HV-1280 Setting context class loader to HV's defining CL before calling into JAXB/JAXP;

This makes sure we don't get in touch with a JAXP implementation provided as part of the
deployed application when running on WF.

Author: gunnarmorling

documentation/src/main/asciidoc/ch01.asciidoc

@@ -104,6 +104,7 @@ The following shows how to do this via a http://docs.oracle.com/javase/8/docs/te
 grant codeBase "file:path/to/hibernate-validator-{hvVersion}.jar" {
     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
     permission java.lang.RuntimePermission "accessDeclaredMembers";
+    permission java.lang.RuntimePermission "setContextClassLoader";
 
     // Only needed when working with XML descriptors (validation.xml or XML constraint mappings)
     permission java.util.PropertyPermission "mapAnyUriToUri", "read";
@@ -321,4 +322,3 @@ To learn more about the validation of beans and properties, just continue readin
 <<chapter-bean-constraints>>. If you are interested in using Bean Validation for the validation of
 method pre- and postcondition refer to <<chapter-method-constraints>>. In case your application has
 specific validation requirements have a look at <<validator-customconstraints>>.
-

engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/SetContextClassLoader.java

@@ -0,0 +1,35 @@
+/*
+ * Hibernate Validator, declare and validate application constraints
+ *
+ * License: Apache License, Version 2.0
+ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
+ */
+package org.hibernate.validator.internal.util.privilegedactions;
+
+import java.security.PrivilegedAction;
+
+import org.hibernate.validator.internal.util.Contracts;
+
+/**
+ * Privileged action used to set the Thread context class loader.
+ *
+ * @author Guillaume Smet
+ */
+public final class SetContextClassLoader implements PrivilegedAction<Void> {
+	private final ClassLoader classLoader;
+
+	public static SetContextClassLoader action(ClassLoader classLoader) {
+		Contracts.assertNotNull( classLoader, "class loader must not be null" );
+		return new SetContextClassLoader( classLoader );
+	}
+
+	private SetContextClassLoader(ClassLoader classLoader) {
+		this.classLoader = classLoader;
+	}
+
+	@Override
+	public Void run() {
+		Thread.currentThread().setContextClassLoader( classLoader );
+		return null;
+	}
+}

engine/src/main/java/org/hibernate/validator/internal/xml/ValidationXmlParser.java

@@ -9,6 +9,7 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
 import java.util.EnumSet;
 import java.util.HashMap;
@@ -27,7 +28,9 @@
 
 import org.hibernate.validator.internal.util.logging.Log;
 import org.hibernate.validator.internal.util.logging.LoggerFactory;
+import org.hibernate.validator.internal.util.privilegedactions.GetClassLoader;
 import org.hibernate.validator.internal.util.privilegedactions.NewJaxbContext;
+import org.hibernate.validator.internal.util.privilegedactions.SetContextClassLoader;
 import org.hibernate.validator.internal.util.privilegedactions.Unmarshal;
 
 /**
@@ -69,7 +72,11 @@ public final BootstrapConfiguration parseValidationXml() {
 			return BootstrapConfigurationImpl.getDefaultBootstrapConfiguration();
 		}
 
+		ClassLoader previousTccl = run( GetClassLoader.fromContext() );
+
 		try {
+			run( SetContextClassLoader.action( ValidationXmlParser.class.getClassLoader() ) );
+
 			// HV-970 The parser helper is only loaded if there actually is a validation.xml file;
 			// this avoids accessing javax.xml.stream.* (which does not exist on Android) when not actually
 			// working with the XML configuration
@@ -83,6 +90,7 @@ public final BootstrapConfiguration parseValidationXml() {
 			return createBootstrapConfiguration( validationConfig );
 		}
 		finally {
+			run( SetContextClassLoader.action( previousTccl ) );
 			closeStream( inputStream );
 		}
 	}
@@ -191,6 +199,16 @@ private EnumSet<ExecutableType> getValidatedExecutableTypes(DefaultValidatedExec
 		return executableTypes;
 	}
 
+	/**
+	 * Runs the given privileged action, using a privileged block if required.
+	 * <p>
+	 * <b>NOTE:</b> This must never be changed into a publicly available method to avoid execution of arbitrary
+	 * privileged actions within HV's protection domain.
+	 */
+	private static <T> T run(PrivilegedAction<T> action) {
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
+
 	/**
 	 * Runs the given privileged action, using a privileged block if required.
 	 * <p>

engine/src/main/java/org/hibernate/validator/internal/xml/XmlMappingParser.java

@@ -11,6 +11,7 @@
 import java.io.InputStream;
 import java.lang.annotation.Annotation;
 import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedExceptionAction;
 import java.util.Collections;
 import java.util.List;
@@ -37,7 +38,9 @@
 import org.hibernate.validator.internal.metadata.raw.ConstrainedType;
 import org.hibernate.validator.internal.util.logging.Log;
 import org.hibernate.validator.internal.util.logging.LoggerFactory;
+import org.hibernate.validator.internal.util.privilegedactions.GetClassLoader;
 import org.hibernate.validator.internal.util.privilegedactions.NewJaxbContext;
+import org.hibernate.validator.internal.util.privilegedactions.SetContextClassLoader;
 import org.hibernate.validator.internal.util.privilegedactions.Unmarshal;
 
 import static org.hibernate.validator.internal.util.CollectionHelper.newArrayList;
@@ -137,15 +140,7 @@ public final void parse(Set<InputStream> mappingStreams) {
 					in.mark( Integer.MAX_VALUE );
 				}
 
-				XMLEventReader xmlEventReader = xmlParserHelper.createXmlEventReader( "constraint mapping file", new CloseIgnoringInputStream( in ) );
-				String schemaVersion = xmlParserHelper.getSchemaVersion( "constraint mapping file", xmlEventReader );
-				String schemaResourceName = getSchemaResourceName( schemaVersion );
-				Schema schema = xmlParserHelper.getSchema( schemaResourceName );
-
-				Unmarshaller unmarshaller = jc.createUnmarshaller();
-				unmarshaller.setSchema( schema );
-
-				ConstraintMappingsType mapping = getValidationConfig( xmlEventReader, unmarshaller );
+				ConstraintMappingsType mapping = unmarshal( jc, in );
 				String defaultPackage = mapping.getDefaultPackage();
 
 				parseConstraintDefinitions(
@@ -180,6 +175,27 @@ public final void parse(Set<InputStream> mappingStreams) {
 		}
 	}
 
+	private ConstraintMappingsType unmarshal(JAXBContext jc, InputStream in) throws JAXBException {
+		ClassLoader previousTccl = run( GetClassLoader.fromContext() );
+
+		try {
+			run( SetContextClassLoader.action( XmlMappingParser.class.getClassLoader() ) );
+
+			XMLEventReader xmlEventReader = xmlParserHelper.createXmlEventReader( "constraint mapping file", new CloseIgnoringInputStream( in ) );
+			String schemaVersion = xmlParserHelper.getSchemaVersion( "constraint mapping file", xmlEventReader );
+			String schemaResourceName = getSchemaResourceName( schemaVersion );
+			Schema schema = xmlParserHelper.getSchema( schemaResourceName );
+
+			Unmarshaller unmarshaller = jc.createUnmarshaller();
+			unmarshaller.setSchema( schema );
+
+			return getValidationConfig( xmlEventReader, unmarshaller );
+		}
+		finally {
+			run( SetContextClassLoader.action( previousTccl ) );
+		}
+	}
+
 	public final Set<Class<?>> getXmlConfiguredClasses() {
 		return processedClasses;
 	}
@@ -369,6 +385,16 @@ private String getSchemaResourceName(String schemaVersion) {
 		return schemaResource;
 	}
 
+	/**
+	 * Runs the given privileged action, using a privileged block if required.
+	 * <p>
+	 * <b>NOTE:</b> This must never be changed into a publicly available method to avoid execution of arbitrary
+	 * privileged actions within HV's protection domain.
+	 */
+	private static <T> T run(PrivilegedAction<T> action) {
+		return System.getSecurityManager() != null ? AccessController.doPrivileged( action ) : action.run();
+	}
+
 	/**
 	 * Runs the given privileged action, using a privileged block if required.
 	 * <p>

integration/src/test/java/org/hibernate/validator/integration/wildfly/xml/Camera.java

@@ -0,0 +1,15 @@
+/*
+ * Hibernate Validator, declare and validate application constraints
+ *
+ * License: Apache License, Version 2.0
+ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
+ */
+package org.hibernate.validator.integration.wildfly.xml;
+
+/**
+ * @author Gunnar Morling
+ */
+public class Camera {
+
+	public String brand = null;
+}

integration/src/test/java/org/hibernate/validator/integration/wildfly/xml/JaxpContainedInDeploymentIT.java

@@ -0,0 +1,142 @@
+/*
+ * Hibernate Validator, declare and validate application constraints
+ *
+ * License: Apache License, Version 2.0
+ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
+ */
+package org.hibernate.validator.integration.wildfly.xml;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
+
+import java.util.Set;
+
+import javax.inject.Inject;
+import javax.validation.ConstraintViolation;
+import javax.validation.Validator;
+import javax.validation.constraints.NotNull;
+
+import org.jboss.arquillian.container.test.api.Deployer;
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.container.test.api.RunAsClient;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.arquillian.junit.InSequence;
+import org.jboss.arquillian.test.api.ArquillianResource;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.asset.Asset;
+import org.jboss.shrinkwrap.api.asset.EmptyAsset;
+import org.jboss.shrinkwrap.api.asset.StringAsset;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.jboss.shrinkwrap.descriptor.api.Descriptors;
+import org.jboss.shrinkwrap.descriptor.api.validationConfiguration11.ValidationConfigurationDescriptor;
+import org.jboss.shrinkwrap.descriptor.api.validationMapping11.ValidationMappingDescriptor;
+import org.jboss.shrinkwrap.resolver.api.maven.Maven;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * Test for https://hibernate.atlassian.net/browse/HV-1280. To reproduce the issue, the deployment must be done twice
+ * (it will only show up during the 2nd deploy), which is why the test is managing the deployment itself via client-side
+ * test methods.
+ *
+ * @author Gunnar Morling
+ */
+@RunWith(Arquillian.class)
+public class JaxpContainedInDeploymentIT {
+
+	private static final String WAR_FILE_NAME = JaxpContainedInDeploymentIT.class.getSimpleName() + ".war";
+
+	@ArquillianResource
+	private Deployer deployer;
+
+	@Inject
+	private Validator validator;
+
+	@Deployment(name = "jaxpit", managed = false)
+	public static Archive<?> createTestArchive() {
+		return ShrinkWrap
+				.create( WebArchive.class, WAR_FILE_NAME )
+				.addClass( Camera.class )
+				.addAsResource( validationXml(), "META-INF/validation.xml" )
+				.addAsResource( mappingXml(), "META-INF/my-mapping.xml" )
+				.addAsLibrary( Maven.resolver().resolve( "xerces:xercesImpl:2.9.1" ).withoutTransitivity().asSingleFile() )
+				.addAsResource( "log4j.properties" )
+				.addAsWebInfResource( EmptyAsset.INSTANCE, "beans.xml" );
+	}
+
+	private static Asset validationXml() {
+		String validationXml = Descriptors.create( ValidationConfigurationDescriptor.class )
+				.version( "1.1" )
+				.constraintMapping( "META-INF/my-mapping.xml" )
+				.exportAsString();
+		return new StringAsset( validationXml );
+	}
+
+	private static Asset mappingXml() {
+		String mappingXml = Descriptors.create( ValidationMappingDescriptor.class )
+				.version( "1.1" )
+				.createBean()
+					.clazz( Camera.class.getName() )
+						.createField()
+							.name( "brand" )
+							.createConstraint()
+								.annotation( "javax.validation.constraints.NotNull" )
+						.up()
+					.up()
+				.up()
+				.exportAsString();
+		return new StringAsset( mappingXml );
+	}
+
+	@Test
+	@RunAsClient
+	@InSequence(0)
+	public void deploy1() throws Exception {
+		deployer.deploy( "jaxpit" );
+	}
+
+	@Test
+	@InSequence(1)
+	public void test1() throws Exception {
+		doTest();
+	}
+
+	@Test
+	@RunAsClient
+	@InSequence(2)
+	public void undeploy1() throws Exception {
+		deployer.undeploy( "jaxpit" );
+	}
+
+	@Test
+	@RunAsClient
+	@InSequence(3)
+	public void deploy2() throws Exception {
+		deployer.deploy( "jaxpit" );
+	}
+
+	@Test
+	@InSequence(4)
+	public void test2() throws Exception {
+		doTest();
+	}
+
+	@Test
+	@RunAsClient
+	@InSequence(5)
+	public void undeploy2() throws Exception {
+		deployer.undeploy( "jaxpit" );
+	}
+
+	private void doTest() {
+		Set<ConstraintViolation<Camera>> violations = validator.validate( new Camera() );
+
+		assertEquals( 1, violations.size() );
+		assertSame( NotNull.class, violations.iterator()
+				.next()
+				.getConstraintDescriptor()
+				.getAnnotation()
+				.annotationType() );
+	}
+}

tck-runner/src/test/resources/test.policy

@@ -26,6 +26,7 @@
 grant codeBase "file:${localRepository}/org/hibernate/hibernate-validator/${project.version}/hibernate-validator-${project.version}.jar" {
     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
     permission java.lang.RuntimePermission "accessDeclaredMembers";
+    permission java.lang.RuntimePermission "setContextClassLoader";
 
     // JAXB
     permission java.util.PropertyPermission "mapAnyUriToUri", "read";
@@ -36,6 +37,7 @@ grant codeBase "file:${localRepository}/org/hibernate/hibernate-validator/${proj
 grant codeBase "file:${basedir}/../engine/target/hibernate-validator-${project.version}.jar" {
     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
     permission java.lang.RuntimePermission "accessDeclaredMembers";
+    permission java.lang.RuntimePermission "setContextClassLoader";
 
     // JAXB
     permission java.util.PropertyPermission "mapAnyUriToUri", "read";