Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-10612

(7.1.z) HHH-10435 HHH-12542 HHH-12189 Hibernate requires special permission for creating classloader and loading integrators

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Rejected
    • Affects Version/s: 7.1.0.DR16, 7.2.0.GA.CR1
    • Fix Version/s: None
    • Component/s: Hibernate
    • Labels:
      None

      Description

      When running tests that use Hibernate native API with security manager we see

      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.lang.RuntimePermission" "createClassLoader")" in code source "(vfs:/content/hibernate4native_transactiontest.ear/beans.jar <no signer certificates>)" of "null")
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
      	at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
      	at org.wildfly.security.manager.WildFlySecurityManager.checkCreateClassLoader(WildFlySecurityManager.java:335)
      	at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274)
      	at java.lang.ClassLoader.<init>(ClassLoader.java:316)
      	at org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl$AggregatedClassLoader.<init>(ClassLoaderServiceImpl.java:164)
      	at org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl$AggregatedClassLoader.<init>(ClassLoaderServiceImpl.java:160)
      	at org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl.<init>(ClassLoaderServiceImpl.java:94)
      	at org.hibernate.boot.registry.BootstrapServiceRegistryBuilder.build(BootstrapServiceRegistryBuilder.java:207)
      	at org.hibernate.cfg.Configuration.<init>(Configuration.java:119)
      	at org.jboss.as.test.integration.hibernate.SFSBHibernateTransaction.setupConfig(SFSBHibernateTransaction.java:63)
      	... 200 more
      

      When we add that permission then we see

      Caused by: java.security.AccessControlException: WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/home/msimka/Projekty/redhat/git/wildfly/dist/target/wildfly-11.0.0.Beta1-SNAPSHOT/modules/system/layers/base/org/hibernate/main/hibernate-envers-5.1.5.Final.jar" "read")" in code source "(vfs:/content/hibernate4naturalid_test.ear/beans.jar <no signer certificates>)" of "ModuleClassLoader for Module "deployment.hibernate4naturalid_test.ear.beans.jar" from Service Module Loader")
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:278)
              at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
              at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
              at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:350)
              at java.util.zip.ZipFile.<init>(ZipFile.java:210)
              at java.util.zip.ZipFile.<init>(ZipFile.java:149)
              at java.util.jar.JarFile.<init>(JarFile.java:166)
              at java.util.jar.JarFile.<init>(JarFile.java:103)
              at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
              at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
              at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:84)
              at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
              at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
              at java.net.URL.openStream(URL.java:1045)
              at java.util.ServiceLoader.parse(ServiceLoader.java:304)
              at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
              at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
              at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
              at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
              at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
              at java.security.AccessController.doPrivileged(Native Method)
              at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
              at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
              at org.hibernate.boot.registry.classloading.internal.ClassLoaderServiceImpl.loadJavaServices(ClassLoaderServiceImpl.java:340)
              at org.hibernate.integrator.internal.IntegratorServiceImpl.<init>(IntegratorServiceImpl.java:40)
              at org.hibernate.boot.registry.BootstrapServiceRegistryBuilder.build(BootstrapServiceRegistryBuilder.java:213)
              at org.jboss.as.test.integration.hibernate.naturalid.SFSBHibernateSFNaturalId.setupConfig(SFSBHibernateSFNaturalId.java:57)
              ... 208 more
      

      Based on comment we should check whether Hibernate can do this in privileged block.

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  gbadner Gail Badner
                  Reporter:
                  simkam Martin Simka
                  Tester:
                  Jiří Bílek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  10 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: