HHH-12542 - Add necessary privileged action blocks for SecurityManager used on WildFly.

hibernate-core/src/main/java/org/hibernate/boot/cfgxml/internal/ConfigLoader.java

@@ -12,6 +12,8 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Properties;
 
 import org.hibernate.boot.cfgxml.spi.LoadedConfig;
@@ -48,18 +50,19 @@ public class ConfigLoader {
 	}
 
 	public LoadedConfig loadConfigXmlResource(String cfgXmlResourceName) {
+		final PrivilegedAction<JaxbCfgHibernateConfiguration> action = new PrivilegedAction<JaxbCfgHibernateConfiguration>() {
+			@Override
+			public JaxbCfgHibernateConfiguration run() {
 				final InputStream stream = bootstrapServiceRegistry.getService( ClassLoaderService.class ).locateResourceStream( cfgXmlResourceName );
 				if ( stream == null ) {
 					throw new ConfigurationException( "Could not locate cfg.xml resource [" + cfgXmlResourceName + "]" );
 				}
 
 				try {
-			final JaxbCfgHibernateConfiguration jaxbCfg = jaxbProcessorHolder.getValue().unmarshal(
+					return jaxbProcessorHolder.getValue().unmarshal(
 							stream,
 							new Origin( SourceType.RESOURCE, cfgXmlResourceName )
 					);
-
-			return LoadedConfig.consume( jaxbCfg );
 				}
 				finally {
 					try {
@@ -70,6 +73,12 @@ public class ConfigLoader {
 					}
 				}
 			}
+		};
+
+		return LoadedConfig.consume(
+				System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run()
+		);
+	}
 
 	public LoadedConfig loadConfigXmlFile(File cfgXmlFile) {
 		try {

hibernate-core/src/main/java/org/hibernate/boot/jaxb/internal/AbstractBinder.java

@@ -7,6 +7,9 @@
 package org.hibernate.boot.jaxb.internal;
 
 import java.io.InputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Unmarshaller;
@@ -98,9 +101,16 @@ public abstract class AbstractBinder implements Binder {
 
 	private Binding doBind(XMLEventReader eventReader, Origin origin) {
 		try {
+			final PrivilegedAction<Binding> action = new PrivilegedAction<Binding>() {
+				@Override
+				public Binding run() {
 					final StartElement rootElementStartEvent = seekRootElementStartEvent( eventReader, origin );
 					return doBind( eventReader, rootElementStartEvent, origin );
 				}
+			};
+
+			return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+		}
 		finally {
 			try {
 				eventReader.close();

hibernate-core/src/main/java/org/hibernate/boot/registry/classloading/internal/ClassLoaderServiceImpl.java

@@ -83,11 +83,16 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 		orderedClassLoaderSet.add( ClassLoaderServiceImpl.class.getClassLoader() );
 
 		// now build the aggregated class loader...
-		this.aggregatedClassLoader = AccessController.doPrivileged( new PrivilegedAction<AggregatedClassLoader>() {
+		final PrivilegedAction<AggregatedClassLoader> action = new PrivilegedAction<AggregatedClassLoader>() {
+			@Override
 			public AggregatedClassLoader run() {
 				return new AggregatedClassLoader( orderedClassLoaderSet, lookupPrecedence );
 			}
-		} );
+		};
+
+		this.aggregatedClassLoader = System.getSecurityManager() != null
+				? AccessController.doPrivileged( action )
+				: action.run();
 	}
 
 	/**
@@ -347,6 +352,9 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 	@Override
 	@SuppressWarnings({"unchecked"})
 	public <T> Class<T> classForName(String className) {
+		final PrivilegedAction<Class<T>> action = new PrivilegedAction<Class<T>>() {
+			@Override
+			public Class<T> run() {
 				try {
 					return (Class<T>) Class.forName( className, true, getAggregatedClassLoader() );
 				}
@@ -357,10 +365,16 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 					throw new ClassLoadingException( "Unable to load class [" + className + "]", e );
 				}
 			}
+		};
+
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	@Override
-	public URL locateResource(String name) {
+	public URL locateResource(final String name) {
-		// first we try name as a URL
+		final PrivilegedAction<URL> action = new PrivilegedAction<URL>() {
+			@Override
+			public URL run() {
 				try {
 					return new URL( name );
 				}
@@ -377,10 +391,10 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 				}
 
 				if ( name.startsWith( "/" ) ) {
-			name = name.substring( 1 );
+					final String resourceName = name.substring( 1 );
 
 					try {
-				final URL url = getAggregatedClassLoader().getResource( name );
+						final URL url = getAggregatedClassLoader().getResource( resourceName );
 						if ( url != null ) {
 							return url;
 						}
@@ -391,6 +405,10 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 
 				return null;
 			}
+		};
+
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	@Override
 	public InputStream locateResourceStream(String name) {
@@ -456,6 +474,9 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 	@Override
 	@SuppressWarnings("unchecked")
 	public <S> Collection<S> loadJavaServices(Class<S> serviceContract) {
+		final PrivilegedAction<Collection<S>> action = new PrivilegedAction<Collection<S>>() {
+			@Override
+			public Collection<S> run() {
 				ServiceLoader<S> serviceLoader = serviceLoaders.get( serviceContract );
 				if ( serviceLoader == null ) {
 					serviceLoader = ServiceLoader.load( serviceContract, getAggregatedClassLoader() );
@@ -467,6 +488,9 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 				}
 				return services;
 			}
+		};
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	@Override
 	@SuppressWarnings("unchecked")
@@ -480,8 +504,14 @@ public class ClassLoaderServiceImpl implements ClassLoaderService {
 
 	@Override
 	public <T> T workWithClassLoader(Work<T> work) {
+		final PrivilegedAction<T> action = new PrivilegedAction<T>() {
+			@Override
+			public T run() {
 				return work.doWork( getAggregatedClassLoader() );
 			}
+		};
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	private ClassLoader getAggregatedClassLoader() {
 		final AggregatedClassLoader aggregated = this.aggregatedClassLoader;

hibernate-core/src/main/java/org/hibernate/internal/util/ConfigHelper.java

@@ -10,6 +10,8 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import org.hibernate.HibernateException;
 import org.hibernate.cfg.Environment;
@@ -113,6 +115,9 @@ public final class ConfigHelper {
 	}
 
 	public static InputStream getResourceAsStream(String resource) {
+		final PrivilegedAction<InputStream> action = new PrivilegedAction<InputStream>() {
+			@Override
+			public InputStream run() {
 				String stripped = resource.startsWith( "/" )
 						? resource.substring( 1 )
 						: resource;
@@ -133,7 +138,9 @@ public final class ConfigHelper {
 				}
 				return stream;
 			}
-
+		};
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	public static InputStream getUserResourceAsStream(String resource) {
 		boolean hasLeadingSlash = resource.startsWith( "/" );

hibernate-core/src/main/java/org/hibernate/internal/util/ReflectHelper.java

@@ -13,6 +13,8 @@ import java.lang.reflect.Field;
 import java.lang.reflect.Member;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Locale;
 import java.util.regex.Pattern;
 import javax.persistence.Transient;
@@ -235,8 +237,15 @@ public final class ReflectHelper {
 	}
 
 	private static Getter getter(Class clazz, String name) throws MappingException {
+		final PrivilegedAction<Getter> action = new PrivilegedAction<Getter>() {
+			@Override
+			public Getter run() {
 				return PropertyAccessStrategyMixedImpl.INSTANCE.buildPropertyAccess( clazz, name ).getGetter();
 			}
+		};
+
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	public static Object getConstantValue(String name, SessionFactoryImplementor factory) {
 		boolean conventionalJavaConstants = factory.getSessionFactoryOptions().isConventionalJavaConstants();
@@ -272,17 +281,24 @@ public final class ReflectHelper {
 			return null;
 		}
 
+		final PrivilegedAction<Constructor> action = new PrivilegedAction<Constructor>() {
+			@Override
+			public Constructor run() {
 				try {
 					Constructor<T> constructor = clazz.getDeclaredConstructor( NO_PARAM_SIGNATURE );
 					ensureAccessibility( constructor );
 					return constructor;
 				}
-		catch ( NoSuchMethodException nme ) {
+				catch (NoSuchMethodException e) {
 					throw new PropertyNotFoundException(
 							"Object class [" + clazz.getName() + "] must declare a default (no-argument) constructor"
 					);
 				}
 			}
+		};
+
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	/**
 	 * Determine if the given class is declared abstract.
@@ -348,6 +364,9 @@ public final class ReflectHelper {
 	}
 
 	public static Method getMethod(Class clazz, Method method) {
+		final PrivilegedAction<Method> action = new PrivilegedAction<Method>() {
+			@Override
+			public Method run() {
 				try {
 					return clazz.getMethod( method.getName(), method.getParameterTypes() );
 				}
@@ -355,6 +374,10 @@ public final class ReflectHelper {
 					return null;
 				}
 			}
+		};
+
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	public static Field findField(Class containerClass, String propertyName) {
 		if ( containerClass == null ) {
@@ -364,8 +387,14 @@ public final class ReflectHelper {
 			throw new IllegalArgumentException( "Illegal attempt to locate field [" + propertyName + "] on Object.class" );
 		}
 
-		Field field = locateField( containerClass, propertyName );
+		final PrivilegedAction<Field> action = new PrivilegedAction<Field>() {
+			@Override
+			public Field run() {
+				return locateField( containerClass, propertyName );
+			}
+		};
 
+		final Field field = System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
 		if ( field == null ) {
 			throw new PropertyNotFoundException(
 					String.format(
@@ -383,12 +412,23 @@ public final class ReflectHelper {
 	}
 
 	public static void ensureAccessibility(AccessibleObject accessibleObject) {
-		if ( accessibleObject.isAccessible() ) {
+		final PrivilegedAction<Object> action = new PrivilegedAction<Object>() {
-			return;
+			@Override
-		}
+			public Object run() {
-
+				if ( !accessibleObject.isAccessible() ) {
 					accessibleObject.setAccessible( true );
 				}
+				return null;
+			}
+		};
+
+		if ( System.getSecurityManager() != null ) {
+			AccessController.doPrivileged( action );
+		}
+		else {
+			action.run();
+		}
+	}
 
 	private static Field locateField(Class clazz, String propertyName) {
 		if ( clazz == null || Object.class.equals( clazz ) ) {
@@ -462,7 +502,7 @@ public final class ReflectHelper {
 	}
 
 	private static Method getGetterOrNull(Class containerClass, String propertyName) {
-		for ( Method method : containerClass.getDeclaredMethods() ) {
+		for ( Method method : getDeclaredMethods( containerClass ) ) {
 			// if the method has parameters, skip it
 			if ( method.getParameterCount() != 0 ) {
 				continue;
@@ -513,17 +553,39 @@ public final class ReflectHelper {
 			String propertyName,
 			Method getMethod,
 			String stemName) {
-		// verify that the Class does not also define a method with the same stem name with 'is'
+		final Method isMethod = getDeclaredMethod( containerClass, "is" + stemName );
-		try {
+		if ( isMethod != null ) {
-			final Method isMethod = containerClass.getDeclaredMethod( "is" + stemName );
 			if ( !Modifier.isStatic( isMethod.getModifiers() ) && isMethod.getAnnotation( Transient.class ) == null ) {
 				// No such method should throw the caught exception.  So if we get here, there was
 				// such a method.
 				checkGetAndIsVariants( containerClass, propertyName, getMethod, isMethod );
 			}
 		}
-		catch (NoSuchMethodException ignore) {
 	}
+
+	private static Method getDeclaredMethod(Class containerClass, String methodName) {
+		final PrivilegedAction<Method> action = new PrivilegedAction<Method>() {
+			@Override
+			public Method run() {
+				try {
+					return containerClass.getDeclaredMethod( methodName );
+				}
+				catch (NoSuchMethodException ignore) {
+					return null;
+				}
+			}
+		};
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
+
+	private static Method[] getDeclaredMethods(Class containerClass) {
+		final PrivilegedAction<Method[]> action = new PrivilegedAction<Method[]>() {
+			@Override
+			public Method[] run() {
+				return containerClass.getDeclaredMethods();
+			}
+		};
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
 	}
 
 	private static void checkGetAndIsVariants(
@@ -554,16 +616,14 @@ public final class ReflectHelper {
 			Method isMethod,
 			String stemName) {
 		// verify that the Class does not also define a method with the same stem name with 'is'
-		try {
+		final Method getMethod = getDeclaredMethod( containerClass, "get" + stemName );
-			final Method getMethod = containerClass.getDeclaredMethod( "get" + stemName );
+		if ( getMethod != null ) {
 			// No such method should throw the caught exception.  So if we get here, there was
 			// such a method.
 			if ( !Modifier.isStatic( getMethod.getModifiers() ) && getMethod.getAnnotation( Transient.class ) == null ) {
 				checkGetAndIsVariants( containerClass, propertyName, getMethod, isMethod );
 			}
 		}
-		catch (NoSuchMethodException ignore) {
-		}
 	}
 
 	public static Method getterMethodOrNull(Class containerJavaType, String propertyName) {
@@ -631,7 +691,7 @@ public final class ReflectHelper {
 	private static Method setterOrNull(Class theClass, String propertyName, Class propertyType) {
 		Method potentialSetter = null;
 
-		for ( Method method : theClass.getDeclaredMethods() ) {
+		for ( Method method : getDeclaredMethods( theClass ) ) {
 			final String methodName = method.getName();
 			if ( method.getParameterCount() == 1 && methodName.startsWith( "set" ) ) {
 				final String testOldMethod = methodName.substring( 3 );
@@ -656,7 +716,7 @@ public final class ReflectHelper {
 	 * as an abstract - but again, that is such an edge case...
 	 */
 	public static Method findGetterMethodForFieldAccess(Field field, String propertyName) {
-		for ( Method method : field.getDeclaringClass().getDeclaredMethods() ) {
+		for ( Method method : getDeclaredMethods( field.getDeclaringClass() ) ) {
 			// if the method has parameters, skip it
 			if ( method.getParameterCount() != 0 ) {
 				continue;

hibernate-core/src/main/java/org/hibernate/jpa/event/internal/CallbackBuilderLegacyImpl.java

@@ -10,6 +10,8 @@ import java.lang.annotation.Annotation;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Target;
 import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.List;
 import javax.persistence.Entity;
@@ -72,6 +74,7 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
 					}
 					continue;
 				}
+
 				final Callback[] callbacks = resolveEntityCallbacks( entityXClass, callbackType, reflectionManager );
 				callbackRegistrar.registerCallbacks( entityClass, callbacks );
 			}
@@ -119,7 +122,7 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
 		final boolean debugEnabled = log.isDebugEnabled();
 		do {
 			Callback callback = null;
-			List<XMethod> methods = currentClazz.getDeclaredMethods();
+			List<XMethod> methods = getDeclaredMethods( currentClazz );
 			for ( final XMethod xMethod : methods ) {
 				if ( xMethod.isAnnotationPresent( callbackType.getCallbackAnnotation() ) ) {
 					Method method = reflectionManager.toMethod( xMethod );
@@ -190,7 +193,7 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
 			if ( listener != null ) {
 				XClass xListener = reflectionManager.toXClass( listener );
 				callbacksMethodNames = new ArrayList<>();
-				List<XMethod> methods = xListener.getDeclaredMethods();
+				List<XMethod> methods = getDeclaredMethods( xListener );
 				for ( final XMethod xMethod : methods ) {
 					if ( xMethod.isAnnotationPresent( callbackType.getCallbackAnnotation() ) ) {
 						final Method method = reflectionManager.toMethod( xMethod );
@@ -338,4 +341,14 @@ public class CallbackBuilderLegacyImpl implements CallbackBuilder {
 			}
 		}
 	}
+
+	private static List<XMethod> getDeclaredMethods(XClass clazz) {
+		final PrivilegedAction<List<XMethod>> action = new PrivilegedAction<List<XMethod>>() {
+			@Override
+			public List<XMethod> run() {
+				return clazz.getDeclaredMethods();
+			}
+		};
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 }

hibernate-core/src/main/java/org/hibernate/metamodel/internal/MetadataContext.java

@@ -7,6 +7,8 @@
 package org.hibernate.metamodel.internal;
 
 import java.lang.reflect.Field;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -369,6 +371,10 @@ class MetadataContext {
 			return;
 		}
 		final String metamodelClassName = managedTypeClass.getName() + '_';
+
+		final PrivilegedAction<Object> action = new PrivilegedAction<Object>() {
+			@Override
+			public Object run() {
 				try {
 					final Class metamodelClass = Class.forName( metamodelClassName, true, managedTypeClass.getClassLoader() );
 					// we found the class; so populate it...
@@ -377,6 +383,15 @@ class MetadataContext {
 				catch (ClassNotFoundException ignore) {
 					// nothing to do...
 				}
+				return null;
+			}
+		};
+		if ( System.getSecurityManager() != null ) {
+			AccessController.doPrivileged( action );
+		}
+		else {
+			action.run();
+		}
 
 		// todo : this does not account for @MappeSuperclass, mainly because this is not being tracked in our
 		// internal metamodel as populated from the annotatios properly

hibernate-core/src/main/java/org/hibernate/tuple/entity/PojoEntityTuplizer.java

@@ -8,6 +8,8 @@ package org.hibernate.tuple.entity;
 
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
@@ -157,6 +159,9 @@ public class PojoEntityTuplizer extends AbstractEntityTuplizer {
 				null :
 				ReflectHelper.getMethod( proxyInterface, idSetterMethod );
 
+		final PrivilegedAction<ProxyFactory> action = new PrivilegedAction<ProxyFactory>() {
+			@Override
+			public ProxyFactory run() {
 				ProxyFactory pf = buildProxyFactoryInternal( persistentClass, idGetter, idSetter );
 				try {
 					pf.postInstantiate(
@@ -176,6 +181,10 @@ public class PojoEntityTuplizer extends AbstractEntityTuplizer {
 				}
 				return pf;
 			}
+		};
+
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
 
 	protected ProxyFactory buildProxyFactoryInternal(
 			PersistentClass persistentClass,

hibernate-envers/src/main/java/org/hibernate/envers/configuration/internal/metadata/reader/AuditedPropertiesReader.java

@@ -7,6 +7,8 @@
 package org.hibernate.envers.configuration.internal.metadata.reader;
 
 import java.lang.annotation.Annotation;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Iterator;
@@ -47,6 +49,7 @@ import org.hibernate.loader.PropertyPath;
 import org.hibernate.mapping.Component;
 import org.hibernate.mapping.Property;
 import org.hibernate.mapping.Value;
+
 import org.jboss.logging.Logger;
 
 import static org.hibernate.envers.internal.tools.Tools.newHashMap;
@@ -354,26 +357,47 @@ public class AuditedPropertiesReader {
 
 		//look in the class
 		addFromProperties(
-				clazz.getDeclaredProperties( "field" ),
+				getPropertiesFromClassByType( clazz, AccessType.FIELD ),
 				it -> "field",
 				fieldAccessedPersistentProperties,
 				allClassAudited
 		);
+
 		addFromProperties(
-				clazz.getDeclaredProperties( "property" ),
+				getPropertiesFromClassByType( clazz, AccessType.PROPERTY ),
 				propertyAccessedPersistentProperties::get,
 				propertyAccessedPersistentProperties.keySet(),
 				allClassAudited
 		);
 
 		if ( allClassAudited != null || !auditedPropertiesHolder.isEmpty() ) {
-			final XClass superclazz = clazz.getSuperclass();
+			final PrivilegedAction<XClass> action = new PrivilegedAction<XClass>() {
+				@Override
+				public XClass run() {
+					return clazz.getSuperclass();
+				}
+			};
+
+			final XClass superclazz = System.getSecurityManager() != null
+					? AccessController.doPrivileged( action )
+					: action.run();
+
 			if ( !clazz.isInterface() && !"java.lang.Object".equals( superclazz.getName() ) ) {
 				addPropertiesFromClass( superclazz );
 			}
 		}
 	}
 
+	private Iterable<XProperty> getPropertiesFromClassByType(XClass clazz, AccessType accessType) {
+		final PrivilegedAction<Iterable<XProperty>> action = new PrivilegedAction<Iterable<XProperty>>() {
+			@Override
+			public Iterable<XProperty> run() {
+				return clazz.getDeclaredProperties( accessType.getType() );
+			}
+		};
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
+
 	private void addFromProperties(
 			Iterable<XProperty> properties,
 			Function<String, String> accessTypeProvider,