HHH-12542 - Add necessary privileged action blocks for SecurityManager used on WildFly.

This commit is contained in:
Chris Cranford 2018-07-11 13:01:51 -04:00 committed by Guillaume Smet
parent 8df12b7d0a
commit 15a59a1a19
9 changed files with 331 additions and 154 deletions

View File

@ -12,6 +12,8 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Properties;
import org.hibernate.boot.cfgxml.spi.LoadedConfig;
@ -48,27 +50,34 @@ public class ConfigLoader {
}
public LoadedConfig loadConfigXmlResource(String cfgXmlResourceName) {
final InputStream stream = bootstrapServiceRegistry.getService( ClassLoaderService.class ).locateResourceStream( cfgXmlResourceName );
if ( stream == null ) {
throw new ConfigurationException( "Could not locate cfg.xml resource [" + cfgXmlResourceName + "]" );
}
final PrivilegedAction<JaxbCfgHibernateConfiguration> action = new PrivilegedAction<JaxbCfgHibernateConfiguration>() {
@Override
public JaxbCfgHibernateConfiguration run() {
final InputStream stream = bootstrapServiceRegistry.getService( ClassLoaderService.class ).locateResourceStream( cfgXmlResourceName );
if ( stream == null ) {
throw new ConfigurationException( "Could not locate cfg.xml resource [" + cfgXmlResourceName + "]" );
}
try {
final JaxbCfgHibernateConfiguration jaxbCfg = jaxbProcessorHolder.getValue().unmarshal(
stream,
new Origin( SourceType.RESOURCE, cfgXmlResourceName )
);
try {
return jaxbProcessorHolder.getValue().unmarshal(
stream,
new Origin( SourceType.RESOURCE, cfgXmlResourceName )
);
}
finally {
try {
stream.close();
}
catch ( IOException e ) {
log.debug( "Unable to close cfg.xml resource stream", e );
}
}
}
};
return LoadedConfig.consume( jaxbCfg );
}
finally {
try {
stream.close();
}
catch (IOException e) {
log.debug( "Unable to close cfg.xml resource stream", e );
}
}
return LoadedConfig.consume(
System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run()
);
}
public LoadedConfig loadConfigXmlFile(File cfgXmlFile) {

View File

@ -7,6 +7,9 @@
package org.hibernate.boot.jaxb.internal;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
@ -98,8 +101,15 @@ public abstract class AbstractBinder implements Binder {
private Binding doBind(XMLEventReader eventReader, Origin origin) {
try {
final StartElement rootElementStartEvent = seekRootElementStartEvent( eventReader, origin );
return doBind( eventReader, rootElementStartEvent, origin );
final PrivilegedAction<Binding> action = new PrivilegedAction<Binding>() {
@Override
public Binding run() {
final StartElement rootElementStartEvent = seekRootElementStartEvent( eventReader, origin );
return doBind( eventReader, rootElementStartEvent, origin );
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
finally {
try {

View File

@ -83,11 +83,16 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
orderedClassLoaderSet.add( ClassLoaderServiceImpl.class.getClassLoader() );
// now build the aggregated class loader...
this.aggregatedClassLoader = AccessController.doPrivileged( new PrivilegedAction<AggregatedClassLoader>() {
final PrivilegedAction<AggregatedClassLoader> action = new PrivilegedAction<AggregatedClassLoader>() {
@Override
public AggregatedClassLoader run() {
return new AggregatedClassLoader( orderedClassLoaderSet, lookupPrecedence );
}
} );
};
this.aggregatedClassLoader = System.getSecurityManager() != null
? AccessController.doPrivileged( action )
: action.run();
}
/**
@ -347,49 +352,62 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
@Override
@SuppressWarnings({"unchecked"})
public <T> Class<T> classForName(String className) {
try {
return (Class<T>) Class.forName( className, true, getAggregatedClassLoader() );
}
catch (Exception e) {
throw new ClassLoadingException( "Unable to load class [" + className + "]", e );
}
catch (LinkageError e) {
throw new ClassLoadingException( "Unable to load class [" + className + "]", e );
}
final PrivilegedAction<Class<T>> action = new PrivilegedAction<Class<T>>() {
@Override
public Class<T> run() {
try {
return (Class<T>) Class.forName( className, true, getAggregatedClassLoader() );
}
catch (Exception e) {
throw new ClassLoadingException( "Unable to load class [" + className + "]", e );
}
catch (LinkageError e) {
throw new ClassLoadingException( "Unable to load class [" + className + "]", e );
}
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
@Override
public URL locateResource(String name) {
// first we try name as a URL
try {
return new URL( name );
}
catch (Exception ignore) {
}
try {
final URL url = getAggregatedClassLoader().getResource( name );
if ( url != null ) {
return url;
}
}
catch (Exception ignore) {
}
if ( name.startsWith( "/" ) ) {
name = name.substring( 1 );
try {
final URL url = getAggregatedClassLoader().getResource( name );
if ( url != null ) {
return url;
public URL locateResource(final String name) {
final PrivilegedAction<URL> action = new PrivilegedAction<URL>() {
@Override
public URL run() {
try {
return new URL( name );
}
catch (Exception ignore) {
}
}
catch (Exception ignore) {
}
}
return null;
try {
final URL url = getAggregatedClassLoader().getResource( name );
if ( url != null ) {
return url;
}
}
catch (Exception ignore) {
}
if ( name.startsWith( "/" ) ) {
final String resourceName = name.substring( 1 );
try {
final URL url = getAggregatedClassLoader().getResource( resourceName );
if ( url != null ) {
return url;
}
}
catch (Exception ignore) {
}
}
return null;
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
@Override
@ -456,16 +474,22 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
@Override
@SuppressWarnings("unchecked")
public <S> Collection<S> loadJavaServices(Class<S> serviceContract) {
ServiceLoader<S> serviceLoader = serviceLoaders.get( serviceContract );
if ( serviceLoader == null ) {
serviceLoader = ServiceLoader.load( serviceContract, getAggregatedClassLoader() );
serviceLoaders.put( serviceContract, serviceLoader );
}
final LinkedHashSet<S> services = new LinkedHashSet<S>();
for ( S service : serviceLoader ) {
services.add( service );
}
return services;
final PrivilegedAction<Collection<S>> action = new PrivilegedAction<Collection<S>>() {
@Override
public Collection<S> run() {
ServiceLoader<S> serviceLoader = serviceLoaders.get( serviceContract );
if ( serviceLoader == null ) {
serviceLoader = ServiceLoader.load( serviceContract, getAggregatedClassLoader() );
serviceLoaders.put( serviceContract, serviceLoader );
}
final LinkedHashSet<S> services = new LinkedHashSet<S>();
for ( S service : serviceLoader ) {
services.add( service );
}
return services;
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
@Override
@ -480,7 +504,13 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
@Override
public <T> T workWithClassLoader(Work<T> work) {
return work.doWork( getAggregatedClassLoader() );
final PrivilegedAction<T> action = new PrivilegedAction<T>() {
@Override
public T run() {
return work.doWork( getAggregatedClassLoader() );
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
private ClassLoader getAggregatedClassLoader() {

View File

@ -10,6 +10,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import org.hibernate.HibernateException;
import org.hibernate.cfg.Environment;
@ -113,28 +115,33 @@ public final class ConfigHelper {
}
public static InputStream getResourceAsStream(String resource) {
String stripped = resource.startsWith( "/" )
? resource.substring( 1 )
: resource;
final PrivilegedAction<InputStream> action = new PrivilegedAction<InputStream>() {
@Override
public InputStream run() {
String stripped = resource.startsWith( "/" )
? resource.substring( 1 )
: resource;
InputStream stream = null;
ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
if ( classLoader != null ) {
stream = classLoader.getResourceAsStream( stripped );
}
if ( stream == null ) {
stream = Environment.class.getResourceAsStream( resource );
}
if ( stream == null ) {
stream = Environment.class.getClassLoader().getResourceAsStream( stripped );
}
if ( stream == null ) {
throw new HibernateException( resource + " not found" );
}
return stream;
InputStream stream = null;
ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
if ( classLoader != null ) {
stream = classLoader.getResourceAsStream( stripped );
}
if ( stream == null ) {
stream = Environment.class.getResourceAsStream( resource );
}
if ( stream == null ) {
stream = Environment.class.getClassLoader().getResourceAsStream( stripped );
}
if ( stream == null ) {
throw new HibernateException( resource + " not found" );
}
return stream;
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
public static InputStream getUserResourceAsStream(String resource) {
boolean hasLeadingSlash = resource.startsWith( "/" );
String stripped = hasLeadingSlash ? resource.substring( 1 ) : resource;

View File

@ -13,6 +13,8 @@ import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.persistence.Transient;
@ -235,7 +237,14 @@ public final class ReflectHelper {
}
private static Getter getter(Class clazz, String name) throws MappingException {
return PropertyAccessStrategyMixedImpl.INSTANCE.buildPropertyAccess( clazz, name ).getGetter();
final PrivilegedAction<Getter> action = new PrivilegedAction<Getter>() {
@Override
public Getter run() {
return PropertyAccessStrategyMixedImpl.INSTANCE.buildPropertyAccess( clazz, name ).getGetter();
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
public static Object getConstantValue(String name, SessionFactoryImplementor factory) {
@ -272,16 +281,23 @@ public final class ReflectHelper {
return null;
}
try {
Constructor<T> constructor = clazz.getDeclaredConstructor( NO_PARAM_SIGNATURE );
ensureAccessibility( constructor );
return constructor;
}
catch ( NoSuchMethodException nme ) {
throw new PropertyNotFoundException(
"Object class [" + clazz.getName() + "] must declare a default (no-argument) constructor"
);
}
final PrivilegedAction<Constructor> action = new PrivilegedAction<Constructor>() {
@Override
public Constructor run() {
try {
Constructor<T> constructor = clazz.getDeclaredConstructor( NO_PARAM_SIGNATURE );
ensureAccessibility( constructor );
return constructor;
}
catch (NoSuchMethodException e) {
throw new PropertyNotFoundException(
"Object class [" + clazz.getName() + "] must declare a default (no-argument) constructor"
);
}
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
/**
@ -348,12 +364,19 @@ public final class ReflectHelper {
}
public static Method getMethod(Class clazz, Method method) {
try {
return clazz.getMethod( method.getName(), method.getParameterTypes() );
}
catch (Exception e) {
return null;
}
final PrivilegedAction<Method> action = new PrivilegedAction<Method>() {
@Override
public Method run() {
try {
return clazz.getMethod( method.getName(), method.getParameterTypes() );
}
catch (Exception e){
return null;
}
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
public static Field findField(Class containerClass, String propertyName) {
@ -364,8 +387,14 @@ public final class ReflectHelper {
throw new IllegalArgumentException( "Illegal attempt to locate field [" + propertyName + "] on Object.class" );
}
Field field = locateField( containerClass, propertyName );
final PrivilegedAction<Field> action = new PrivilegedAction<Field>() {
@Override
public Field run() {
return locateField( containerClass, propertyName );
}
};
final Field field = System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
if ( field == null ) {
throw new PropertyNotFoundException(
String.format(
@ -383,11 +412,22 @@ public final class ReflectHelper {
}
public static void ensureAccessibility(AccessibleObject accessibleObject) {
if ( accessibleObject.isAccessible() ) {
return;
}
final PrivilegedAction<Object> action = new PrivilegedAction<Object>() {
@Override
public Object run() {
if ( !accessibleObject.isAccessible() ) {
accessibleObject.setAccessible( true );
}
return null;
}
};
accessibleObject.setAccessible( true );
if ( System.getSecurityManager() != null ) {
AccessController.doPrivileged( action );
}
else {
action.run();
}
}
private static Field locateField(Class clazz, String propertyName) {
@ -462,7 +502,7 @@ public final class ReflectHelper {
}
private static Method getGetterOrNull(Class containerClass, String propertyName) {
for ( Method method : containerClass.getDeclaredMethods() ) {
for ( Method method : getDeclaredMethods( containerClass ) ) {
// if the method has parameters, skip it
if ( method.getParameterCount() != 0 ) {
continue;
@ -513,17 +553,39 @@ public final class ReflectHelper {
String propertyName,
Method getMethod,
String stemName) {
// verify that the Class does not also define a method with the same stem name with 'is'
try {
final Method isMethod = containerClass.getDeclaredMethod( "is" + stemName );
final Method isMethod = getDeclaredMethod( containerClass, "is" + stemName );
if ( isMethod != null ) {
if ( !Modifier.isStatic( isMethod.getModifiers() ) && isMethod.getAnnotation( Transient.class ) == null ) {
// No such method should throw the caught exception. So if we get here, there was
// such a method.
checkGetAndIsVariants( containerClass, propertyName, getMethod, isMethod );
}
}
catch (NoSuchMethodException ignore) {
}
}
private static Method getDeclaredMethod(Class containerClass, String methodName) {
final PrivilegedAction<Method> action = new PrivilegedAction<Method>() {
@Override
public Method run() {
try {
return containerClass.getDeclaredMethod( methodName );
}
catch (NoSuchMethodException ignore) {
return null;
}
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
private static Method[] getDeclaredMethods(Class containerClass) {
final PrivilegedAction<Method[]> action = new PrivilegedAction<Method[]>() {
@Override
public Method[] run() {
return containerClass.getDeclaredMethods();
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
private static void checkGetAndIsVariants(
@ -554,16 +616,14 @@ public final class ReflectHelper {
Method isMethod,
String stemName) {
// verify that the Class does not also define a method with the same stem name with 'is'
try {
final Method getMethod = containerClass.getDeclaredMethod( "get" + stemName );
final Method getMethod = getDeclaredMethod( containerClass, "get" + stemName );
if ( getMethod != null ) {
// No such method should throw the caught exception. So if we get here, there was
// such a method.
if ( !Modifier.isStatic( getMethod.getModifiers() ) && getMethod.getAnnotation( Transient.class ) == null ) {
checkGetAndIsVariants( containerClass, propertyName, getMethod, isMethod );
}
}
catch (NoSuchMethodException ignore) {
}
}
public static Method getterMethodOrNull(Class containerJavaType, String propertyName) {
@ -631,7 +691,7 @@ public final class ReflectHelper {
private static Method setterOrNull(Class theClass, String propertyName, Class propertyType) {
Method potentialSetter = null;
for ( Method method : theClass.getDeclaredMethods() ) {
for ( Method method : getDeclaredMethods( theClass ) ) {
final String methodName = method.getName();
if ( method.getParameterCount() == 1 && methodName.startsWith( "set" ) ) {
final String testOldMethod = methodName.substring( 3 );
@ -656,7 +716,7 @@ public final class ReflectHelper {
* as an abstract - but again, that is such an edge case...
*/
public static Method findGetterMethodForFieldAccess(Field field, String propertyName) {
for ( Method method : field.getDeclaringClass().getDeclaredMethods() ) {
for ( Method method : getDeclaredMethods( field.getDeclaringClass() ) ) {
// if the method has parameters, skip it
if ( method.getParameterCount() != 0 ) {
continue;

View File

@ -10,6 +10,8 @@ import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.Entity;
@ -72,6 +74,7 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
}
continue;
}
final Callback[] callbacks = resolveEntityCallbacks( entityXClass, callbackType, reflectionManager );
callbackRegistrar.registerCallbacks( entityClass, callbacks );
}
@ -119,7 +122,7 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
final boolean debugEnabled = log.isDebugEnabled();
do {
Callback callback = null;
List<XMethod> methods = currentClazz.getDeclaredMethods();
List<XMethod> methods = getDeclaredMethods( currentClazz );
for ( final XMethod xMethod : methods ) {
if ( xMethod.isAnnotationPresent( callbackType.getCallbackAnnotation() ) ) {
Method method = reflectionManager.toMethod( xMethod );
@ -190,7 +193,7 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
if ( listener != null ) {
XClass xListener = reflectionManager.toXClass( listener );
callbacksMethodNames = new ArrayList<>();
List<XMethod> methods = xListener.getDeclaredMethods();
List<XMethod> methods = getDeclaredMethods( xListener );
for ( final XMethod xMethod : methods ) {
if ( xMethod.isAnnotationPresent( callbackType.getCallbackAnnotation() ) ) {
final Method method = reflectionManager.toMethod( xMethod );
@ -338,4 +341,14 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
}
}
}
private static List<XMethod> getDeclaredMethods(XClass clazz) {
final PrivilegedAction<List<XMethod>> action = new PrivilegedAction<List<XMethod>>() {
@Override
public List<XMethod> run() {
return clazz.getDeclaredMethods();
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
}

View File

@ -7,6 +7,8 @@
package org.hibernate.metamodel.internal;
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
@ -369,13 +371,26 @@ class MetadataContext {
return;
}
final String metamodelClassName = managedTypeClass.getName() + '_';
try {
final Class metamodelClass = Class.forName( metamodelClassName, true, managedTypeClass.getClassLoader() );
// we found the class; so populate it...
registerAttributes( metamodelClass, managedType );
final PrivilegedAction<Object> action = new PrivilegedAction<Object>() {
@Override
public Object run() {
try {
final Class metamodelClass = Class.forName( metamodelClassName, true, managedTypeClass.getClassLoader() );
// we found the class; so populate it...
registerAttributes( metamodelClass, managedType );
}
catch (ClassNotFoundException ignore) {
// nothing to do...
}
return null;
}
};
if ( System.getSecurityManager() != null ) {
AccessController.doPrivileged( action );
}
catch (ClassNotFoundException ignore) {
// nothing to do...
else {
action.run();
}
// todo : this does not account for @MappeSuperclass, mainly because this is not being tracked in our

View File

@ -8,6 +8,8 @@ package org.hibernate.tuple.entity;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
@ -157,24 +159,31 @@ public class PojoEntityTuplizer extends AbstractEntityTuplizer {
null :
ReflectHelper.getMethod( proxyInterface, idSetterMethod );
ProxyFactory pf = buildProxyFactoryInternal( persistentClass, idGetter, idSetter );
try {
pf.postInstantiate(
getEntityName(),
mappedClass,
proxyInterfaces,
proxyGetIdentifierMethod,
proxySetIdentifierMethod,
persistentClass.hasEmbeddedIdentifier() ?
(CompositeType) persistentClass.getIdentifier().getType() :
null
);
}
catch (HibernateException he) {
LOG.unableToCreateProxyFactory( getEntityName(), he );
pf = null;
}
return pf;
final PrivilegedAction<ProxyFactory> action = new PrivilegedAction<ProxyFactory>() {
@Override
public ProxyFactory run() {
ProxyFactory pf = buildProxyFactoryInternal( persistentClass, idGetter, idSetter );
try {
pf.postInstantiate(
getEntityName(),
mappedClass,
proxyInterfaces,
proxyGetIdentifierMethod,
proxySetIdentifierMethod,
persistentClass.hasEmbeddedIdentifier() ?
(CompositeType) persistentClass.getIdentifier().getType() :
null
);
}
catch (HibernateException he) {
LOG.unableToCreateProxyFactory( getEntityName(), he );
pf = null;
}
return pf;
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
protected ProxyFactory buildProxyFactoryInternal(

View File

@ -7,6 +7,8 @@
package org.hibernate.envers.configuration.internal.metadata.reader;
import java.lang.annotation.Annotation;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
@ -47,6 +49,7 @@ import org.hibernate.loader.PropertyPath;
import org.hibernate.mapping.Component;
import org.hibernate.mapping.Property;
import org.hibernate.mapping.Value;
import org.jboss.logging.Logger;
import static org.hibernate.envers.internal.tools.Tools.newHashMap;
@ -354,26 +357,47 @@ public class AuditedPropertiesReader {
//look in the class
addFromProperties(
clazz.getDeclaredProperties( "field" ),
getPropertiesFromClassByType( clazz, AccessType.FIELD ),
it -> "field",
fieldAccessedPersistentProperties,
allClassAudited
);
addFromProperties(
clazz.getDeclaredProperties( "property" ),
getPropertiesFromClassByType( clazz, AccessType.PROPERTY ),
propertyAccessedPersistentProperties::get,
propertyAccessedPersistentProperties.keySet(),
allClassAudited
);
if ( allClassAudited != null || !auditedPropertiesHolder.isEmpty() ) {
final XClass superclazz = clazz.getSuperclass();
final PrivilegedAction<XClass> action = new PrivilegedAction<XClass>() {
@Override
public XClass run() {
return clazz.getSuperclass();
}
};
final XClass superclazz = System.getSecurityManager() != null
? AccessController.doPrivileged( action )
: action.run();
if ( !clazz.isInterface() && !"java.lang.Object".equals( superclazz.getName() ) ) {
addPropertiesFromClass( superclazz );
}
}
}
private Iterable<XProperty> getPropertiesFromClassByType(XClass clazz, AccessType accessType) {
final PrivilegedAction<Iterable<XProperty>> action = new PrivilegedAction<Iterable<XProperty>>() {
@Override
public Iterable<XProperty> run() {
return clazz.getDeclaredProperties( accessType.getType() );
}
};
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
}
private void addFromProperties(
Iterable<XProperty> properties,
Function<String, String> accessTypeProvider,