From e150a6140e72ee29386ecb3d39f4a40bba3d84b8 Mon Sep 17 00:00:00 2001
From: Gail Badner <gbadner@redhat.com>
Date: Thu, 10 Dec 2015 16:41:05 -0800
Subject: [PATCH] HHH-10349 : PersistenceUtilHelper should call
 getDeclaredField/Method inside of privileged block

(cherry picked from commit 986b2b65ad24a4c24a04a75336489522b0e6a9a5)
---
 .../internal/util/PersistenceUtilHelper.java  | 39 +++++++++++--------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/internal/util/PersistenceUtilHelper.java b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/internal/util/PersistenceUtilHelper.java
index 42f1137220..9cba90dd17 100644
--- a/hibernate-entitymanager/src/main/java/org/hibernate/jpa/internal/util/PersistenceUtilHelper.java
+++ b/hibernate-entitymanager/src/main/java/org/hibernate/jpa/internal/util/PersistenceUtilHelper.java
@@ -10,6 +10,8 @@ import java.io.Serializable;
 import java.lang.reflect.Field;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -352,24 +354,29 @@ public final class PersistenceUtilHelper {
 			return attributeAccess;
 		}
 
-		private AttributeAccess buildAttributeAccess(String attributeName) {
-			for ( Class clazz : classHierarchy ) {
-				try {
-					final Field field = clazz.getDeclaredField( attributeName );
-					if ( field != null ) {
-						return new FieldAttributeAccess( field );
+		private AttributeAccess buildAttributeAccess(final String attributeName) {
+			final PrivilegedAction<AttributeAccess> action = new PrivilegedAction<AttributeAccess>() {
+				@Override
+				public AttributeAccess run() {
+					for ( Class clazz : classHierarchy ) {
+						try {
+							final Field field = clazz.getDeclaredField( attributeName );
+							if ( field != null ) {
+								return new FieldAttributeAccess( field );
+							}
+						}
+						catch ( NoSuchFieldException e ) {
+							final Method method = getMethod( clazz, attributeName );
+							if ( method != null ) {
+								return new MethodAttributeAccess( attributeName, method );
+							}
+						}
 					}
+					//we could not find any match
+					return new NoSuchAttributeAccess( specifiedClass, attributeName );
 				}
-				catch ( NoSuchFieldException e ) {
-					final Method method = getMethod( clazz, attributeName );
-					if ( method != null ) {
-						return new MethodAttributeAccess( attributeName, method );
-					}
-				}
-			}
-
-			//we could not find any match
-			return new NoSuchAttributeAccess( specifiedClass, attributeName );
+			};
+			return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
 		}
 	}