[hibernate-issues] [Hibernate-JIRA] Resolved: (HV-171) Hibernate Validator must specify how to run in environments that use a SecurityManager

Emmanuel Bernard (JIRA) noreply at atlassian.com
Tue Aug 11 17:14:13 EDT 2009 

     [ http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Bernard resolved HV-171.
---------------------------------

       Resolution: Fixed
    Fix Version/s: 4.0.0.CR1

> Hibernate Validator must specify how to run in environments that use a SecurityManager
> --------------------------------------------------------------------------------------
>
>                 Key: HV-171
>                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
>             Project: Hibernate Validator
>          Issue Type: Improvement
>          Components: documentation
>    Affects Versions: 4.0.0.Beta1
>         Environment: Glassfish V3 with Security Manager Enabled
>            Reporter: Ed Burns
>             Fix For: 4.0.0.CR1
>
>         Attachments: message.txt
>
>
> When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple validator code such as:
>         Set<ConstraintViolation<Person>> violations = 
>             beanValidator.validate(person);
> Will cause an AccessControlException, as shown in the following stack trace:
>  [#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
> java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> 	at java.security.AccessController.checkPermission(AccessController.java:546)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> 	at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
> 	at org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
> 	at org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
> 	at org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
> 	at org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
> 	at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
> 	at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> 	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
> 	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
> 	at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
> 	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
> 	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
> 	at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
> 	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
> 	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
> 	at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
> 	at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
> 	at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
> 	at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
> 	at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
> 	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
> 	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
> 	at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
> 	at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
> 	at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
> 	at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> 	at java.lang.Thread.run(Thread.java:637)
> Some remedies include:
> 1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
> 2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do to enable JSR-303 to work without throwing security related exceptions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the hibernate-issues mailing list