[hibernate-issues] [Hibernate-JIRA] Commented: (HV-171) JSR-303 must specify how to run in environments that use a SecurityManager

Emmanuel Bernard (JIRA) noreply at atlassian.com
Mon Jun 29 08:44:15 EDT 2009


    [ http://opensource.atlassian.com/projects/hibernate/browse/HV-171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33490#action_33490 ] 

Emmanuel Bernard commented on HV-171:
-------------------------------------

I don't think this should be mentioned in the spec. For example, JPA does not mention security managers.
In a way, how a Bean Validation provider / persistence provider accesses properties is implementation-specific.
In the case of Hibernate Validator, one has to accept org.hibernate.validation and subpackages to use reflection (just like Hibernate Core needs it BTW).

We could mention it in the HV documentation though. I leave the bug open for that reason.

> JSR-303 must specify how to run in environments that use a SecurityManager
> --------------------------------------------------------------------------
>
>                 Key: HV-171
>                 URL: http://opensource.atlassian.com/projects/hibernate/browse/HV-171
>             Project: Hibernate Validator
>          Issue Type: Improvement
>          Components: documentation
>    Affects Versions: 4.0.0.Beta1
>         Environment: Glassfish V3 with Security Manager Enabled
>            Reporter: Ed Burns
>         Attachments: message.txt
>
>
> When running the JSR-303 Impl that is Hibernate Validator 4.0.0.Beta1 on a container with a SecurityManager, such as Glassfishv3 with the SecurityManager enabled, calling simple validator code such as:
>         Set<ConstraintViolation<Person>> violations = 
>             beanValidator.validate(person);
> Will cause an AccessControlException, as shown in the following stack trace:
>  [#|2009-06-19T11:22:20.347-0400|SEVERE|glassfish|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=17;_ThreadName=Thread-1;|StandardWrapperValve[SimpleBVServlet]: PWC1406: Servlet.service() for servlet SimpleBVServlet threw exception
> java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> 	at java.security.AccessController.checkPermission(AccessController.java:546)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> 	at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
> 	at org.hibernate.validation.util.ReflectionHelper.setAccessibility(ReflectionHelper.java:195)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.initFieldConstraints(BeanMetaDataImpl.java:233)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.initClass(BeanMetaDataImpl.java:207)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.createMetaData(BeanMetaDataImpl.java:179)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:106)
> 	at org.hibernate.validation.engine.BeanMetaDataImpl.<init>(BeanMetaDataImpl.java:96)
> 	at org.hibernate.validation.engine.ValidatorImpl.getBeanMetaData(ValidatorImpl.java:559)
> 	at org.hibernate.validation.engine.ValidatorImpl.validateConstraints(ValidatorImpl.java:225)
> 	at org.hibernate.validation.engine.ValidatorImpl.validateInContext(ValidatorImpl.java:189)
> 	at org.hibernate.validation.engine.ValidatorImpl.validate(ValidatorImpl.java:110)
> 	at simple_bv_servlet.SimpleBVServlet.doGet(SimpleBVServlet.java:76)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:734)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> 	at java.lang.reflect.Method.invoke(Method.java:597)
> 	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:319)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> 	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:352)
> 	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:209)
> 	at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1499)
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:293)
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:187)
> 	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
> 	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
> 	at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
> 	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:353)
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:249)
> 	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:147)
> 	at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:746)
> 	at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:655)
> 	at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:905)
> 	at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:161)
> 	at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:136)
> 	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:103)
> 	at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:89)
> 	at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
> 	at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
> 	at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
> 	at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
> 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
> 	at java.lang.Thread.run(Thread.java:637)
> Some remedies include:
> 1. Explicitly accounting for SecurityManager considerations in the JSR-303 Java API
> 2. Mentioning in the spec prose what a caller that wishes to use SecurityManager must do to enable JSR-303 to work without throwing security-related exceptions.

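Added example, not part of the original message and not Hibernate Validator's code: a SecurityManager permission check considers every protection domain on the call stack, so a grant scoped to the library jar only takes effect when the library makes the reflective call inside `doPrivileged`. The class name, method name, sample bean and the policy `codeBase` path are assumptions made for illustration.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Added example; class and method names are hypothetical.
// Assumed policy grant for the library jar only (codeBase is a placeholder):
//   grant codeBase "file:/path/to/validator-library.jar" {
//     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
//     permission java.lang.RuntimePermission "accessDeclaredMembers";
//   };
public final class PrivilegedFieldAccess {
    private PrivilegedFieldAccess() {}

    // Package-private on purpose: a public version would let any caller borrow
    // this jar's reflection permission for arbitrary classes.
    static Field accessibleField(final Class<?> type, final String name)
            throws NoSuchFieldException {
        try {
            // doPrivileged stops the permission check at this frame, so the
            // calling servlet's protection domain is not consulted.
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Field>() {
                @Override
                public Field run() throws NoSuchFieldException {
                    Field field = type.getDeclaredField(name);
                    field.setAccessible(true);
                    return field;
                }
            });
        } catch (PrivilegedActionException e) {
            // run() declares only NoSuchFieldException, so the cast is safe.
            throw (NoSuchFieldException) e.getException();
        }
    }

    // Constructed sample bean standing in for the Person from the report.
    static final class Person {
        private final String name = "constructed-sample";
    }

    public static void main(String[] args) throws Exception {
        Field field = accessibleField(Person.class, "name");
        System.out.println(field.get(new Person()));
    }
}
```

Without the `doPrivileged` wrapper, the same grant would also have to be given to the web application's own code, which widens `suppressAccessChecks` to everything the application loads.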