SecurityException with ByteBuddy and Signed Application Jars

Using 5.3.0, with signed application jars, and a security policy in place, Hibernate initialization is failing with the SecurityException stack trace below. I am not familiar with ByteBuddy, but maybe the ProtectionDomain needs to be specified when loading the instrumented proxy classes? (kind of like https://stackoverflow.com/questions/42184038/strategy-for-intercepting-signed-classes?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa).

I’ve worked around this for now by setting hibernate.bytecode.provider to javassist on the JVM command line as a system property (I could not get Hibernate to recognize that property in my Hibernate props file).

I’ll take a look through the source and see if anything obvious jumps out at me.
If you want me to throw something in Jira, please let me know.

Thanks,
John

Caused by: org.hibernate.MappingException: Could not get constructor for org.hibernate.persister.entity.SingleTableEntityPersister
	at org.hibernate.persister.internal.PersisterFactoryImpl.createEntityPersister(PersisterFactoryImpl.java:123)
	at org.hibernate.persister.internal.PersisterFactoryImpl.createEntityPersister(PersisterFactoryImpl.java:77)
	at org.hibernate.metamodel.internal.MetamodelImpl.initialize(MetamodelImpl.java:137)
	at org.hibernate.internal.SessionFactoryImpl.<init>(SessionFactoryImpl.java:295)
	at org.hibernate.boot.internal.SessionFactoryBuilderImpl.build(SessionFactoryBuilderImpl.java:467)
	at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:886)
	... 15 common frames omitted
Caused by: org.hibernate.HibernateException: Unable to instantiate default tuplizer [org.hibernate.tuple.entity.PojoEntityTuplizer]
	at org.hibernate.tuple.entity.EntityTuplizerFactory.constructTuplizer(EntityTuplizerFactory.java:91)
	at org.hibernate.tuple.entity.EntityTuplizerFactory.constructDefaultTuplizer(EntityTuplizerFactory.java:116)
	at org.hibernate.tuple.entity.EntityMetamodel.<init>(EntityMetamodel.java:382)
	at org.hibernate.persister.entity.AbstractEntityPersister.<init>(AbstractEntityPersister.java:551)
	at org.hibernate.persister.entity.SingleTableEntityPersister.<init>(SingleTableEntityPersister.java:124)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at org.hibernate.persister.internal.PersisterFactoryImpl.createEntityPersister(PersisterFactoryImpl.java:96)
	... 20 common frames omitted
Caused by: java.lang.reflect.InvocationTargetException: null
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
	at java.lang.reflect.Constructor.newInstance(Unknown Source)
	at org.hibernate.tuple.entity.EntityTuplizerFactory.constructTuplizer(EntityTuplizerFactory.java:88)
	... 29 common frames omitted
Caused by: java.lang.IllegalArgumentException: Could not create type
	at net.bytebuddy.TypeCache.findOrInsert(TypeCache.java:140)
	at net.bytebuddy.TypeCache$WithInlineExpunction.findOrInsert(TypeCache.java:346)
	at net.bytebuddy.TypeCache.findOrInsert(TypeCache.java:161)
	at net.bytebuddy.TypeCache$WithInlineExpunction.findOrInsert(TypeCache.java:355)
	at org.hibernate.proxy.pojo.bytebuddy.ByteBuddyProxyFactory.buildProxy(ByteBuddyProxyFactory.java:102)
	at org.hibernate.proxy.pojo.bytebuddy.ByteBuddyProxyFactory.postInstantiate(ByteBuddyProxyFactory.java:80)
	at org.hibernate.tuple.entity.PojoEntityTuplizer.buildProxyFactory(PojoEntityTuplizer.java:162)
	at org.hibernate.tuple.entity.AbstractEntityTuplizer.<init>(AbstractEntityTuplizer.java:156)
	at org.hibernate.tuple.entity.PojoEntityTuplizer.<init>(PojoEntityTuplizer.java:58)
	... 34 common frames omitted
Caused by: java.lang.IllegalStateException: Error invoking java.lang.ClassLoader#defineClass
	at net.bytebuddy.dynamic.loading.ClassInjector$UsingReflection$Dispatcher$Direct.defineClass(ClassInjector.java:412)
	at net.bytebuddy.dynamic.loading.ClassInjector$UsingReflection.inject(ClassInjector.java:185)
	at net.bytebuddy.dynamic.loading.ClassLoadingStrategy$Default$InjectionDispatcher.load(ClassLoadingStrategy.java:187)
	at net.bytebuddy.dynamic.loading.ClassLoadingStrategy$Default.load(ClassLoadingStrategy.java:120)
	at net.bytebuddy.dynamic.TypeResolutionStrategy$Passive.initialize(TypeResolutionStrategy.java:79)
	at net.bytebuddy.dynamic.DynamicType$Default$Unloaded.load(DynamicType.java:4457)
	at net.bytebuddy.dynamic.DynamicType$Default$Unloaded.load(DynamicType.java:4447)
	at org.hibernate.proxy.pojo.bytebuddy.ByteBuddyProxyFactory.lambda$buildProxy$1(ByteBuddyProxyFactory.java:116)
	at net.bytebuddy.TypeCache.findOrInsert(TypeCache.java:138)
	... 42 common frames omitted
Caused by: java.lang.SecurityException: class "com.fred.flintstone.entity.task.TestRunTask$HibernateProxy$yYbBct5p"'s signer information does not match signer information of other classes in the same package
	at java.lang.ClassLoader.checkCerts(Unknown Source)
	at java.lang.ClassLoader.preDefineClass(Unknown Source)
	at java.lang.ClassLoader.defineClass(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at net.bytebuddy.dynamic.loading.ClassInjector$UsingReflection$Dispatcher$Direct.defineClass(ClassInjector.java:408)
	... 50 common frames omitted

Hi @John_Casebolt ,

You’re right: there’s an issue with how proxies are created with ByteBuddy: the protection domain is completely ignored. We need to fix this.

I created https://hibernate.atlassian.net/browse/HHH-12614 to track this issue.

Thanks for the report.

I added some links Rafael provided us related to fixing it.

Thanks, guys - and continuing thanks for such a great product!

@John_Casebolt

Any chance you could try my branch here:

git clone git@github.com:gsmet/hibernate-orm.git
cd hibernate-orm
git checkout HHH-12614
./gradlew publishToMavenLocal

Then use the 5.3.1-SNAPSHOT artifacts obtained.

We are in a bit of a hurry to release 5.3.1.Final for inclusion into the next WildFly so it would be nice if you could validate it before the end of the day (sorry for the pressure)!

Thanks!

@gsmet -

Went to verify the fix this morning, but am not able to clone:

~/src casebolt@maiden> git clone git@github.com:gsmet/hibernate-orm.git
Cloning into 'hibernate-orm'...
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I am happy to try again once you tweak things…

John

@John_Casebolt Ah, sorry, maybe this one is not usable without being connected to GitHub.

Could you try:

git clone https://github.com/gsmet/hibernate-orm.git

instead?

It should work better.

@gsmet -

I was able to checkout/build/integrate/test from your issue branch.
Things are looking great - I was able to successfully start my application with a security policy enabled.

Thanks again!

John

@John_Casebolt cool, thanks for confirming that.

ORM 5.3.1 should be released very soon with this fix included.
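
The mechanism discussed in this thread, as an added example that is not part of the original posts and is not Hibernate's code: a Byte Buddy subclass is injected with the base class's ProtectionDomain, so the generated class carries the same signer certificates as the rest of its package. `SignedProxyExample` and `TaskEntity` are constructed names; the example assumes Byte Buddy on the classpath and a Java 8 runtime like the one in the stack trace.

```java
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.Arrays;

import net.bytebuddy.ByteBuddy;
import net.bytebuddy.dynamic.loading.ClassLoadingStrategy;

public class SignedProxyExample {

    /** Constructed stand-in for a mapped entity class shipped in a signed jar. */
    public static class TaskEntity { }

    /**
     * Generates a subclass of base (Byte Buddy names it in base's package) and
     * injects it into base's class loader using base's ProtectionDomain.
     * ClassLoader.defineClass then sees the CodeSource certificates of the
     * signed jar instead of a default domain without certificates, which is
     * what ClassLoader.checkCerts rejects for a signed package.
     */
    static Class<?> defineProxy(Class<?> base) {
        ProtectionDomain domain = base.getProtectionDomain();
        return new ByteBuddy()
                .subclass(base)
                .make()
                .load(base.getClassLoader(),
                      ClassLoadingStrategy.Default.INJECTION.with(domain))
                .getLoaded();
    }

    /** Class.getSigners() is null for unsigned classes; Arrays.equals treats two nulls as equal. */
    static boolean sameSigners(Class<?> a, Class<?> b) {
        return Arrays.equals(a.getSigners(), b.getSigners());
    }

    public static void main(String[] args) {
        Class<?> proxy = defineProxy(TaskEntity.class);
        CodeSource source = proxy.getProtectionDomain().getCodeSource();
        System.out.println("proxy class:  " + proxy.getName());
        System.out.println("code source:  " + (source == null ? null : source.getLocation()));
        // Run from a signed jar, this confirms the proxy inherited the jar's signers.
        System.out.println("same signers: " + sameSigners(TaskEntity.class, proxy));
    }
}
```

Packaging this class in a signed jar and replacing the strategy with plain `ClassLoadingStrategy.Default.INJECTION` is a way to compare against the behaviour reported in the first post.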