how to run in environments that use a
SecurityManager (was: JSR-303 must specify how to run in environments that use a
SecurityManager)
Hibernate Validator must specify how to run in environments that use
a SecurityManager
--------------------------------------------------------------------------------------
Key: HV-171
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
Project: Hibernate Validator
Issue Type: Improvement
Components: documentation
Affects Versions: 4.0.0.Beta1
Environment: Glassfish V3 with Security Manager Enabled
Reporter: Ed Burns
Attachments: message.txt
When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with
a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple
validator code such as:
Set<ConstraintViolation<Person>> violations =
beanValidator.validate(person);
Will cause an AccessControlException, as shown in the following stack trace:
[#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]:
PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission
suppressAccessChecks)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
at
org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
at
org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
at
org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
at
org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
at
org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:637)
Some remedies include:
1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do
to enable JSR-303 to work without throwing security related exceptions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:14 p.m.
New subject: [Hibernate-JIRA] Resolved: (HV-171) Hibernate Validator must specify how to run in environments that use a SecurityManager
[
http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com...
]
Emmanuel Bernard resolved HV-171.
---------------------------------
Resolution: Fixed
Fix Version/s: 4.0.0.CR1
Hibernate Validator must specify how to run in environments that use
a SecurityManager
--------------------------------------------------------------------------------------
Key: HV-171
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
Project: Hibernate Validator
Issue Type: Improvement
Components: documentation
Affects Versions: 4.0.0.Beta1
Environment: Glassfish V3 with Security Manager Enabled
Reporter: Ed Burns
Fix For: 4.0.0.CR1
Attachments: message.txt
When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with
a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple
validator code such as:
Set<ConstraintViolation<Person>> violations =
beanValidator.validate(person);
Will cause an AccessControlException, as shown in the following stack trace:
[#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]:
PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission
suppressAccessChecks)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
at
org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
at
org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
at
org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
at
org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
at
org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:637)
Some remedies include:
1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do
to enable JSR-303 to work without throwing security related exceptions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
2:50 a.m.
New subject: [Hibernate-JIRA] Commented: (HV-171) Hibernate Validator must specify how to run in environments that use a SecurityManager
[
http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com...
]
Ed Burns commented on HV-171:
-----------------------------
Earlier in the process you stated that you don't think the SecurityManager
consideration should be mentioned in the spec. Do you still feel that way, or do you want
to put it in there and raise the security of the industry as a whole?
Hibernate Validator must specify how to run in environments that use
a SecurityManager
--------------------------------------------------------------------------------------
Key: HV-171
URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
Project: Hibernate Validator
Issue Type: Improvement
Components: documentation
Affects Versions: 4.0.0.Beta1
Environment: Glassfish V3 with Security Manager Enabled
Reporter: Ed Burns
Fix For: 4.0.0.Beta3
Attachments: message.txt
When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with
a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple
validator code such as:
Set<ConstraintViolation<Person>> violations =
beanValidator.validate(person);
Will cause an AccessControlException, as shown in the following stack trace:
[#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]:
PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission
suppressAccessChecks)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
at
org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
at
org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
at
org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
at
org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
at
org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
at
org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
at
org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
at
com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
at
com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
at
com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:637)
Some remedies include:
1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do
to enable JSR-303 to work without throwing security related exceptions.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators....
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5436
days inactive
5491
days old
hibernate-issues@lists.jboss.org
5 comments
2 participants
participants (2)
-
Ed Burns (JIRA) -
Emmanuel Bernard (JIRA)