Return-Path: 
 <bval-commits-return-669-apmail-incubator-bval-commits-archive=incubator.apache.org@incubator.apache.org>
Delivered-To: apmail-incubator-bval-commits-archive@minotaur.apache.org
Received: (qmail 34211 invoked from network); 3 Dec 2010 21:07:26 -0000
Received: from unknown (HELO mail.apache.org) (140.211.11.3)
  by 140.211.11.9 with SMTP; 3 Dec 2010 21:07:26 -0000
Received: (qmail 4533 invoked by uid 500); 3 Dec 2010 21:07:26 -0000
Delivered-To: apmail-incubator-bval-commits-archive@incubator.apache.org
Received: (qmail 4495 invoked by uid 500); 3 Dec 2010 21:07:26 -0000
Mailing-List: contact bval-commits-help@incubator.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:bval-commits-help@incubator.apache.org>
List-Unsubscribe: <mailto:bval-commits-unsubscribe@incubator.apache.org>
List-Post: <mailto:bval-commits@incubator.apache.org>
List-Id: <bval-commits.incubator.apache.org>
Reply-To: bval-dev@incubator.apache.org
Delivered-To: mailing list bval-commits@incubator.apache.org
Received: (qmail 4488 invoked by uid 99); 3 Dec 2010 21:07:25 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Dec 2010 21:07:25 +0000
X-ASF-Spam-Status: No, hits=-2000.0 required=10.0
	tests=ALL_TRUSTED
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 03 Dec 2010 21:07:22 +0000
Received: by eris.apache.org (Postfix, from userid 65534)
	id 4EDAE2388A3B; Fri,  3 Dec 2010 21:05:50 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r1042001 - in /incubator/bval/trunk:
 bval-core/src/main/java/org/apache/bval/util/
 bval-jsr303/src/main/java/org/apache/bval/jsr303/resolver/
 bval-jsr303/src/main/java/org/apache/bval/jsr303/util/
Date: Fri, 03 Dec 2010 21:05:50 -0000
To: bval-commits@incubator.apache.org
From: jrbauer@apache.org
X-Mailer: svnmailer-1.0.8
Message-Id: <20101203210550.4EDAE2388A3B@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org

Author: jrbauer
Date: Fri Dec  3 21:05:49 2010
New Revision: 1042001

URL: http://svn.apache.org/viewvc?rev=1042001&view=rev
Log:
BVAL-87 Committing J2 security updates contributed by Albert Lee.  

Modified:
    incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
    incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/resolver/DefaultTraversableResolver.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ClassHelper.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java

Modified: incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java?rev=1042001&r1=1042000&r2=1042001&view=diff
==============================================================================
--- incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java (original)
+++ incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/FieldAccess.java Fri Dec  3 21:05:49 2010
@@ -32,10 +32,15 @@ public class FieldAccess extends AccessS
      * Create a new FieldAccess instance.
      * @param field
      */
-    public FieldAccess(Field field) {
+    public FieldAccess(final Field field) {
         this.field = field;
         if(!field.isAccessible()) {
-            field.setAccessible(true);
+            PrivilegedActions.run( new PrivilegedAction<Object>() {
+                public Object run() {
+                    field.setAccessible(true);
+                    return (Object) null;
+                }
+            });
         }
     }
 

Modified: incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java?rev=1042001&r1=1042000&r2=1042001&view=diff
==============================================================================
--- incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java (original)
+++ incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/MethodAccess.java Fri Dec  3 21:05:49 2010
@@ -43,11 +43,16 @@ public class MethodAccess extends Access
      * @param propertyName
      * @param method
      */
-    public MethodAccess(String propertyName, Method method) {
+    public MethodAccess(String propertyName, final Method method) {
         this.method = method;
         this.propertyName = propertyName;
         if (!method.isAccessible()) {
-            method.setAccessible(true);
+            PrivilegedActions.run( new PrivilegedAction<Object>() {
+                public Object run() {
+                    method.setAccessible(true);
+                    return (Object) null;
+                }
+            });
         }
     }
 

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/resolver/DefaultTraversableResolver.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/resolver/DefaultTraversableResolver.java?rev=1042001&r1=1042000&r2=1042001&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/resolver/DefaultTraversableResolver.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/resolver/DefaultTraversableResolver.java Fri Dec  3 21:05:49 2010
@@ -16,14 +16,16 @@
  */
 package org.apache.bval.jsr303.resolver;
 
-import org.apache.bval.jsr303.util.SecureActions;
-import org.apache.commons.lang.ClassUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import java.lang.annotation.ElementType;
 
 import javax.validation.Path;
 import javax.validation.TraversableResolver;
-import java.lang.annotation.ElementType;
+
+import org.apache.bval.jsr303.util.ClassHelper;
+import org.apache.bval.jsr303.util.SecureActions;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 
 /** @see javax.validation.TraversableResolver */
@@ -72,7 +74,7 @@ public class DefaultTraversableResolver 
     @SuppressWarnings("unchecked")
     private void initJpa() {
         try {
-            ClassUtils.getClass(PERSISTENCE_UTIL_CLASSNAME);
+            ClassHelper.getClass(PERSISTENCE_UTIL_CLASSNAME);
             log.debug("Found {} on classpath.", PERSISTENCE_UTIL_CLASSNAME);
         } catch (Exception e) {
             log.debug("Cannot find {} on classpath. All properties will per default be traversable.", PERSISTENCE_UTIL_CLASSNAME);
@@ -81,7 +83,7 @@ public class DefaultTraversableResolver 
 
         try {
             Class<? extends TraversableResolver> jpaAwareResolverClass =
-                  (Class<? extends TraversableResolver>) ClassUtils
+                  (Class<? extends TraversableResolver>) ClassHelper
                         .getClass(JPA_AWARE_TRAVERSABLE_RESOLVER_CLASSNAME);
             jpaTR = SecureActions.newInstance(jpaAwareResolverClass);
             log.debug("Instantiated an instance of {}.", JPA_AWARE_TRAVERSABLE_RESOLVER_CLASSNAME);

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ClassHelper.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ClassHelper.java?rev=1042001&r1=1042000&r2=1042001&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ClassHelper.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ClassHelper.java Fri Dec  3 21:05:49 2010
@@ -23,6 +23,8 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 
+import org.apache.commons.lang.ClassUtils;
+
 /**
  * Common operations on classes that do not require an {@link AccessController}.
  * 
@@ -58,4 +60,16 @@ public class ClassHelper {
         }
     }
 
+    /**
+     * Perform ClassUtils.getClass functions with Java 2 Security enabled.
+     */
+    public static Class<?> getClass(String className) throws ClassNotFoundException {
+        return getClass(className, true);
+    }
+
+    public static Class<?> getClass(String className, boolean initialize) throws ClassNotFoundException {
+        ClassLoader ctxtCldr = SecureActions.getContextClassLoader(Thread.currentThread());
+        ClassLoader loader = (ctxtCldr != null) ? ctxtCldr : SecureActions.getClassLoader(ClassHelper.class);
+        return ClassUtils.getClass(loader, className, initialize);
+    }
 }

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java?rev=1042001&r1=1042000&r2=1042001&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java Fri Dec  3 21:05:49 2010
@@ -213,6 +213,19 @@ public class SecureActions extends Privi
     }
 
     /**
+     * Get class loader of <code>class</code>.
+     * @param clazz
+     * @return {@link ClassLoader}
+     */
+    public static ClassLoader getContextClassLoader(final Class<?> clazz) {
+        return run(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run() {
+                return clazz.getClassLoader();
+            }
+        });
+    }
+
+    /**
      * Get the constructor of <code>clazz</code> matching <code>params</code>.
      * @param <T>
      * @param clazz