Author: mbenson
Date: Fri Apr 6 15:47:04 2012
New Revision: 1310408
URL: http://svn.apache.org/viewvc?rev=1310408&view=rev
Log:
plug security holes
Modified:
bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
Modified:
bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
(original)
+++ bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
Fri Apr 6 15:47:04 2012
@@ -19,6 +19,7 @@ package org.apache.bval.util;
import java.lang.annotation.ElementType;
import java.lang.reflect.Field;
import java.lang.reflect.Type;
+import java.security.AccessController;
import java.security.PrivilegedAction;
/**
@@ -34,11 +35,11 @@ public class FieldAccess extends AccessS
*/
public FieldAccess(final Field field) {
this.field = field;
- if(!field.isAccessible()) {
- PrivilegedActions.run( new PrivilegedAction<Object>() {
- public Object run() {
+ if (!field.isAccessible()) {
+ run(new PrivilegedAction<Void>() {
+ public Void run() {
field.setAccessible(true);
- return (Object) null;
+ return null;
}
});
}
@@ -101,4 +102,12 @@ public class FieldAccess extends AccessS
public int hashCode() {
return field.hashCode();
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
Modified:
bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
--- bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
(original)
+++ bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
Fri Apr 6 15:47:04 2012
@@ -21,6 +21,7 @@ import java.lang.annotation.ElementType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Type;
+import java.security.AccessController;
import java.security.PrivilegedAction;
/**
@@ -47,10 +48,10 @@ public class MethodAccess extends Access
this.method = method;
this.propertyName = propertyName;
if (!method.isAccessible()) {
- PrivilegedActions.run( new PrivilegedAction<Object>() {
- public Object run() {
+ run( new PrivilegedAction<Void>() {
+ public Void run() {
method.setAccessible(true);
- return (Object) null;
+ return null;
}
});
}
@@ -143,4 +144,12 @@ public class MethodAccess extends Access
public int hashCode() {
return method.hashCode();
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
Modified:
bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
---
bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
(original)
+++
bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
Fri Apr 6 15:47:04 2012
@@ -77,7 +77,8 @@ public class PrivilegedActions {
* @param action - the action to run
* @return result of running the action
*/
- public static <T> T run(PrivilegedAction<T> action) {
+ // should not be called by just anyone; do not increase access
+ private static <T> T run(PrivilegedAction<T> action) {
if (System.getSecurityManager() != null) {
return AccessController.doPrivileged(action);
} else {
@@ -91,7 +92,8 @@ public class PrivilegedActions {
* @param action - the action to run
* @return result of running the action
*/
- public static <T> T run(final PrivilegedExceptionAction<T> action) throws
PrivilegedActionException, Exception {
+ // should not be called by just anyone; do not increase access
+ private static <T> T run(final PrivilegedExceptionAction<T> action) throws
PrivilegedActionException, Exception {
if (System.getSecurityManager() != null) {
return AccessController.doPrivileged(action);
} else {
Modified:
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
---
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
(original)
+++
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/AnnotationConstraintBuilder.java
Fri Apr 6 15:47:04 2012
@@ -21,6 +21,7 @@ package org.apache.bval.jsr303;
import java.lang.annotation.Annotation;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collections;
@@ -40,7 +41,6 @@ import javax.validation.Payload;
import javax.validation.ReportAsSingleViolation;
import org.apache.bval.jsr303.groups.GroupsComputer;
-import org.apache.bval.jsr303.util.SecureActions;
import org.apache.bval.jsr303.xml.AnnotationProxyBuilder;
import org.apache.bval.util.AccessStrategy;
@@ -77,7 +77,7 @@ final class AnnotationConstraintBuilder<
/** build attributes, payload, groups from 'annotation' */
private void buildFromAnnotation() {
if (constraintValidation.getAnnotation() != null) {
- SecureActions.run(new PrivilegedAction<Object>() {
+ run(new PrivilegedAction<Object>() {
public Object run() {
for (Method method :
constraintValidation.getAnnotation().annotationType().getDeclaredMethods()) {
// groups + payload must also appear in attributes
(also
@@ -265,4 +265,12 @@ final class AnnotationConstraintBuilder<
((ConstraintValidation<Annotation>)
composite).setAnnotation(newAnnot);
}
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
Modified:
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
---
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
(original)
+++
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheFactoryContext.java
Fri Apr 6 15:47:04 2012
@@ -37,7 +37,6 @@ import org.apache.bval.MetaBeanFactory;
import org.apache.bval.MetaBeanFinder;
import org.apache.bval.MetaBeanManager;
import org.apache.bval.jsr303.util.SecureActions;
-import org.apache.bval.util.PrivilegedActions;
import org.apache.bval.xml.XMLMetaBeanBuilder;
import org.apache.bval.xml.XMLMetaBeanFactory;
import org.apache.bval.xml.XMLMetaBeanManager;
@@ -230,7 +229,7 @@ public class ApacheFactoryContext implem
}
private <F extends MetaBeanFactory> F createMetaBeanFactory(final Class<F>
cls) {
- return PrivilegedActions.run(new PrivilegedAction<F>() {
+ return run(new PrivilegedAction<F>() {
public F run() {
try {
@@ -296,4 +295,12 @@ public class ApacheFactoryContext implem
throw new ValidationException("Unable to load class: " +
className, ex);
}
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
Modified:
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
---
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
(original)
+++
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
Fri Apr 6 15:47:04 2012
@@ -28,6 +28,8 @@ import javax.validation.spi.BootstrapSta
import javax.validation.spi.ConfigurationState;
import javax.validation.spi.ValidationProvider;
import java.io.InputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.*;
import java.util.logging.Logger;
@@ -239,7 +241,7 @@ public class ConfigurationImpl implement
* @throws ValidationException if the ValidatorFactory cannot be built
*/
public ValidatorFactory buildValidatorFactory() {
- return
SecureActions.run(SecureActions.doPrivBuildValidatorFactory(this));
+ return run(SecureActions.doPrivBuildValidatorFactory(this));
}
public ValidatorFactory doPrivBuildValidatorFactory() {
@@ -328,4 +330,11 @@ public class ConfigurationImpl implement
this.providerClass = providerClass;
}
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
Modified:
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
---
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
(original)
+++
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintDefaults.java
Fri Apr 6 15:47:04 2012
@@ -18,12 +18,11 @@
*/
package org.apache.bval.jsr303;
-import org.apache.bval.jsr303.util.SecureActions;
-
import javax.validation.ConstraintValidator;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
+import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.*;
import java.util.logging.Level;
@@ -94,7 +93,7 @@ public class ConstraintDefaults {
final String eachClassName = tokens.nextToken();
Class<?> constraintValidatorClass =
- SecureActions.run(new PrivilegedAction<Class<?>>() {
+ run(new PrivilegedAction<Class<?>>() {
public Class<?> run() {
try {
return Class.forName(eachClassName, true,
classloader);
@@ -121,4 +120,12 @@ public class ConstraintDefaults {
if (classloader == null) classloader = getClass().getClassLoader();
return classloader;
}
+
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
Modified:
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
URL:
http://svn.apache.org/viewvc/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java?rev=1310408&r1=1310407&r2=1310408&view=diff
==============================================================================
---
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
(original)
+++
bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
Fri Apr 6 15:47:04 2012
@@ -25,6 +25,8 @@ import org.apache.bval.jsr303.Constraint
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Locale;
/**
@@ -57,9 +59,7 @@ public class ConstraintDefinitionValidat
* The annotation to check.
*/
private static void validAttributes(final Annotation annotation) {
- final Method[] methods = SecureActions.run(
- SecureActions.getDeclaredMethods(annotation.annotationType())
- );
+ final Method[] methods =
run(SecureActions.getDeclaredMethods(annotation.annotationType()));
for (Method method : methods ){
// Currently case insensitive, the spec is unclear about this
if
(method.getName().toLowerCase(Locale.ENGLISH).startsWith("valid")) {
@@ -69,4 +69,11 @@ public class ConstraintDefinitionValidat
}
}
+ private static <T> T run(PrivilegedAction<T> action) {
+ if (System.getSecurityManager() != null) {
+ return AccessController.doPrivileged(action);
+ } else {
+ return action.run();
+ }
+ }
}
