HHH-15411 Introduce an system property to fully disable Hibernate's use of a system SecurityManager
This commit is contained in:
parent
deb2c52ab4
commit
697cfea170
|
@ -27,6 +27,7 @@ import org.hibernate.HibernateException;
|
|||
import org.hibernate.bytecode.enhance.spi.EnhancerConstants;
|
||||
import org.hibernate.bytecode.spi.BasicProxyFactory;
|
||||
import org.hibernate.internal.CoreMessageLogger;
|
||||
import org.hibernate.internal.util.securitymanager.SystemSecurityManager;
|
||||
import org.hibernate.proxy.ProxyConfiguration;
|
||||
import org.hibernate.proxy.ProxyFactory;
|
||||
|
||||
|
@ -82,7 +83,7 @@ public final class ByteBuddyState {
|
|||
this.proxyCache = new TypeCache( TypeCache.Sort.WEAK );
|
||||
this.basicProxyCache = new TypeCache( TypeCache.Sort.WEAK );
|
||||
|
||||
if ( System.getSecurityManager() != null ) {
|
||||
if ( SystemSecurityManager.isSecurityManagerEnabled() ) {
|
||||
this.classRewriter = new SecurityManagerClassRewriter();
|
||||
}
|
||||
else {
|
||||
|
@ -276,7 +277,7 @@ public final class ByteBuddyState {
|
|||
}
|
||||
};
|
||||
|
||||
this.delegateToInterceptorDispatcherMethodDelegation = System.getSecurityManager() != null
|
||||
this.delegateToInterceptorDispatcherMethodDelegation = SystemSecurityManager.isSecurityManagerEnabled()
|
||||
? AccessController.doPrivileged( delegateToInterceptorDispatcherMethodDelegationPrivilegedAction )
|
||||
: delegateToInterceptorDispatcherMethodDelegationPrivilegedAction.run();
|
||||
|
||||
|
@ -290,7 +291,7 @@ public final class ByteBuddyState {
|
|||
}
|
||||
};
|
||||
|
||||
this.interceptorFieldAccessor = System.getSecurityManager() != null
|
||||
this.interceptorFieldAccessor = SystemSecurityManager.isSecurityManagerEnabled()
|
||||
? AccessController.doPrivileged( interceptorFieldAccessorPrivilegedAction )
|
||||
: interceptorFieldAccessorPrivilegedAction.run();
|
||||
}
|
||||
|
|
|
@ -16,6 +16,7 @@ import java.util.function.Function;
|
|||
import java.util.stream.Stream;
|
||||
|
||||
import org.hibernate.HibernateException;
|
||||
import org.hibernate.internal.util.securitymanager.SystemSecurityManager;
|
||||
|
||||
/**
|
||||
* This dispatcher analyzes the stack frames to detect if a particular call should be authorized.
|
||||
|
@ -85,7 +86,7 @@ public class HibernateMethodLookupDispatcher {
|
|||
throw new SecurityException( "Unauthorized call by class " + callerClass );
|
||||
}
|
||||
|
||||
return System.getSecurityManager() != null ? AccessController.doPrivileged( privilegedAction ) :
|
||||
return SystemSecurityManager.isSecurityManagerEnabled() ? AccessController.doPrivileged( privilegedAction ) :
|
||||
privilegedAction.run();
|
||||
}
|
||||
|
||||
|
@ -133,13 +134,13 @@ public class HibernateMethodLookupDispatcher {
|
|||
}
|
||||
};
|
||||
|
||||
GET_CALLER_STACK_ACTION = System.getSecurityManager() != null
|
||||
GET_CALLER_STACK_ACTION = SystemSecurityManager.isSecurityManagerEnabled()
|
||||
? AccessController.doPrivileged( initializeGetCallerStackAction )
|
||||
: initializeGetCallerStackAction.run();
|
||||
}
|
||||
|
||||
private static Class<?> getCallerClass() {
|
||||
Class<?>[] stackTrace = System.getSecurityManager() != null
|
||||
Class<?>[] stackTrace = SystemSecurityManager.isSecurityManagerEnabled()
|
||||
? AccessController.doPrivileged( GET_CALLER_STACK_ACTION )
|
||||
: GET_CALLER_STACK_ACTION.run();
|
||||
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
/*
|
||||
* Hibernate, Relational Persistence for Idiomatic Java
|
||||
*
|
||||
* License: GNU Lesser General Public License (LGPL), version 2.1 or later.
|
||||
* See the lgpl.txt file in the root directory or <http://www.gnu.org/licenses/lgpl-2.1.html>.
|
||||
*/
|
||||
package org.hibernate.internal.util.securitymanager;
|
||||
|
||||
/**
|
||||
* Encapsulates access to {@link System#getSecurityManager()},
|
||||
* in preparation of it being phased out by the JDK.
|
||||
*
|
||||
* Since JDK 17 the security manager can be disabled by setting
|
||||
* the system property {@code java.security.manager} to {@code disallow};
|
||||
* to prepare for this we also offer the option of setting
|
||||
* {@code org.hibernate.internal.util.securitymanager.FULLY_DISABLE} to {@code true}
|
||||
* to have the same effect, although limited to the Hibernate ORM code.
|
||||
*/
|
||||
public final class SystemSecurityManager {
|
||||
|
||||
public static final String FULLY_DISABLE_PROP_NAME = "org.hibernate.internal.util.securitymanager.FULLY_DISABLE";
|
||||
private static final boolean disabledForced = Boolean.getBoolean( FULLY_DISABLE_PROP_NAME );
|
||||
|
||||
private static final boolean SM_IS_ENABLED = (!disabledForced) && (System.getSecurityManager() != null );
|
||||
|
||||
public static boolean isSecurityManagerEnabled() {
|
||||
return SM_IS_ENABLED;
|
||||
}
|
||||
|
||||
//N.B. do not expose a "doPrivileged" helper as that would introduce a security problem
|
||||
|
||||
}
|
|
@ -27,6 +27,7 @@ import org.hibernate.bytecode.enhance.spi.interceptor.LazyAttributeLoadingInterc
|
|||
import org.hibernate.collection.spi.PersistentCollection;
|
||||
import org.hibernate.engine.spi.PersistentAttributeInterceptable;
|
||||
import org.hibernate.internal.util.ReflectHelper;
|
||||
import org.hibernate.internal.util.securitymanager.SystemSecurityManager;
|
||||
import org.hibernate.proxy.HibernateProxy;
|
||||
import org.hibernate.proxy.LazyInitializer;
|
||||
|
||||
|
@ -378,7 +379,7 @@ public final class PersistenceUtilHelper {
|
|||
return new NoSuchAttributeAccess( specifiedClass, attributeName );
|
||||
}
|
||||
};
|
||||
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
|
||||
return SystemSecurityManager.isSecurityManagerEnabled() ? AccessController.doPrivileged( action ) : action.run();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -17,6 +17,7 @@ import org.hibernate.engine.spi.SharedSessionContractImplementor;
|
|||
import org.hibernate.internal.CoreMessageLogger;
|
||||
import org.hibernate.internal.util.ReflectHelper;
|
||||
import org.hibernate.internal.util.collections.ArrayHelper;
|
||||
import org.hibernate.internal.util.securitymanager.SystemSecurityManager;
|
||||
import org.hibernate.proxy.HibernateProxy;
|
||||
import org.hibernate.proxy.ProxyConfiguration;
|
||||
import org.hibernate.proxy.ProxyFactory;
|
||||
|
@ -119,7 +120,7 @@ public class ByteBuddyProxyFactory implements ProxyFactory, Serializable {
|
|||
|
||||
}
|
||||
};
|
||||
return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
|
||||
return SystemSecurityManager.isSecurityManagerEnabled() ? AccessController.doPrivileged( action ) : action.run();
|
||||
|
||||
}
|
||||
}
|
||||
|
|
|
@ -16,6 +16,7 @@ import org.hibernate.envers.exception.AuditException;
|
|||
import org.hibernate.envers.internal.entities.PropertyData;
|
||||
import org.hibernate.envers.internal.tools.ReflectionTools;
|
||||
import org.hibernate.internal.util.ReflectHelper;
|
||||
import org.hibernate.internal.util.securitymanager.SystemSecurityManager;
|
||||
import org.hibernate.property.access.spi.Getter;
|
||||
import org.hibernate.property.access.spi.Setter;
|
||||
import org.hibernate.service.ServiceRegistry;
|
||||
|
@ -35,7 +36,7 @@ public abstract class AbstractMapper {
|
|||
* @return the result of the privileged call, may be {@literal null}
|
||||
*/
|
||||
protected <T> T doPrivileged(Supplier<T> block) {
|
||||
if ( System.getSecurityManager() != null ) {
|
||||
if ( SystemSecurityManager.isSecurityManagerEnabled() ) {
|
||||
return AccessController.doPrivileged( (PrivilegedAction<T>) block::get );
|
||||
}
|
||||
else {
|
||||
|
|
|
@ -20,6 +20,7 @@ import org.hibernate.envers.internal.entities.EntityInstantiator;
|
|||
import org.hibernate.envers.internal.entities.mapper.relation.query.RelationQueryGenerator;
|
||||
import org.hibernate.envers.internal.reader.AuditReaderImplementor;
|
||||
import org.hibernate.internal.util.ReflectHelper;
|
||||
import org.hibernate.internal.util.securitymanager.SystemSecurityManager;
|
||||
|
||||
/**
|
||||
* Initializes a persistent collection.
|
||||
|
@ -74,7 +75,7 @@ public abstract class AbstractCollectionInitializor<T> implements Initializor<T>
|
|||
* @return the result of the privileged call, may be {@literal null}
|
||||
*/
|
||||
protected <R> R doPrivileged(Supplier<R> block) {
|
||||
if ( System.getSecurityManager() != null ) {
|
||||
if ( SystemSecurityManager.isSecurityManagerEnabled() ) {
|
||||
return AccessController.doPrivileged( (PrivilegedAction<R>) block::get );
|
||||
}
|
||||
else {
|
||||
|
|
Loading…
Reference in New Issue