DATACMNS-1151 - Define generated PropertyAccessor classes with the entity protection domain.

We now define generated PropertyAccessor classes using the entities' protection domain. Reusing the same protection domain preserves the same security and visibility rules as if the class was shipped within the source of the class loaded and prevents SecurityExceptions caused by signature certificate mismatch.

Previously we uses the protection domain of the PersistentEntity class implementation. This mismatch caused SecurityExceptions if the JAR file of the PersistentEntity was signed but not the JAR file where the domain class resides.

Original pull request: #240.
This commit is contained in:
Mark Paluch
2017-09-05 08:50:35 +02:00
committed by Oliver Gierke
parent 2bfd278861
commit e8fad19bc0

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2016 the original author or authors.
* Copyright 2016-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -1469,15 +1469,15 @@ public class ClassGeneratingPropertyAccessorFactory implements PersistentPropert
*/
Class<?> defineClass(String name, byte[] bytes, int offset, int len, PersistentEntity<?, ?> persistentEntity) {
ClassLoader classLoader = persistentEntity.getType().getClassLoader();
Class<?> entityType = persistentEntity.getType();
ClassLoader classLoader = entityType.getClassLoader();
try {
Method defineClass = getClassLoaderMethod(persistentEntity);
defineClass.setAccessible(true);
return (Class<?>) defineClass.invoke(classLoader, name, bytes, offset, len,
persistentEntity.getClass().getProtectionDomain());
return (Class<?>) defineClass.invoke(classLoader, name, bytes, offset, len, entityType.getProtectionDomain());
} catch (ReflectiveOperationException e) {
throw new IllegalStateException(e);