Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using geoip2-java without granting the 'suppressAccessChecks' permission #51

Closed
martijnvg opened this issue Dec 7, 2015 · 4 comments
Closed

Using geoip2-java without granting the 'suppressAccessChecks' permission #51

martijnvg opened this issue Dec 7, 2015 · 4 comments

Comments

@martijnvg
Copy link
Contributor

The way jackson-databind is being used, is that it always uses reflection to suppress access checking in order to deserialise into the geoip2 model classes. This doesn't have to be way and jackson-databind can also be used without suppressing access checks. The jackson-databind's ObjectMapper needs be configured to not overwrite access modifiers ObjectMapper#configure(MapperFeature.CAN_OVERRIDE_ACCESS_MODIFIERS, false) and the model classes would then also need to have public getters/setters or public constructors. I'm wondering if using reflection to suppress access checking was chosen for a particular reason. It would be great if geoip2-java can be used without the suppressAccessChecks permission.

We're currently developing a pipeline framework to enrich data before indexing:
elastic/elasticsearch#14049

and are using geoip for geo lookups: https://github.com/elastic/elasticsearch/blob/feature/ingest/plugins/ingest/src/main/java/org/elasticsearch/ingest/processor/geoip/GeoIpProcessor.java#L47

Elasticsearch runs with the security manager enabled and doesn't allow suppressing access checks. Because this pipeline framework is a plugin we can specifically allow it in specifically privilege code blocks, but we prefer to use geoip2 without setting the suppressAccessChecks privilege at all.
@oschwald
Copy link
Member

oschwald commented Dec 7, 2015

The model classes are intentionally immutable. However, it might be possible to make Jackson use a constructor rather than overriding the access modifier.

@martijnvg
Copy link
Contributor Author

Hey @oschwald this looks possible. If I add a constructor to one of the model classes and move the annotations to the parameters then the model classes get constructed correctly.

@martijnvg
Copy link
Contributor Author

Would a change that makes Jackson use the constructor of the model classes instead of overriding the access modifiers be accepted?

@oschwald
Copy link
Member

Yes, definitely, as long as it did not otherwise change the API and included any additional tests necessary.

martijnvg added a commit to martijnvg/GeoIP2-java that referenced this issue Dec 16, 2015
@martijnvg
Configure jackson-databind to not suppress access checks.
41de1c9 
Because of this change all model classes have now annotated constructors.

This allows geoip2 to be run in secured environments without enabling suppressAccessChecks permission.

Closes maxmind#51
@martijnvg martijnvg mentioned this issue Dec 16, 2015
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@oschwald @martijnvg