[hibernate-issues] [Hibernate-JIRA] Commented: (HV-171) Hibernate Validator must specify how to run in environments that use a SecurityManager

Ed Burns (JIRA) noreply at atlassian.com
Wed Aug 12 20:50:12 EDT 2009 

    [ http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33750#action_33750 ] 

Ed Burns commented on HV-171:
-----------------------------

Earlier in the process you stated that you don't think the SecurityManager consideration should be mentioned in the spec.  Do you still feel that way, or do you want to put it in there and raise the security of the industry as a whole?

> Hibernate Validator must specify how to run in environments that use a SecurityManager
> --------------------------------------------------------------------------------------
>
>                 Key: HV-171
>                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
>             Project: Hibernate Validator
>          Issue Type: Improvement
>          Components: documentation
>    Affects Versions: 4.0.0.Beta1
>         Environment: Glassfish V3 with Security Manager Enabled
>            Reporter: Ed Burns
>             Fix For: 4.0.0.Beta3
>
>         Attachments: message.txt
>
>
> When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple validator code such as:
>         Set<ConstraintViolation<Person>> violations = 
>             beanValidator.validate(person);
> Will cause an AccessControlException, as shown in the following stack trace:
>  [#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
> java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> 	at java.security.AccessController.checkPermission(AccessController.java:546)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> 	at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
> 	at org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
> 	at org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
> 	at org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
> 	at org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
> 	at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
> 	at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> 	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
> 	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
> 	at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
> 	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
> 	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
> 	at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
> 	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
> 	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
> 	at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
> 	at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
> 	at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
> 	at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
> 	at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
> 	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
> 	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
> 	at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
> 	at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
> 	at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
> 	at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> 	at java.lang.Thread.run(Thread.java:637)
> Some remedies include:
> 1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
> 2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do to enable JSR-303 to work without throwing security related exceptions.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the hibernate-issues mailing list