incubator-bval-commits mailing list archives

From romanst...@apache.org
Subject svn commit: r1161648 [1/2] - in /incubator/bval/trunk: ./ bval-core/src/main/java/org/apache/bval/util/ bval-jsr303/src/main/java/org/apache/bval/constraints/ bval-jsr303/src/main/java/org/apache/bval/jsr303/ bval-jsr303/src/main/java/org/apache/bval/j...
Date Thu, 25 Aug 2011 17:14:18 GMT
Author: romanstumm
Date: Thu Aug 25 17:14:15 2011
New Revision: 1161648

URL: http://svn.apache.org/viewvc?rev=1161648&view=rev
Log:
BVAL-92 applied patch "apache-bval-20110327231539-jw.diff" from Jörg Waßmer to fix Security holes in org.apache.bval.util.PrivilegedActions. Removed all deprecated and unused methods by changing the source code that still used deprecated methods.

Also upgraded the apache-rat-plugin.
Needed to enter a version for findbugs-maven-plugin, because I couldn't build with maven without it.

Modified:
    incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/Email.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmpty.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmptyValidator.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidationProvider.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidatorFactory.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/BeanDescriptorImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ClassValidator.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintFinderImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultConstraintValidatorFactory.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultValidationProviderResolver.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ElementDescriptorImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/PropertyDescriptorImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ConstructorDescriptorImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodBeanDescriptorImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodDescriptorImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ProcedureDescriptor.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/groups/Group.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/resolver/DefaultTraversableResolver.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ClassHelper.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/ConstraintDefinitionValidator.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/NodeBuilderCustomizableContextImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/NodeBuilderDefinedContextImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/NodeContextBuilderImpl.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/util/SecureActions.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/xml/AnnotationProxy.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/xml/AnnotationProxyBuilder.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/xml/MetaConstraint.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/xml/ValidationMappingParser.java
    incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/xml/ValidationParser.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/constraints/DigitsValidatorTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/constraints/EmailValidatorTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/constraints/FrenchZipCode.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/constraints/HasValue.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/constraints/ZipCodeCityCoherence.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/constraints/ZipCodeCityCoherenceValidator.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/BeanDescriptorTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/CustomValidatorFactoryTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/FooTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/PayloadTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/ValidatorResolutionTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/example/AccessTestBusinessObject.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/example/Address.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/example/Author.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/example/Book.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/example/Customer.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/example/RecursiveFoo.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/DefaultGroupSequenceTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/GroupSequenceTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/GroupValidationTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/GroupsComputerTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/implicit/ImplicitGroupingTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/inheritance/BillableUser.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/inheritance/BuyInOneClick.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/inheritance/GroupInheritanceTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/redefining/Address.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/groups/redefining/RedefiningDefaultGroupTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/util/EnumerationConverterTestCase.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/util/PathImplTest.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/util/TestUtils.java
    incubator/bval/trunk/bval-jsr303/src/test/java/org/apache/bval/jsr303/xml/ValidationParserTest.java
    incubator/bval/trunk/pom.xml

Modified: incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java (original)
+++ incubator/bval/trunk/bval-core/src/main/java/org/apache/bval/util/PrivilegedActions.java Thu Aug 25 17:14:15 2011
@@ -17,7 +17,6 @@
 package org.apache.bval.util;
 
 import java.lang.annotation.Annotation;
-import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.security.AccessController;
@@ -36,6 +35,7 @@ public class PrivilegedActions {
      * Requires security policy: 
      *   'permission java.util.PropertyPermission "read";'
      */
+    @Deprecated // unused method - will remove in future release
     public static final String getLineSeparator() {
         if (lineSeparator == null) {
             lineSeparator =
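Review bot: `@Deprecated // unused method - will remove in future release` on `getLineSeparator` keeps the deprecation reason in a line comment, which generated Javadoc and IDE hovers do not show; the same line is added to `getPathSeparator` in the next hunk. Add a Javadoc tag to each existing comment block instead, e.g. `@deprecated unused; will be removed in a future release`. Both method bodies continue outside their hunks.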
@@ -54,6 +54,7 @@ public class PrivilegedActions {
      * Requires security policy:
      *   'permission java.util.PropertyPermission "read";'
      */
+    @Deprecated // unused method - will remove in future release
     public static final String getPathSeparator() {
         if (pathSeparator == null) {
             pathSeparator =
@@ -67,88 +68,6 @@ public class PrivilegedActions {
     }
 
     /**
-     * Create a new instance of a specified class.
-     *
-     * @param cls - the class (no interface, non-abstract, has accessible default no-arg-constructor)
-     * @return a new instance
-     * @throws IllegalArgumentException on any error to wrap target exceptions.
-     */
-    public static <T> T newInstance(final Class<T> cls) {
-        return newInstance(cls, IllegalArgumentException.class);
-    }
-
-    /**
-     * Create a new instance of a specified class.
-     *
-     * @param <T>
-     * @param <E>
-     * @param cls - the class (no interface, non-abstract, has accessible matching constructor)
-     * @param exception type to rethrow
-     * @param paramTypes
-     * @param values
-     * @return a new instance
-     * @throws E
-     */
-    public static <T, E extends RuntimeException> T newInstance(final Class<T> cls,
-                                                                final Class<E> exception,
-                                                                final Class<?>[] paramTypes,
-                                                                final Object[] values) {
-        return run(new PrivilegedAction<T>() {
-            public T run() {
-                try {
-                    Constructor<T> cons = cls.getConstructor(paramTypes);
-                    if (!cons.isAccessible()) {
-                        cons.setAccessible(true);
-                    }
-                    return cons.newInstance(values);
-                } catch (Exception e) {
-                    throw newException("Cannot instantiate : " + cls, exception, e);
-                }
-            }
-        });
-    }
-
-    /**
-     * Create a new instance of the class using the default no-arg constructor.
-     * perform newInstance() call with AccessController.doPrivileged() if possible.
-     *
-     * @param cls       - the type to create a new instance from
-     * @param exception - type of exception to throw when newInstance() call fails
-     * @return the new instance of 'cls'
-     */
-    public static <T, E extends RuntimeException> T newInstance(final Class<T> cls,
-                                                                final Class<E> exception) {
-        return run(new PrivilegedAction<T>() {
-            public T run() {
-                try {
-                    return cls.newInstance();
-                } catch (Exception e) {
-                    throw newException("Cannot instantiate : " + cls, exception, e);
-                }
-            }
-
-
-        });
-    }
-
-    private static <E extends RuntimeException> RuntimeException newException(String msg,
-                                                                              final Class<E> exception,
-                                                                              Throwable e) {
-        try {
-            Constructor<E> co = exception.getConstructor(String.class, Throwable.class);
-            try {
-                return co.newInstance(msg, e);
-            } catch (Exception e1) {
-                //noinspection ThrowableInstanceNeverThrown
-                return new RuntimeException(msg, e); // fallback
-            }
-        } catch (NoSuchMethodException e1) {
-            //noinspection ThrowableInstanceNeverThrown
-            return new RuntimeException(msg, e); // fallback
-        }
-    }
-
-    /**
      * Perform action with AccessController.doPrivileged() if possible.
      *
      * @param action - the action to run
@@ -174,7 +93,7 @@ public class PrivilegedActions {
      */
     public static Object getAnnotationValue(final Annotation annotation, final String name)
           throws IllegalAccessException, InvocationTargetException {
-        return run(new PrivilegedAction<Object>() {
+        return doPrivileged(new PrivilegedAction<Object>() {
             public Object run() {
                 Method valueMethod;
                 try {
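Review bot: Routing through the private `doPrivileged` helper does not narrow who can trigger the privileged work, because `getAnnotationValue` here and `getClassLoader` in the next hunk both remain `public static`. In `getClassLoader` the visible body reads `Thread.currentThread().getContextClassLoader()` inside the privileged block, so a caller that does not hold `RuntimePermission("getClassLoader")` can still obtain that loader through this class. Both bodies continue outside their hunks, so the rest of the logic is not visible. If these entry points must stay public for the bval-jsr303 module, state the contract in each Javadoc, for example `Callers must not hand the result to code that lacks the corresponding permission.`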
@@ -205,7 +124,7 @@ public class PrivilegedActions {
      * @return Classloader
      */
     public static ClassLoader getClassLoader(final Class<?> clazz) {
-        return run(new PrivilegedAction<ClassLoader>() {
+        return doPrivileged(new PrivilegedAction<ClassLoader>() {
             public ClassLoader run() {
                 ClassLoader cl = Thread.currentThread().getContextClassLoader();
                 if (cl == null) {
@@ -232,5 +151,21 @@ public class PrivilegedActions {
         });
     }
 
+
+
+    /**
+     * Perform action with AccessController.doPrivileged() if possible.
+     *
+     * @param action - the action to run
+     * @return result of running the action
+     */
+    private static <T> T doPrivileged(final PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
+
 }
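Review bot: The Javadoc on the new private `doPrivileged` is a word-for-word copy of the comment that the removal hunk above leaves in place as context, which suggests the older `run` helper with the same contract is still in the class. Its signature is not visible in this diff; if it is still public and has no remaining callers, it should be removed in the same change, otherwise the class keeps two helpers that do the same thing. The new Javadoc should also record why this one is private, e.g. `Kept private: only actions defined in this class may run with BVal's permissions.`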
 

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/Email.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/Email.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/Email.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/Email.java Thu Aug 25 17:14:15 2011
@@ -21,11 +21,12 @@ package org.apache.bval.constraints;
 import javax.validation.Constraint;
 import javax.validation.Payload;
 import java.lang.annotation.Documented;
-import static java.lang.annotation.ElementType.*;
 import java.lang.annotation.Retention;
-import static java.lang.annotation.RetentionPolicy.RUNTIME;
 import java.lang.annotation.Target;
 
+import static java.lang.annotation.ElementType.*;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
 /**
  * <p>
  * --

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmpty.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmpty.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmpty.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmpty.java Thu Aug 25 17:14:15 2011
@@ -21,11 +21,12 @@ package org.apache.bval.constraints;
 import javax.validation.Constraint;
 import javax.validation.Payload;
 import java.lang.annotation.Documented;
-import static java.lang.annotation.ElementType.*;
 import java.lang.annotation.Retention;
-import static java.lang.annotation.RetentionPolicy.RUNTIME;
 import java.lang.annotation.Target;
 
+import static java.lang.annotation.ElementType.*;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
 /**
  * <pre>
  * This class is NOT part of the bean_validation spec and might disappear

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmptyValidator.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmptyValidator.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmptyValidator.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/constraints/NotEmptyValidator.java Thu Aug 25 17:14:15 2011
@@ -21,8 +21,8 @@ package org.apache.bval.constraints;
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
 import java.lang.reflect.Array;
-import java.lang.reflect.Method;
 import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 
 /**
  * Description:  Check the non emptyness of an

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidationProvider.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidationProvider.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidationProvider.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidationProvider.java Thu Aug 25 17:14:15 2011
@@ -18,15 +18,16 @@
  */
 package org.apache.bval.jsr303;
 
+import org.apache.commons.lang.ClassUtils;
+
 import javax.validation.Configuration;
 import javax.validation.ValidationException;
 import javax.validation.ValidatorFactory;
 import javax.validation.spi.BootstrapState;
 import javax.validation.spi.ConfigurationState;
 import javax.validation.spi.ValidationProvider;
-
-import org.apache.bval.jsr303.util.SecureActions;
-import org.apache.commons.lang.ClassUtils;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 /**
  * Description: Implementation of {@link ValidationProvider} for jsr303
@@ -39,8 +40,6 @@ import org.apache.commons.lang.ClassUtil
  */
 public class ApacheValidationProvider implements ValidationProvider<ApacheValidatorConfiguration> {
 
-    private static final Class<?>[] VALIDATOR_FACTORY_CONSTRUCTOR_ARGS = new Class[] { ConfigurationState.class };
-
     /**
      * Learn whether a particular builder class is suitable for this
      * {@link ValidationProvider}.
@@ -72,20 +71,59 @@ public class ApacheValidationProvider im
      * @throws javax.validation.ValidationException
      *             if the ValidatorFactory cannot be built
      */
-    public ValidatorFactory buildValidatorFactory(ConfigurationState configuration) {
+    @SuppressWarnings("unchecked")
+    public ValidatorFactory buildValidatorFactory(final ConfigurationState configuration) {
+        final Class<? extends ValidatorFactory> validatorFactoryClass;
         try {
             String validatorFactoryClassname =
                 configuration.getProperties().get(ApacheValidatorConfiguration.Properties.VALIDATOR_FACTORY_CLASSNAME);
-            @SuppressWarnings("unchecked")
-            final Class<? extends ValidatorFactory> validatorFactoryClass =
-                validatorFactoryClassname == null ? ApacheValidatorFactory.class
-                    : (Class<? extends ValidatorFactory>) ClassUtils.getClass(validatorFactoryClassname);
-            return SecureActions.newInstance(validatorFactoryClass, VALIDATOR_FACTORY_CONSTRUCTOR_ARGS,
-                new Object[] { configuration });
+
+            if (validatorFactoryClassname == null)
+                validatorFactoryClass = ApacheValidatorFactory.class;
+            else
+            {
+                validatorFactoryClass
+                  = (Class<? extends ValidatorFactory>) ClassUtils.getClass(validatorFactoryClassname);
+                validatorFactoryClass.asSubclass(ValidatorFactory.class);
+            }
         } catch (ValidationException ex) {
             throw ex;
         } catch (Exception ex) {
             throw new ValidationException("error building ValidatorFactory", ex);
         }
+
+        // FIXME 2011-03-27 jw:
+        // Should not use privileged action, but to avoid breaking things
+        // doing it here like the former version of this class did.
+        //
+        // The privileged action should be applied by the ValidatorFactory
+        // itself, if required.
+        // No privileges should be required to access the constructor,
+        // because the classloader of ApacheValidationProvider will always
+        // be an ancestor of the loader of validatorFactoryClass.
+        return (System.getSecurityManager() == null)
+            ? instantiateValidatorFactory(validatorFactoryClass, configuration)
+            : AccessController.doPrivileged(new PrivilegedAction<ValidatorFactory>() {
+                  public ValidatorFactory run() {
+                      return instantiateValidatorFactory(validatorFactoryClass, configuration);
+                  }
+              });
+    }
+
+
+
+    private static ValidatorFactory instantiateValidatorFactory(
+        final Class<? extends ValidatorFactory> validatorFactoryClass,
+        final ConfigurationState                configuration
+    ) {
+      try
+      {
+          return validatorFactoryClass.getConstructor(ConfigurationState.class).newInstance(configuration);
+      }
+      catch (final Exception ex)
+      {
+          throw new ValidationException("Cannot instantiate : " + validatorFactoryClass, ex);
+      }
     }
+
 }
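Review bot: In `buildValidatorFactory` the class named by the `VALIDATOR_FACTORY_CLASSNAME` property is resolved with `ClassUtils.getClass(validatorFactoryClassname)` before `asSubclass(ValidatorFactory.class)` runs. The subtype check therefore only happens after the class has been loaded and, as far as I know, initialised by the one-argument overload. If the commons-lang version in use provides the two-argument form, `ClassUtils.getClass(validatorFactoryClassname, false)` would defer static initialisation until the check has passed. The discarded `asSubclass` result also reads like dead code, so a comment such as `// type check only: throws ClassCastException for a non-ValidatorFactory class` would help the next maintainer keep it.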

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidatorFactory.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidatorFactory.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidatorFactory.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ApacheValidatorFactory.java Thu Aug 25 17:14:15 2011
@@ -18,31 +18,21 @@
  */
 package org.apache.bval.jsr303;
 
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Modifier;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import javax.validation.ConstraintValidatorFactory;
-import javax.validation.MessageInterpolator;
-import javax.validation.TraversableResolver;
-import javax.validation.Validation;
-import javax.validation.ValidationException;
-import javax.validation.Validator;
-import javax.validation.ValidatorFactory;
-import javax.validation.bootstrap.ProviderSpecificBootstrap;
-import javax.validation.spi.ConfigurationState;
-
-import org.apache.bval.jsr303.util.SecureActions;
 import org.apache.bval.jsr303.xml.AnnotationIgnores;
 import org.apache.bval.jsr303.xml.MetaConstraint;
 import org.apache.bval.jsr303.xml.ValidationMappingParser;
 import org.apache.bval.util.AccessStrategy;
 import org.apache.commons.lang.ClassUtils;
 
+import javax.validation.*;
+import javax.validation.bootstrap.ProviderSpecificBootstrap;
+import javax.validation.spi.ConfigurationState;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.*;
+
 /**
  * Description: a factory is a complete configurated object that can create
  * validators.<br/>
@@ -51,14 +41,16 @@ import org.apache.commons.lang.ClassUtil
 public class ApacheValidatorFactory implements ValidatorFactory, Cloneable {
     private static volatile ApacheValidatorFactory DEFAULT_FACTORY;
     private static final ConstraintDefaults defaultConstraints =
-        new ConstraintDefaults();
+            new ConstraintDefaults();
 
     private MessageInterpolator messageResolver;
     private TraversableResolver traversableResolver;
     private ConstraintValidatorFactory constraintValidatorFactory;
     private final Map<String, String> properties;
 
-    /** information from xml parsing */
+    /**
+     * information from xml parsing
+     */
     private final AnnotationIgnores annotationIgnores = new AnnotationIgnores();
     private final ConstraintCached constraintsCache = new ConstraintCached();
     private final Map<Class<?>, Class<?>[]> defaultSequences;
@@ -70,23 +62,23 @@ public class ApacheValidatorFactory impl
 
     /**
      * Convenience method to retrieve a default global ApacheValidatorFactory
-     * 
+     *
      * @return {@link ApacheValidatorFactory}
      */
     public static synchronized ApacheValidatorFactory getDefault() {
         if (DEFAULT_FACTORY == null) {
             ProviderSpecificBootstrap<ApacheValidatorConfiguration> provider =
-                Validation.byProvider(ApacheValidationProvider.class);
+                    Validation.byProvider(ApacheValidationProvider.class);
             ApacheValidatorConfiguration configuration = provider.configure();
             DEFAULT_FACTORY =
-                (ApacheValidatorFactory) configuration.buildValidatorFactory();
+                    (ApacheValidatorFactory) configuration.buildValidatorFactory();
         }
         return DEFAULT_FACTORY;
     }
 
     /**
      * Set a particular {@link ApacheValidatorFactory} instance as the default.
-     * 
+     *
      * @param aDefaultFactory
      */
     public static void setDefault(ApacheValidatorFactory aDefaultFactory) {
@@ -101,14 +93,14 @@ public class ApacheValidatorFactory impl
         defaultSequences = new HashMap<Class<?>, Class<?>[]>();
         validAccesses = new HashMap<Class<?>, List<AccessStrategy>>();
         constraintMap =
-            new HashMap<Class<?>, List<MetaConstraint<?, ? extends Annotation>>>();
+                new HashMap<Class<?>, List<MetaConstraint<?, ? extends Annotation>>>();
         configure(configurationState);
     }
 
     /**
      * Configure this {@link ApacheValidatorFactory} from a
      * {@link ConfigurationState}.
-     * 
+     *
      * @param configuration
      */
     protected void configure(ConfigurationState configuration) {
@@ -116,14 +108,14 @@ public class ApacheValidatorFactory impl
         setMessageInterpolator(configuration.getMessageInterpolator());
         setTraversableResolver(configuration.getTraversableResolver());
         setConstraintValidatorFactory(configuration
-            .getConstraintValidatorFactory());
+                .getConstraintValidatorFactory());
         ValidationMappingParser parser = new ValidationMappingParser(this);
         parser.processMappingConfig(configuration.getMappingStreams());
     }
 
     /**
      * Get the property map of this {@link ApacheValidatorFactory}.
-     * 
+     *
      * @return Map<String, String>
      */
     public Map<String, String> getProperties() {
@@ -133,7 +125,7 @@ public class ApacheValidatorFactory impl
     /**
      * Get the default {@link MessageInterpolator} used by this
      * {@link ApacheValidatorFactory}.
-     * 
+     *
      * @return {@link MessageInterpolator}
      */
     protected MessageInterpolator getDefaultMessageInterpolator() {
@@ -143,7 +135,7 @@ public class ApacheValidatorFactory impl
     /**
      * Shortcut method to create a new Validator instance with factory's
      * settings
-     * 
+     *
      * @return the new validator instance
      */
     public Validator getValidator() {
@@ -152,7 +144,7 @@ public class ApacheValidatorFactory impl
 
     /**
      * {@inheritDoc}
-     * 
+     *
      * @return the validator factory's context
      */
     public ApacheFactoryContext usingContext() {
@@ -173,7 +165,7 @@ public class ApacheValidatorFactory impl
 
     /**
      * Set the {@link MessageInterpolator} used.
-     * 
+     *
      * @param messageResolver
      */
     public final void setMessageInterpolator(MessageInterpolator messageResolver) {
@@ -185,16 +177,16 @@ public class ApacheValidatorFactory impl
      */
     public MessageInterpolator getMessageInterpolator() {
         return ((messageResolver != null) ? messageResolver
-            : getDefaultMessageInterpolator());
+                : getDefaultMessageInterpolator());
     }
 
     /**
      * Set the {@link TraversableResolver} used.
-     * 
+     *
      * @param traversableResolver
      */
     public final void setTraversableResolver(
-        TraversableResolver traversableResolver) {
+            TraversableResolver traversableResolver) {
         this.traversableResolver = traversableResolver;
     }
 
@@ -207,11 +199,11 @@ public class ApacheValidatorFactory impl
 
     /**
      * Set the {@link ConstraintValidatorFactory} used.
-     * 
+     *
      * @param constraintValidatorFactory
      */
     public final void setConstraintValidatorFactory(
-        ConstraintValidatorFactory constraintValidatorFactory) {
+            ConstraintValidatorFactory constraintValidatorFactory) {
         this.constraintValidatorFactory = constraintValidatorFactory;
     }
 
@@ -226,39 +218,52 @@ public class ApacheValidatorFactory impl
      * Return an object of the specified type to allow access to the
      * provider-specific API. If the Bean Validation provider implementation
      * does not support the specified class, the ValidationException is thrown.
-     * 
-     * @param type
-     *            the class of the object to be returned.
+     *
+     * @param type the class of the object to be returned.
      * @return an instance of the specified class
-     * @throws ValidationException
-     *             if the provider does not support the call.
+     * @throws ValidationException if the provider does not support the call.
      */
-    public <T> T unwrap(Class<T> type) {
+    public <T> T unwrap(final Class<T> type) {
+        // FIXME 2011-03-27 jw:
+        // This code is unsecure.
+        // It should allow only a fixed set of classes.
+        // Can't fix this because don't know which classes this method should support.
+
         if (type.isInstance(this)) {
-            @SuppressWarnings("unchecked")
-            final T result = (T) this;
-            return result;
+            //noinspection unchecked
+            return (T) this;
         } else if (!(type.isInterface() || Modifier.isAbstract(type
-            .getModifiers()))) {
-            return SecureActions.newInstance(type);
+                .getModifiers()))) {
+            return newInstance(type);
         } else {
             try {
                 Class<?> cls = ClassUtils.getClass(type.getName() + "Impl");
                 if (type.isAssignableFrom(cls)) {
-                    @SuppressWarnings("unchecked")
-                    final Class<? extends T> implClass =
-                        (Class<? extends T>) cls;
-                    return SecureActions.newInstance(implClass);
+                    //noinspection unchecked
+                    return (T) newInstance(cls);
                 }
             } catch (ClassNotFoundException e) {
+                // do nothing
             }
             throw new ValidationException("Type " + type + " not supported");
         }
     }
 
+    private <T> T newInstance(final Class<T> cls) {
+        return AccessController.doPrivileged(new PrivilegedAction<T>() {
+            public T run() {
+                try {
+                    return cls.newInstance();
+                } catch (final Exception ex) {
+                    throw new ValidationException("Cannot instantiate : " + cls, ex);
+                }
+            }
+        });
+    }
+
     /**
      * Get the detected {@link ConstraintDefaults}.
-     * 
+     *
      * @return ConstraintDefaults
      */
     public ConstraintDefaults getDefaultConstraints() {
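Review bot: The new private `newInstance` calls `AccessController.doPrivileged` unconditionally and instantiates whatever class the caller of the public `unwrap` supplied, so the access checks behind `cls.newInstance()` are evaluated against BVal's permissions rather than the caller's. The FIXME names an allow-list as the eventual fix; until one exists, calling `cls.newInstance()` directly, without the privileged block, would keep those checks tied to the caller. Whether any existing caller relies on the privileged behaviour is not visible here. Unlike `buildValidatorFactory` in ApacheValidationProvider, this helper also skips the `System.getSecurityManager() == null` shortcut. Separately, `//noinspection unchecked` only silences the IDE, so javac will again report the unchecked casts that the removed `@SuppressWarnings("unchecked")` locals covered.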
@@ -267,7 +272,7 @@ public class ApacheValidatorFactory impl
 
     /**
      * Get the detected {@link AnnotationIgnores}.
-     * 
+     *
      * @return AnnotationIgnores
      */
     public AnnotationIgnores getAnnotationIgnores() {
@@ -276,7 +281,7 @@ public class ApacheValidatorFactory impl
 
     /**
      * Get the constraint cache used.
-     * 
+     *
      * @return {@link ConstraintCached}
      */
     public ConstraintCached getConstraintsCache() {
@@ -286,19 +291,19 @@ public class ApacheValidatorFactory impl
     /**
      * Add a meta-constraint to this {@link ApacheValidatorFactory}'s runtime
      * customizations.
-     * 
+     *
      * @param beanClass
      * @param metaConstraint
      */
     public void addMetaConstraint(Class<?> beanClass,
-        MetaConstraint<?, ?> metaConstraint) {
+                                  MetaConstraint<?, ?> metaConstraint) {
         List<MetaConstraint<?, ? extends Annotation>> slot =
-            constraintMap.get(beanClass);
+                constraintMap.get(beanClass);
         if (slot != null) {
             slot.add(metaConstraint);
         } else {
             List<MetaConstraint<?, ? extends Annotation>> constraintList =
-                new ArrayList<MetaConstraint<?, ? extends Annotation>>();
+                    new ArrayList<MetaConstraint<?, ? extends Annotation>>();
             constraintList.add(metaConstraint);
             constraintMap.put(beanClass, constraintList);
         }
@@ -306,10 +311,9 @@ public class ApacheValidatorFactory impl
 
     /**
      * Mark a property of <code>beanClass</code> for nested validation.
-     * 
+     *
      * @param beanClass
-     * @param accessStrategy
-     *            defining the property to validate
+     * @param accessStrategy defining the property to validate
      */
     public void addValid(Class<?> beanClass, AccessStrategy accessStrategy) {
         List<AccessStrategy> slot = validAccesses.get(beanClass);
@@ -324,7 +328,7 @@ public class ApacheValidatorFactory impl
 
     /**
      * Set the default group sequence for a particular bean class.
-     * 
+     *
      * @param beanClass
      * @param groupSequence
      */
@@ -334,7 +338,7 @@ public class ApacheValidatorFactory impl
 
     /**
      * Retrieve the runtime constraint configuration for a given class.
-     * 
+     *
      * @param <T>
      * @param beanClass
      * @return List of {@link MetaConstraint}s applicable to
@@ -342,9 +346,9 @@ public class ApacheValidatorFactory impl
      */
     @SuppressWarnings("unchecked")
     public <T> List<MetaConstraint<T, ? extends Annotation>> getMetaConstraints(
-        Class<T> beanClass) {
+            Class<T> beanClass) {
         List<MetaConstraint<?, ? extends Annotation>> slot =
-            constraintMap.get(beanClass);
+                constraintMap.get(beanClass);
         if (slot != null) {
             // noinspection RedundantCast
             return (List) slot;
@@ -357,7 +361,7 @@ public class ApacheValidatorFactory impl
      * Get the {@link AccessStrategy} {@link List} indicating nested bean
      * validations that must be triggered in the course of validating a
      * <code>beanClass</code> graph.
-     * 
+     *
      * @param beanClass
      * @return {@link List} of {@link AccessStrategy}
      */
@@ -366,13 +370,13 @@ public class ApacheValidatorFactory impl
         if (slot != null) {
             return slot;
         } else {
-            return Collections.<AccessStrategy> emptyList();
+            return Collections.<AccessStrategy>emptyList();
         }
     }
 
     /**
      * Get the default group sequence configured for <code>beanClass</code>.
-     * 
+     *
      * @param beanClass
      * @return group Class array
      */

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/BeanDescriptorImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/BeanDescriptorImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/BeanDescriptorImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/BeanDescriptorImpl.java Thu Aug 25 17:14:15 2011
@@ -24,7 +24,6 @@ import org.apache.bval.model.MetaPropert
 
 import javax.validation.metadata.BeanDescriptor;
 import javax.validation.metadata.PropertyDescriptor;
-
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ClassValidator.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ClassValidator.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ClassValidator.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ClassValidator.java Thu Aug 25 17:14:15 2011
@@ -25,7 +25,6 @@ import org.apache.bval.jsr303.groups.Gro
 import org.apache.bval.jsr303.util.ClassHelper;
 import org.apache.bval.jsr303.util.NodeImpl;
 import org.apache.bval.jsr303.util.PathImpl;
-import org.apache.bval.jsr303.util.SecureActions;
 import org.apache.bval.model.Features;
 import org.apache.bval.model.MetaBean;
 import org.apache.bval.model.MetaProperty;
@@ -38,7 +37,10 @@ import javax.validation.ValidationExcept
 import javax.validation.Validator;
 import javax.validation.groups.Default;
 import javax.validation.metadata.BeanDescriptor;
+import java.lang.reflect.Constructor;
 import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@@ -48,11 +50,11 @@ import java.util.Set;
 /**
  * Objects of this class are able to validate bean instances (and the associated
  * object graphs).
- * <p>
+ * <p/>
  * Implementation is thread-safe.
- * <p>
+ * <p/>
  * API class
- * 
+ *
  * @author Roman Stumm
  * @author Carlos Vara <br/>
  */
@@ -68,7 +70,7 @@ public class ClassValidator implements V
 
     /**
      * Create a new ClassValidator instance.
-     * 
+     *
      * @param factoryContext
      */
     public ClassValidator(ApacheFactoryContext factoryContext) {
@@ -77,7 +79,7 @@ public class ClassValidator implements V
 
     /**
      * Create a new ClassValidator instance.
-     * 
+     *
      * @param factory
      * @deprecated provided for backward compatibility
      */
@@ -87,7 +89,7 @@ public class ClassValidator implements V
 
     /**
      * Get the metabean finder associated with this validator.
-     * 
+     *
      * @return a MetaBeanFinder
      * @see org.apache.bval.MetaBeanManagerFactory#getFinder()
      */
@@ -100,25 +102,19 @@ public class ClassValidator implements V
 
     /**
      * {@inheritDoc} Validates all constraints on <code>object</code>.
-     * 
-     * @param object
-     *            object to validate
-     * @param groups
-     *            group or list of groups targeted for validation (default to
-     *            {@link javax.validation.groups.Default})
-     * 
+     *
+     * @param object object to validate
+     * @param groups group or list of groups targeted for validation (default to
+     *               {@link javax.validation.groups.Default})
      * @return constraint violations or an empty Set if none
-     * 
-     * @throws IllegalArgumentException
-     *             if object is null or if null is passed to the varargs groups
-     * @throws ValidationException
-     *             if a non recoverable error happens during the validation
-     *             process
+     * @throws IllegalArgumentException if object is null or if null is passed to the varargs groups
+     * @throws ValidationException      if a non recoverable error happens during the validation
+     *                                  process
      */
     // @Override - not allowed in 1.5 for Interface methods
     @SuppressWarnings("unchecked")
     public <T> Set<ConstraintViolation<T>> validate(T object,
-        Class<?>... groups) {
+                                                    Class<?>... groups) {
         if (object == null)
             throw new IllegalArgumentException("cannot validate null");
         checkGroups(groups);
@@ -127,12 +123,12 @@ public class ClassValidator implements V
 
             Class<T> objectClass = (Class<T>) object.getClass();
             MetaBean objectMetaBean =
-                factoryContext.getMetaBeanFinder().findForClass(objectClass);
+                    factoryContext.getMetaBeanFinder().findForClass(objectClass);
 
             final GroupValidationContext<T> context =
-                createContext(objectMetaBean, object, objectClass, groups);
+                    createContext(objectMetaBean, object, objectClass, groups);
             final ConstraintValidationListener<T> result =
-                context.getListener();
+                    context.getListener();
             final Groups sequence = context.getGroups();
 
             // 1. process groups
@@ -165,30 +161,23 @@ public class ClassValidator implements V
     /**
      * {@inheritDoc} Validates all constraints placed on the property of
      * <code>object</code> named <code>propertyName</code>.
-     * 
-     * @param object
-     *            object to validate
-     * @param propertyName
-     *            property to validate (ie field and getter constraints). Nested
-     *            properties may be referenced (e.g. prop[2].subpropA.subpropB)
-     * @param groups
-     *            group or list of groups targeted for validation (default to
-     *            {@link javax.validation.groups.Default})
-     * 
+     *
+     * @param object       object to validate
+     * @param propertyName property to validate (ie field and getter constraints). Nested
+     *                     properties may be referenced (e.g. prop[2].subpropA.subpropB)
+     * @param groups       group or list of groups targeted for validation (default to
+     *                     {@link javax.validation.groups.Default})
      * @return constraint violations or an empty Set if none
-     * 
-     * @throws IllegalArgumentException
-     *             if <code>object</code> is null, if <code>propertyName</code>
-     *             null, empty or not a valid object property or if null is
-     *             passed to the varargs groups
-     * @throws ValidationException
-     *             if a non recoverable error happens during the validation
-     *             process
+     * @throws IllegalArgumentException if <code>object</code> is null, if <code>propertyName</code>
+     *                                  null, empty or not a valid object property or if null is
+     *                                  passed to the varargs groups
+     * @throws ValidationException      if a non recoverable error happens during the validation
+     *                                  process
      */
     // @Override - not allowed in 1.5 for Interface methods
     @SuppressWarnings("unchecked")
     public <T> Set<ConstraintViolation<T>> validateProperty(T object,
-        String propertyName, Class<?>... groups) {
+                                                            String propertyName, Class<?>... groups) {
         if (object == null)
             throw new IllegalArgumentException("cannot validate null");
 
@@ -199,20 +188,20 @@ public class ClassValidator implements V
 
             Class<T> objectClass = (Class<T>) object.getClass();
             MetaBean objectMetaBean =
-                factoryContext.getMetaBeanFinder().findForClass(objectClass);
+                    factoryContext.getMetaBeanFinder().findForClass(objectClass);
 
             GroupValidationContext<T> context =
-                createContext(objectMetaBean, object, objectClass, groups);
+                    createContext(objectMetaBean, object, objectClass, groups);
             ConstraintValidationListener<T> result = context.getListener();
             NestedMetaProperty nestedProp =
-                getNestedProperty(objectMetaBean, object, propertyName);
+                    getNestedProperty(objectMetaBean, object, propertyName);
             context.setMetaProperty(nestedProp.getMetaProperty());
             if (nestedProp.isNested()) {
                 context.setFixedValue(nestedProp.getValue());
             }
             if (context.getMetaProperty() == null)
                 throw new IllegalArgumentException("Unknown property "
-                    + object.getClass().getName() + "." + propertyName);
+                        + object.getClass().getName() + "." + propertyName);
             Groups sequence = context.getGroups();
 
             // 1. process groups
@@ -251,30 +240,22 @@ public class ClassValidator implements V
      * <code>ConstraintViolation</code> objects return null for
      * {@link ConstraintViolation#getRootBean()} and
      * {@link ConstraintViolation#getLeafBean()}
-     * 
-     * @param beanType
-     *            the bean type
-     * @param propertyName
-     *            property to validate
-     * @param value
-     *            property value to validate
-     * @param groups
-     *            group or list of groups targeted for validation (default to
-     *            {@link javax.validation.groups.Default})
-     * 
+     *
+     * @param beanType     the bean type
+     * @param propertyName property to validate
+     * @param value        property value to validate
+     * @param groups       group or list of groups targeted for validation (default to
+     *                     {@link javax.validation.groups.Default})
      * @return constraint violations or an empty Set if none
-     * 
-     * @throws IllegalArgumentException
-     *             if <code>beanType</code> is null, if
-     *             <code>propertyName</code> null, empty or not a valid object
-     *             property or if null is passed to the varargs groups
-     * @throws ValidationException
-     *             if a non recoverable error happens during the validation
-     *             process
+     * @throws IllegalArgumentException if <code>beanType</code> is null, if
+     *                                  <code>propertyName</code> null, empty or not a valid object
+     *                                  property or if null is passed to the varargs groups
+     * @throws ValidationException      if a non recoverable error happens during the validation
+     *                                  process
      */
     // @Override - not allowed in 1.5 for Interface methods
     public <T> Set<ConstraintViolation<T>> validateValue(Class<T> beanType,
-        String propertyName, Object value, Class<?>... groups) {
+                                                         String propertyName, Object value, Class<?>... groups) {
 
         checkBeanType(beanType);
         checkPropertyName(propertyName);
@@ -282,12 +263,12 @@ public class ClassValidator implements V
 
         try {
             MetaBean metaBean =
-                factoryContext.getMetaBeanFinder().findForClass(beanType);
+                    factoryContext.getMetaBeanFinder().findForClass(beanType);
             GroupValidationContext<T> context =
-                createContext(metaBean, null, beanType, groups);
+                    createContext(metaBean, null, beanType, groups);
             ConstraintValidationListener<T> result = context.getListener();
             context.setMetaProperty(getNestedProperty(metaBean, null,
-                propertyName).getMetaProperty());
+                    propertyName).getMetaProperty());
             context.setFixedValue(value);
             Groups sequence = context.getGroups();
 
@@ -321,17 +302,12 @@ public class ClassValidator implements V
      * {@inheritDoc} Return the descriptor object describing bean constraints.
      * The returned object (and associated objects including
      * <code>ConstraintDescriptor<code>s) are immutable.
-     * 
-     * @param clazz
-     *            class or interface type evaluated
-     * 
+     *
+     * @param clazz class or interface type evaluated
      * @return the bean descriptor for the specified class.
-     * 
-     * @throws IllegalArgumentException
-     *             if clazz is null
-     * @throws ValidationException
-     *             if a non recoverable error happens during the metadata
-     *             discovery or if some constraints are invalid.
+     * @throws IllegalArgumentException if clazz is null
+     * @throws ValidationException      if a non recoverable error happens during the metadata
+     *                                  discovery or if some constraints are invalid.
      */
     // @Override - not allowed in 1.5 for Interface methods
     public BeanDescriptor getConstraintsForClass(Class<?> clazz) {
@@ -340,9 +316,9 @@ public class ClassValidator implements V
         }
         try {
             MetaBean metaBean =
-                factoryContext.getMetaBeanFinder().findForClass(clazz);
+                    factoryContext.getMetaBeanFinder().findForClass(clazz);
             BeanDescriptorImpl edesc =
-                metaBean.getFeature(Jsr303Features.Bean.BEAN_DESCRIPTOR);
+                    metaBean.getFeature(Jsr303Features.Bean.BEAN_DESCRIPTOR);
             if (edesc == null) {
                 edesc = createBeanDescriptor(metaBean);
                 metaBean.putFeature(Jsr303Features.Bean.BEAN_DESCRIPTOR, edesc);
@@ -350,7 +326,7 @@ public class ClassValidator implements V
             return edesc;
         } catch (RuntimeException ex) {
             throw new ValidationException("error retrieving constraints for "
-                + clazz, ex);
+                    + clazz, ex);
         }
     }
 
@@ -359,36 +335,33 @@ public class ClassValidator implements V
      * provider-specific APIs. If the Bean Validation provider implementation
      * does not support the specified class, <code>ValidationException</code> is
      * thrown.
-     * 
-     * @param type
-     *            the class of the object to be returned.
-     * 
+     *
+     * @param type the class of the object to be returned.
      * @return an instance of the specified class
-     * 
-     * @throws ValidationException
-     *             if the provider does not support the call.
+     * @throws ValidationException if the provider does not support the call.
      */
     // @Override - not allowed in 1.5 for Interface methods
     public <T> T unwrap(Class<T> type) {
+        // FIXME 2011-03-27 jw:
+        // This code is unsecure.
+        // It should allow only a fixed set of classes.
+        // Can't fix this because don't know which classes this method should support.
+
         if (type.isAssignableFrom(getClass())) {
             @SuppressWarnings("unchecked")
             final T result = (T) this;
             return result;
         } else if (!(type.isInterface() || Modifier.isAbstract(type
-            .getModifiers()))) {
-            return SecureActions.newInstance(type,
-                new Class[] { ApacheFactoryContext.class },
-                new Object[] { factoryContext });
+                .getModifiers()))) {
+            return newInstance(type);
         } else {
             try {
                 Class<?> cls = ClassUtils.getClass(type.getName() + "Impl");
                 if (type.isAssignableFrom(cls)) {
                     @SuppressWarnings("unchecked")
                     final Class<? extends T> implClass =
-                        (Class<? extends T>) cls;
-                    return SecureActions.newInstance(implClass,
-                        new Class[] { ApacheFactoryContext.class },
-                        new Object[] { factoryContext });
+                            (Class<? extends T>) cls;
+                    return newInstance(implClass);
                 }
             } catch (ClassNotFoundException e) {
             }
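Review bot: The concrete-class branch `return newInstance(type);` still instantiates whatever class the caller passes to `unwrap`, and the added FIXME records that without adding a guard. Until the supported set of classes is settled, the Javadoc above should state the constraint explicitly, for example `Note: a concrete type is instantiated reflectively with the factory context; callers must not pass classes they do not trust.` The `type.getName() + "Impl"` lookup in the else branch has the same property, and its `catch (ClassNotFoundException e) { }` is still empty here, while the ApacheValidatorFactory copy gained a `// do nothing` comment. The method body continues past the end of this hunk.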
@@ -396,18 +369,33 @@ public class ClassValidator implements V
         }
     }
 
+    private <T> T newInstance(final Class<T> cls) {
+        return AccessController.doPrivileged(new PrivilegedAction<T>() {
+            public T run() {
+                try {
+                    Constructor<T> cons = cls.getConstructor(ApacheFactoryContext.class);
+                    if (!cons.isAccessible()) {
+                        cons.setAccessible(true);
+                    }
+                    return cons.newInstance(factoryContext);
+                } catch (final Exception ex) {
+                    throw new ValidationException("Cannot instantiate : " + cls, ex);
+                }
+            }
+        });
+    }
+
     // Helpers
     // -------------------------------------------------------------------
 
     /**
      * Validates a bean and all its cascaded related beans for the currently
      * defined group.
-     * <p>
+     * <p/>
      * Special code is present to manage the {@link Default} group.
-     * 
-     * @param validationContext
-     *            The current context of this validation call. Must have its
-     *            {@link GroupValidationContext#getCurrentGroup()} field set.
+     *
+     * @param validationContext The current context of this validation call. Must have its
+     *                          {@link GroupValidationContext#getCurrentGroup()} field set.
      */
     protected void validateBeanNet(GroupValidationContext<?> context) {
 
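Review bot: In the added `newInstance`, `cons.setAccessible(true)` runs inside `AccessController.doPrivileged` for a class that `unwrap` takes directly from its caller, so the reflective access check is made with this library's permissions rather than the caller's. `isAccessible()` reports the override flag, which is false on a freshly looked-up constructor, so the `if` never skips the call. `getConstructor` returns only public constructors, so the override matters only for a public constructor on a non-public class; if that case is not required, dropping `if (!cons.isAccessible()) { cons.setAccessible(true); }` narrows what the privileged block does on behalf of the caller. The method also has no Javadoc; a short one saying that it runs privileged and passes `factoryContext` to the constructor of `cls` would make the trust assumption visible to the next maintainer.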
@@ -429,7 +417,7 @@ public class ClassValidator implements V
 
             List<Group> defaultGroups = expandDefaultGroup(context);
             final ConstraintValidationListener<?> result =
-                (ConstraintValidationListener<?>) context.getListener();
+                    (ConstraintValidationListener<?>) context.getListener();
 
             // If the rootBean defines a GroupSequence
             if (defaultGroups.size() > 1) {
@@ -456,7 +444,7 @@ public class ClassValidator implements V
                 // Obtain the full class hierarchy
                 List<Class<?>> classHierarchy = new ArrayList<Class<?>>();
                 ClassHelper.fillFullClassHierarchyAsList(classHierarchy,
-                    context.getMetaBean().getBeanClass());
+                        context.getMetaBean().getBeanClass());
                 Class<?> initialOwner = context.getCurrentOwner();
 
                 // For each owner in the hierarchy
@@ -468,8 +456,8 @@ public class ClassValidator implements V
                     // Obtain the group sequence of the owner, and use it for
                     // the constraints that belong to it
                     List<Group> ownerDefaultGroups =
-                        context.getMetaBean().getFeature(
-                            "{GroupSequence:" + owner.getCanonicalName() + "}");
+                            context.getMetaBean().getFeature(
+                                    "{GroupSequence:" + owner.getCanonicalName() + "}");
                     for (Group each : ownerDefaultGroups) {
                         context.setCurrentGroup(each);
                         ValidationHelper.validateBean(context);
@@ -501,16 +489,14 @@ public class ClassValidator implements V
     /**
      * Checks if the the meta property <code>prop</code> defines a cascaded
      * bean, and in case it does, validates it.
-     * 
-     * @param context
-     *            The current validation context.
-     * @param prop
-     *            The property to cascade from (in case it is possible).
+     *
+     * @param context The current validation context.
+     * @param prop    The property to cascade from (in case it is possible).
      */
     private void validateCascadedBean(GroupValidationContext<?> context,
-        MetaProperty prop) {
+                                      MetaProperty prop) {
         AccessStrategy[] access =
-            prop.getFeature(Features.Property.REF_CASCADE);
+                prop.getFeature(Features.Property.REF_CASCADE);
         if (access != null) { // different accesses to relation
             // save old values from context
             final Object bean = context.getBean();
@@ -523,8 +509,8 @@ public class ClassValidator implements V
                     context.moveDown(prop, each);
                     // Now, if the related bean is an instance of Map/Array/etc,
                     ValidationHelper.validateContext(context,
-                        new Jsr303ValidationCallback(context),
-                        treatMapsLikeBeans);
+                            new Jsr303ValidationCallback(context),
+                            treatMapsLikeBeans);
                     // restore old values in context
                     context.moveUp(bean, mbean);
                 }
@@ -536,18 +522,15 @@ public class ClassValidator implements V
      * Before accessing a related bean (marked with
      * {@link javax.validation.Valid}), the validator has to check if it is
      * reachable and cascadable.
-     * 
-     * @param context
-     *            The current validation context.
-     * @param prop
-     *            The property of the related bean.
-     * @param access
-     *            The access strategy used to get the related bean value.
+     *
+     * @param context The current validation context.
+     * @param prop    The property of the related bean.
+     * @param access  The access strategy used to get the related bean value.
      * @return <code>true</code> if the validator can access the related bean,
      *         <code>false</code> otherwise.
      */
     private boolean isCascadable(GroupValidationContext<?> context,
-        MetaProperty prop, AccessStrategy access) {
+                                 MetaProperty prop, AccessStrategy access) {
 
         PathImpl beanPath = context.getPropertyPath();
         NodeImpl node = new NodeImpl(prop.getName());
@@ -556,26 +539,26 @@ public class ClassValidator implements V
         }
         try {
             if (!context.getTraversableResolver().isReachable(
-                context.getBean(), node,
-                context.getRootMetaBean().getBeanClass(), beanPath,
-                access.getElementType()))
+                    context.getBean(), node,
+                    context.getRootMetaBean().getBeanClass(), beanPath,
+                    access.getElementType()))
                 return false;
         } catch (RuntimeException e) {
             throw new ValidationException(
-                "Error in TraversableResolver.isReachable() for "
-                    + context.getBean(), e);
+                    "Error in TraversableResolver.isReachable() for "
+                            + context.getBean(), e);
         }
 
         try {
             if (!context.getTraversableResolver().isCascadable(
-                context.getBean(), node,
-                context.getRootMetaBean().getBeanClass(), beanPath,
-                access.getElementType()))
+                    context.getBean(), node,
+                    context.getRootMetaBean().getBeanClass(), beanPath,
+                    access.getElementType()))
                 return false;
         } catch (RuntimeException e) {
             throw new ValidationException(
-                "Error TraversableResolver.isCascadable() for "
-                    + context.getBean(), e);
+                    "Error TraversableResolver.isCascadable() for "
+                            + context.getBean(), e);
         }
 
         return true;
@@ -584,7 +567,7 @@ public class ClassValidator implements V
     /**
      * in case of a default group return the list of groups for a redefined
      * default GroupSequence
-     * 
+     *
      * @return null when no in default group or default group sequence not
      *         redefined
      */
@@ -592,11 +575,11 @@ public class ClassValidator implements V
         if (context.getCurrentGroup().isDefault()) {
             // mention if metaBean redefines the default group
             List<Group> groupSeq =
-                context.getMetaBean().getFeature(
-                    Jsr303Features.Bean.GROUP_SEQUENCE);
+                    context.getMetaBean().getFeature(
+                            Jsr303Features.Bean.GROUP_SEQUENCE);
             if (groupSeq != null) {
                 context.getGroups().assertDefaultGroupSequenceIsExpandable(
-                    groupSeq);
+                        groupSeq);
             }
             return groupSeq;
         } else {
@@ -606,19 +589,19 @@ public class ClassValidator implements V
 
     /**
      * Generate an unrecoverable validation error
-     * 
+     *
      * @param ex
      * @param object
      * @return a {@link RuntimeException} of the appropriate type
      */
     protected static RuntimeException unrecoverableValidationError(
-        RuntimeException ex, Object object) {
+            RuntimeException ex, Object object) {
         if (ex instanceof UnknownPropertyException) {
             // Convert to IllegalArgumentException
             return new IllegalArgumentException(ex.getMessage(), ex);
         } else if (ex instanceof ValidationException) {
             return ex; // do not wrap specific ValidationExceptions (or
-                       // instances from subclasses)
+            // instances from subclasses)
         } else {
             String objectId = "";
             try {
@@ -631,7 +614,7 @@ public class ClassValidator implements V
                 objectId = "<unknown>";
             } finally {
                 return new ValidationException("error during validation of "
-                    + objectId, ex);
+                        + objectId, ex);
             }
         }
     }
@@ -658,7 +641,7 @@ public class ClassValidator implements V
      * from the instance
      */
     private NestedMetaProperty getNestedProperty(MetaBean metaBean, Object t,
-        String propertyName) {
+                                                 String propertyName) {
         NestedMetaProperty nested = new NestedMetaProperty(propertyName, t);
         nested.setMetaBean(metaBean);
         nested.parse();
@@ -667,7 +650,7 @@ public class ClassValidator implements V
 
     /**
      * Create a {@link GroupValidationContext}.
-     * 
+     *
      * @param <T>
      * @param metaBean
      * @param object
@@ -676,13 +659,13 @@ public class ClassValidator implements V
      * @return {@link GroupValidationContext} instance
      */
     protected <T> GroupValidationContext<T> createContext(MetaBean metaBean,
-        T object, Class<T> objectClass, Class<?>[] groups) {
+                                                          T object, Class<T> objectClass, Class<?>[] groups) {
         ConstraintValidationListener<T> listener =
-            new ConstraintValidationListener<T>(object, objectClass);
+                new ConstraintValidationListener<T>(object, objectClass);
         GroupValidationContextImpl<T> context =
-            new GroupValidationContextImpl<T>(listener, this.factoryContext
-                .getMessageInterpolator(), this.factoryContext
-                .getTraversableResolver(), metaBean);
+                new GroupValidationContextImpl<T>(listener, this.factoryContext
+                        .getMessageInterpolator(), this.factoryContext
+                        .getTraversableResolver(), metaBean);
         context.setBean(object, metaBean);
         context.setGroups(groupsComputer.computeGroups(groups));
         return context;
@@ -690,7 +673,7 @@ public class ClassValidator implements V
 
     /**
      * Create a {@link BeanDescriptorImpl}
-     * 
+     *
      * @param metaBean
      * @return {@link BeanDescriptorImpl} instance
      */
@@ -702,7 +685,7 @@ public class ClassValidator implements V
 
     /**
      * Behavior configuration -
-     * 
+     * <p/>
      * <pre>
      * parameter: treatMapsLikeBeans - true (validate maps like beans, so that
      *                             you can use Maps to validate dynamic classes or
@@ -710,7 +693,7 @@ public class ClassValidator implements V
      *                           - false (default), validate maps like collections
      *                             (validating the values only)
      * </pre>
-     * 
+     * <p/>
      * (is still configuration to better in BeanValidationContext?)
      */
     public boolean isTreatMapsLikeBeans() {
@@ -724,9 +707,8 @@ public class ClassValidator implements V
     /**
      * Checks that beanType is valid according to spec Section 4.1.1 i. Throws
      * an {@link IllegalArgumentException} if it is not.
-     * 
-     * @param beanType
-     *            Bean type to check.
+     *
+     * @param beanType Bean type to check.
      */
     private void checkBeanType(Class<?> beanType) {
         if (beanType == null) {
@@ -737,23 +719,21 @@ public class ClassValidator implements V
     /**
      * Checks that the property name is valid according to spec Section 4.1.1 i.
      * Throws an {@link IllegalArgumentException} if it is not.
-     * 
-     * @param propertyName
-     *            Property name to check.
+     *
+     * @param propertyName Property name to check.
      */
     private void checkPropertyName(String propertyName) {
         if (propertyName == null || propertyName.trim().length() == 0) {
             throw new IllegalArgumentException(
-                "Property path cannot be null or empty.");
+                    "Property path cannot be null or empty.");
         }
     }
 
     /**
      * Checks that the groups array is valid according to spec Section 4.1.1 i.
      * Throws an {@link IllegalArgumentException} if it is not.
-     * 
-     * @param groups
-     *            The groups to check.
+     *
+     * @param groups The groups to check.
      */
     private void checkGroups(Class<?>[] groups) {
         if (groups == null) {
@@ -767,7 +747,7 @@ public class ClassValidator implements V
      * current context set.
      */
     protected class Jsr303ValidationCallback implements
-        ValidationHelper.ValidateCallback {
+            ValidationHelper.ValidateCallback {
 
         private final GroupValidationContext<?> context;
 

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConfigurationImpl.java Thu Aug 25 17:14:15 2011
@@ -24,21 +24,12 @@ import org.apache.bval.jsr303.xml.Valida
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import javax.validation.ConstraintValidatorFactory;
-import javax.validation.MessageInterpolator;
-import javax.validation.TraversableResolver;
-import javax.validation.ValidationException;
-import javax.validation.ValidationProviderResolver;
-import javax.validation.ValidatorFactory;
+import javax.validation.*;
 import javax.validation.spi.BootstrapState;
 import javax.validation.spi.ConfigurationState;
 import javax.validation.spi.ValidationProvider;
 import java.io.InputStream;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 /**
  * Description: used to configure apache-validation for jsr303.
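Review bot: The six explicit `javax.validation` imports and five explicit `java.util` imports are collapsed into `import javax.validation.*;` and `import java.util.*;`, which hides which types this class depends on and adds unrelated noise to a commit whose stated purpose is a security fix. I would keep the explicit imports here. The same applies to the `import java.util.*;` line introduced in ConstraintFinderImpl.java.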

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintFinderImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintFinderImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintFinderImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ConstraintFinderImpl.java Thu Aug 25 17:14:15 2011
@@ -18,23 +18,17 @@
  */
 package org.apache.bval.jsr303;
 
-import javax.validation.metadata.ConstraintDescriptor;
-import javax.validation.metadata.ElementDescriptor;
-import javax.validation.metadata.Scope;
-import javax.validation.metadata.ElementDescriptor.ConstraintFinder;
-
 import org.apache.bval.jsr303.groups.Group;
 import org.apache.bval.jsr303.groups.Groups;
 import org.apache.bval.jsr303.groups.GroupsComputer;
 import org.apache.bval.model.MetaBean;
 
+import javax.validation.metadata.ConstraintDescriptor;
+import javax.validation.metadata.ElementDescriptor;
+import javax.validation.metadata.ElementDescriptor.ConstraintFinder;
+import javax.validation.metadata.Scope;
 import java.lang.annotation.ElementType;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Set;
+import java.util.*;
 
 /**
  * Description: Implementation of the fluent {@link ConstraintFinder} interface.<br/>

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultConstraintValidatorFactory.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultConstraintValidatorFactory.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultConstraintValidatorFactory.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultConstraintValidatorFactory.java Thu Aug 25 17:14:15 2011
@@ -18,23 +18,33 @@
  */
 package org.apache.bval.jsr303;
 
-
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorFactory;
+import javax.validation.ValidationException;
 
-import org.apache.bval.jsr303.util.SecureActions;
 
 /**
  * Description: create constraint instances with the default / no-arg constructor <br/>
  */
 public class DefaultConstraintValidatorFactory implements ConstraintValidatorFactory {
+
     /**
      * Instantiate a Constraint.
      *
      * @return Returns a new Constraint instance
      *         The ConstraintFactory is <b>not</b> responsible for calling Constraint#initialize
      */
-    public <T extends ConstraintValidator<?, ?>> T getInstance(Class<T> constraintClass) {
-        return SecureActions.newInstance(constraintClass);
+    public <T extends ConstraintValidator<?, ?>> T getInstance(final Class<T> constraintClass)
+    {
+      // 2011-03-27 jw: Do not use PrivilegedAction.
+      // Otherwise any user code would be executed with the privileges of this class.
+      try
+      {
+        return constraintClass.newInstance();
+      }
+      catch (final Exception ex)
+      {
+        throw new ValidationException("Cannot instantiate : " + constraintClass, ex);
+      }
     }
 }
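Review bot: The Javadoc of `getInstance` still describes only the return value, although the method now embodies a security decision and has a new failure mode. I would add `@param constraintClass validator class; its no-arg constructor runs without elevated privileges (no doPrivileged)` and `@throws ValidationException if the class cannot be instantiated`. Because `Class.newInstance()` propagates whatever the constructor throws, the `catch (final Exception ex)` also wraps exceptions raised by the validator's own constructor, which deserves a sentence in the same Javadoc. The new body uses two-space indentation and braces on their own lines, unlike the rest of the file.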

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultMessageInterpolator.java Thu Aug 25 17:14:15 2011
@@ -22,6 +22,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.validation.MessageInterpolator;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Locale;
 import java.util.Map;
 import java.util.MissingResourceException;
@@ -161,14 +163,20 @@ public class DefaultMessageInterpolator 
      */
     private ResourceBundle getFileBasedResourceBundle(Locale locale) {
         ResourceBundle rb = null;
-        final ClassLoader classLoader = SecureActions.getContextClassLoader(Thread.currentThread());
+        final ClassLoader classLoader = doPrivileged(SecureActions.getContextClassLoader());
         if (classLoader != null) {
             rb = loadBundle(classLoader, locale,
                   USER_VALIDATION_MESSAGES + " not found by thread local classloader");
         }
+
+        // 2011-03-27 jw: No privileged action required.
+        // A class can always access the classloader of itself and of subclasses.
         if (rb == null) {
-            rb = loadBundle(SecureActions.getClassLoader(this.getClass()), locale,
-                  USER_VALIDATION_MESSAGES + " not found by validator classloader");
+            rb = loadBundle(
+              getClass().getClassLoader(),
+              locale,
+              USER_VALIDATION_MESSAGES + " not found by validator classloader"
+            );
         }
         if (rb != null) {
             log.debug("{} found", USER_VALIDATION_MESSAGES);
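Review bot: The added comment `A class can always access the classloader of itself and of subclasses` promises more than `getClass().getClassLoader()` guarantees under a security manager. The call skips the `getClassLoader` permission check only when the caller's loader is the same as, or an ancestor of, the loader of the runtime class. For a subclass loaded by a loader that is not a descendant (possible in some container or OSGi-style setups) the check applies and can fail with a SecurityException; whether such subclasses occur is not visible in this hunk. I would reword the comment to `// No privileged action: the runtime class is loaded by our own loader or a descendant of it; otherwise the caller needs the getClassLoader permission.` The method body continues past the end of the hunk.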
@@ -192,7 +200,7 @@ public class DefaultMessageInterpolator 
     private String replaceVariables(String message, ResourceBundle bundle, Locale locale,
                                     boolean recurse) {
         Matcher matcher = messageParameterPattern.matcher(message);
-        StringBuffer sb = new StringBuffer();
+        StringBuffer sb = new StringBuffer(64);
         String resolvedParameterValue;
         while (matcher.find()) {
             String parameter = matcher.group(1);
@@ -207,7 +215,7 @@ public class DefaultMessageInterpolator 
     private String replaceAnnotationAttributes(String message,
                                                Map<String, Object> annotationParameters) {
         Matcher matcher = messageParameterPattern.matcher(message);
-        StringBuffer sb = new StringBuffer();
+        StringBuffer sb = new StringBuffer(64);
         while (matcher.find()) {
             String resolvedParameterValue;
             String parameter = matcher.group(1);
@@ -252,24 +260,23 @@ public class DefaultMessageInterpolator 
     }
 
     private ResourceBundle findDefaultResourceBundle(Locale locale) {
-        if (defaultBundlesMap.containsKey(locale)) {
-            return defaultBundlesMap.get(locale);
+        ResourceBundle bundle = defaultBundlesMap.get(locale);
+        if (bundle == null)
+        {
+            bundle = ResourceBundle.getBundle(DEFAULT_VALIDATION_MESSAGES, locale);
+            defaultBundlesMap.put(locale, bundle);
         }
-
-        ResourceBundle bundle =
-              ResourceBundle.getBundle(DEFAULT_VALIDATION_MESSAGES, locale);
-        defaultBundlesMap.put(locale, bundle);
         return bundle;
     }
 
     private ResourceBundle findUserResourceBundle(Locale locale) {
-        if (userBundlesMap.containsKey(locale)) {
-            return userBundlesMap.get(locale);
-        }
-
-        ResourceBundle bundle = getFileBasedResourceBundle(locale);
-        if (bundle != null) {
-            userBundlesMap.put(locale, bundle);
+        ResourceBundle bundle = userBundlesMap.get(locale);
+        if (bundle == null)
+        {
+            bundle = getFileBasedResourceBundle(locale);
+            if (bundle != null) {
+                userBundlesMap.put(locale, bundle);
+            }
         }
         return bundle;
     }
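Review bot: Both lookups remain a check-then-act sequence (`get`, then `put`) with no synchronization in the hunk, so two threads asking for the same locale can load the bundle twice, and if `defaultBundlesMap` and `userBundlesMap` are plain `HashMap`s (their declarations are outside the hunk) the concurrent `put` calls are unsafe. A comment on each method naming the assumption, for example `// relies on defaultBundlesMap being a concurrent map; a duplicate load is harmless`, would make this explicit. In `findUserResourceBundle` a missing user bundle is not cached, so `getFileBasedResourceBundle` and its privileged class-loader lookup run again on every call for that locale. The new `if (bundle == null)` lines put the opening brace on its own line, unlike the nested `if (bundle != null) {` just below.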
@@ -294,4 +301,22 @@ public class DefaultMessageInterpolator 
         return src.replace("\\", "\\\\").replace("$", "\\$");
     }
 
+
+
+    /**
+     * Perform action with AccessController.doPrivileged() if a security manager is installed.
+     *
+     * @param action
+     *  the action to run
+     * @return
+     *  result of the action
+     */
+    private static <T> T doPrivileged(final PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
+
 }
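Review bot: The Javadoc of `doPrivileged` should say why the helper is private and repeated per class instead of being shared. A public or shared version would let any caller run an arbitrary `PrivilegedAction` inside this class's protection domain, which is presumably the kind of hole the commit log refers to in `PrivilegedActions`. I would add the sentence `Must stay private: only actions created inside this class may be passed in.` and a `@param <T> result type of the action` line. The identical helper added at the end of Jsr303MetaBeanFactory.java needs the same wording.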

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultValidationProviderResolver.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultValidationProviderResolver.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultValidationProviderResolver.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/DefaultValidationProviderResolver.java Thu Aug 25 17:14:15 2011
@@ -20,13 +20,12 @@ package org.apache.bval.jsr303;
 import javax.validation.ValidationException;
 import javax.validation.ValidationProviderResolver;
 import javax.validation.spi.ValidationProvider;
-
-import org.apache.bval.jsr303.util.SecureActions;
-
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
@@ -35,7 +34,7 @@ public class DefaultValidationProviderRe
 
     //TODO - Spec recommends caching per classloader
     private static final String SPI_CFG =
-        "META-INF/services/javax.validation.spi.ValidationProvider";
+            "META-INF/services/javax.validation.spi.ValidationProvider";
 
     /**
      * {@inheritDoc}
@@ -63,10 +62,21 @@ public class DefaultValidationProviderRe
                                 // try loading the specified class
                                 final Class<?> provider = cl.loadClass(line);
                                 // create an instance to return
-                                providers.add((ValidationProvider<?>) SecureActions.newInstance(provider));
+                                ValidationProvider<?> vp =
+                                        AccessController.doPrivileged(new PrivilegedAction<ValidationProvider<?>>() {
+                                            public ValidationProvider<?> run() {
+                                                try {
+                                                    return (ValidationProvider<?>) provider.newInstance();
+                                                } catch (final Exception ex) {
+                                                    throw new ValidationException("Cannot instantiate : " + provider, ex);
+                                                }
+                                            }
+                                        });
+                                 providers.add(vp);
+
                             } catch (ClassNotFoundException e) {
                                 throw new ValidationException("Failed to load provider " +
-                                    line + " configured in file " + url, e);
+                                        line + " configured in file " + url, e);
                             }
                         }
                         line = br.readLine();
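Review bot: `provider.newInstance()` runs inside an unconditional `AccessController.doPrivileged`, so the constructor of whatever class name was read from the `META-INF/services` file executes with this resolver's privileges. That contradicts the decision documented in DefaultConstraintValidatorFactory in this same commit (`Do not use PrivilegedAction. Otherwise any user code would be executed with the privileges of this class`). If elevated rights really are needed to create providers, a comment should name the permission and the reason; otherwise the instantiation belongs outside the privileged block. Independently, the type is verified only by the cast after the constructor has already run, so I would add `if (!ValidationProvider.class.isAssignableFrom(provider)) { throw new ValidationException("Not a ValidationProvider : " + provider); }` before the privileged block. The call also skips the `System.getSecurityManager() != null` test used by the `doPrivileged` helpers added elsewhere in this commit, and the enclosing method starts and ends outside the hunk.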

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ElementDescriptorImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ElementDescriptorImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ElementDescriptorImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/ElementDescriptorImpl.java Thu Aug 25 17:14:15 2011
@@ -16,12 +16,11 @@
  */
 package org.apache.bval.jsr303;
 
-import javax.validation.metadata.ConstraintDescriptor;
-import javax.validation.metadata.ElementDescriptor;
-
 import org.apache.bval.model.MetaBean;
 import org.apache.bval.model.Validation;
 
+import javax.validation.metadata.ConstraintDescriptor;
+import javax.validation.metadata.ElementDescriptor;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/Jsr303MetaBeanFactory.java Thu Aug 25 17:14:15 2011
@@ -42,6 +42,8 @@ import javax.validation.*;
 import javax.validation.groups.Default;
 import java.lang.annotation.Annotation;
 import java.lang.reflect.*;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
@@ -127,7 +129,7 @@ public class Jsr303MetaBeanFactory imple
                   new AppendValidationToMeta(metabean));
         }
 
-        final Field[] fields = SecureActions.getDeclaredFields(beanClass);
+        final Field[] fields = doPrivileged(SecureActions.getDeclaredFields(beanClass));
         for (Field field : fields) {
             MetaProperty metaProperty = metabean.getProperty(field.getName());
             // create a property for those fields for which there is not yet a MetaProperty
@@ -145,7 +147,7 @@ public class Jsr303MetaBeanFactory imple
                 }
             }
         }
-        final Method[] methods = SecureActions.getDeclaredMethods(beanClass);
+        final Method[] methods = doPrivileged(SecureActions.getDeclaredMethods(beanClass));
         for (Method method : methods) {
 
             String propName = null;
@@ -595,4 +597,22 @@ public class Jsr303MetaBeanFactory imple
             }
         } while (removed && assignableTypes.size() > 1);
     }
+
+
+
+    /**
+     * Perform action with AccessController.doPrivileged() if a security manager is installed.
+     *
+     * @param action
+     *  the action to run
+     * @return
+     *  result of the action
+     */
+    private static <T> T doPrivileged(final PrivilegedAction<T> action) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(action);
+        } else {
+            return action.run();
+        }
+    }
 }

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/PropertyDescriptorImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/PropertyDescriptorImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/PropertyDescriptorImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/PropertyDescriptorImpl.java Thu Aug 25 17:14:15 2011
@@ -18,11 +18,11 @@
  */
 package org.apache.bval.jsr303;
 
-import javax.validation.metadata.PropertyDescriptor;
-
 import org.apache.bval.model.Features;
 import org.apache.bval.model.MetaProperty;
 
+import javax.validation.metadata.PropertyDescriptor;
+
 /**
  * Description: {@link PropertyDescriptor} implementation.<br/>
  */

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ConstructorDescriptorImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ConstructorDescriptorImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ConstructorDescriptorImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ConstructorDescriptorImpl.java Thu Aug 25 17:14:15 2011
@@ -17,13 +17,13 @@
 package org.apache.bval.jsr303.extensions;
 
 
-import java.util.ArrayList;
-import java.util.List;
-
 import org.apache.bval.jsr303.ElementDescriptorImpl;
 import org.apache.bval.model.MetaBean;
 import org.apache.bval.model.Validation;
 
+import java.util.ArrayList;
+import java.util.List;
+
 /**
  * Description: {@link ConstructorDescriptor} implementation.<br/>
  */

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodBeanDescriptorImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodBeanDescriptorImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodBeanDescriptorImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodBeanDescriptorImpl.java Thu Aug 25 17:14:15 2011
@@ -16,16 +16,16 @@
  */
 package org.apache.bval.jsr303.extensions;
 
+import org.apache.bval.jsr303.ApacheFactoryContext;
+import org.apache.bval.jsr303.BeanDescriptorImpl;
+import org.apache.bval.model.MetaBean;
+
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
-import org.apache.bval.jsr303.ApacheFactoryContext;
-import org.apache.bval.jsr303.BeanDescriptorImpl;
-import org.apache.bval.model.MetaBean;
-
 /**
  * Description: {@link MethodBeanDescriptor} implementation.<br/>
  */

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodDescriptorImpl.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodDescriptorImpl.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodDescriptorImpl.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/MethodDescriptorImpl.java Thu Aug 25 17:14:15 2011
@@ -16,15 +16,15 @@
  */
 package org.apache.bval.jsr303.extensions;
 
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.List;
-
 import org.apache.bval.jsr303.ConstraintValidation;
 import org.apache.bval.jsr303.ElementDescriptorImpl;
 import org.apache.bval.model.MetaBean;
 import org.apache.bval.model.Validation;
 
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
 /**
  * Description: {@link MethodDescriptor} implementation.<br/>
  */

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ProcedureDescriptor.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ProcedureDescriptor.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ProcedureDescriptor.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/extensions/ProcedureDescriptor.java Thu Aug 25 17:14:15 2011
@@ -17,10 +17,10 @@
 package org.apache.bval.jsr303.extensions;
 
 
-import java.util.List;
-
 import org.apache.bval.model.MetaBean;
 
+import java.util.List;
+
 /**
  * Description: superinterface of {@link ConstructorDescriptor} and {@link MethodDescriptor}.<br/>
  */

Modified: incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/groups/Group.java
URL: http://svn.apache.org/viewvc/incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/groups/Group.java?rev=1161648&r1=1161647&r2=1161648&view=diff
==============================================================================
--- incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/groups/Group.java (original)
+++ incubator/bval/trunk/bval-jsr303/src/main/java/org/apache/bval/jsr303/groups/Group.java Thu Aug 25 17:14:15 2011
@@ -18,10 +18,10 @@
  */
 package org.apache.bval.jsr303.groups;
 
-import javax.validation.groups.Default;
-
 import org.apache.commons.lang.ObjectUtils;
 
+import javax.validation.groups.Default;
+
 /**
  * Immutable object that wraps an interface representing a single group.
  */


