Security Manager issue with TypeReference #347

Closed
dadoonet opened this issue Jan 21, 2017 · 3 comments

@dadoonet

This issue is coming from this report: Azure/autorest-clientruntime-for-java#136
Source of this report is here: elastic/elasticsearch#22679

Copying and pasting here the full stack trace:

java.util.concurrent.ExecutionException: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
	at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:357) ~[?:1.8.0_60]
	at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:1895) ~[?:1.8.0_60]
	at org.elasticsearch.discovery.zen.ZenDiscovery.pingAndWait(ZenDiscovery.java:1000) [elasticsearch-6.0.0-alpha1-SNAPSHOT.jar:6.0.0-alpha1-SNAPSHOT]
	at org.elasticsearch.discovery.zen.ZenDiscovery.findMaster(ZenDiscovery.java:860) [elasticsearch-6.0.0-alpha1-SNAPSHOT.jar:6.0.0-alpha1-SNAPSHOT]
	at org.elasticsearch.discovery.zen.ZenDiscovery.innerJoinCluster(ZenDiscovery.java:372) [elasticsearch-6.0.0-alpha1-SNAPSHOT.jar:6.0.0-alpha1-SNAPSHOT]
	at org.elasticsearch.discovery.zen.ZenDiscovery.access$3800(ZenDiscovery.java:80) [elasticsearch-6.0.0-alpha1-SNAPSHOT.jar:6.0.0-alpha1-SNAPSHOT]
	at org.elasticsearch.discovery.zen.ZenDiscovery$JoinThreadControl$1.run(ZenDiscovery.java:1176) [elasticsearch-6.0.0-alpha1-SNAPSHOT.jar:6.0.0-alpha1-SNAPSHOT]
	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:458) [elasticsearch-6.0.0-alpha1-SNAPSHOT.jar:6.0.0-alpha1-SNAPSHOT]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:1.8.0_60]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:1.8.0_60]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_60]
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_60]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_60]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_60]
	at java.lang.Class.checkMemberAccess(Class.java:2348) ~[?:1.8.0_60]
	at java.lang.Class.getEnclosingMethod(Class.java:1037) ~[?:1.8.0_60]
	at sun.reflect.generics.scope.ClassScope.computeEnclosingScope(ClassScope.java:50) ~[?:?]
	at sun.reflect.generics.scope.AbstractScope.getEnclosingScope(AbstractScope.java:78) ~[?:?]
	at sun.reflect.generics.scope.AbstractScope.lookup(AbstractScope.java:96) ~[?:?]
	at sun.reflect.generics.factory.CoreReflectionFactory.findTypeVariable(CoreReflectionFactory.java:110) ~[?:?]
	at sun.reflect.generics.visitor.Reifier.visitTypeVariableSignature(Reifier.java:165) ~[?:?]
	at sun.reflect.generics.tree.TypeVariableSignature.accept(TypeVariableSignature.java:43) ~[?:?]
	at sun.reflect.generics.visitor.Reifier.reifyTypeArguments(Reifier.java:68) ~[?:?]
	at sun.reflect.generics.visitor.Reifier.visitClassTypeSignature(Reifier.java:138) ~[?:?]
	at sun.reflect.generics.tree.ClassTypeSignature.accept(ClassTypeSignature.java:49) ~[?:?]
	at sun.reflect.generics.repository.ClassRepository.getSuperclass(ClassRepository.java:90) ~[?:?]
	at java.lang.Class.getGenericSuperclass(Class.java:777) ~[?:1.8.0_60]
	at com.fasterxml.jackson.core.type.TypeReference.<init>(TypeReference.java:33) ~[jackson-core-2.8.6.jar:2.8.6]
	at com.microsoft.rest.serializer.JacksonMapperAdapter$1.<init>(JacksonMapperAdapter.java:179) ~[?:?]
	at com.microsoft.rest.serializer.JacksonMapperAdapter.deserialize(JacksonMapperAdapter.java:179) ~[?:?]
	at com.microsoft.rest.ServiceResponseBuilder.buildBody(ServiceResponseBuilder.java:289) ~[?:?]
	at com.microsoft.rest.ServiceResponseBuilder.build(ServiceResponseBuilder.java:141) ~[?:?]
	at com.microsoft.azure.management.compute.implementation.VirtualMachinesInner.listAllDelegate(VirtualMachinesInner.java:1201) ~[?:?]
	at com.microsoft.azure.management.compute.implementation.VirtualMachinesInner.access$700(VirtualMachinesInner.java:46) ~[?:?]
	at com.microsoft.azure.management.compute.implementation.VirtualMachinesInner$42.call(VirtualMachinesInner.java:1191) ~[?:?]
	at com.microsoft.azure.management.compute.implementation.VirtualMachinesInner$42.call(VirtualMachinesInner.java:1187) ~[?:?]
	at rx.internal.operators.OnSubscribeMap$MapSubscriber.onNext(OnSubscribeMap.java:69) ~[?:?]
	at retrofit2.adapter.rxjava.RxJavaCallAdapterFactory$RequestArbiter.request(RxJavaCallAdapterFactory.java:173) ~[?:?]
	at rx.Subscriber.setProducer(Subscriber.java:211) ~[?:?]
	at rx.internal.operators.OnSubscribeMap$MapSubscriber.setProducer(OnSubscribeMap.java:102) ~[?:?]
	at retrofit2.adapter.rxjava.RxJavaCallAdapterFactory$CallOnSubscribe.call(RxJavaCallAdapterFactory.java:152) ~[?:?]
	at retrofit2.adapter.rxjava.RxJavaCallAdapterFactory$CallOnSubscribe.call(RxJavaCallAdapterFactory.java:138) ~[?:?]
	at rx.Observable.unsafeSubscribe(Observable.java:9861) ~[?:?]
	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:48) ~[?:?]
	at rx.internal.operators.OnSubscribeMap.call(OnSubscribeMap.java:33) ~[?:?]
	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) ~[?:?]
	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) ~[?:?]
	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) ~[?:?]
	at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) ~[?:?]
	at rx.Observable.subscribe(Observable.java:9957) ~[?:?]
	at rx.Observable.subscribe(Observable.java:9924) ~[?:?]
	at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:445) ~[?:?]
	at rx.observables.BlockingObservable.single(BlockingObservable.java:342) ~[?:?]
	at com.microsoft.azure.management.compute.implementation.VirtualMachinesInner.listAll(VirtualMachinesInner.java:1113) ~[?:?]
	at com.microsoft.azure.management.compute.implementation.VirtualMachinesImpl.list(VirtualMachinesImpl.java:63) ~[?:?]
	at org.elasticsearch.cloud.azure.arm.AzureManagementServiceImpl.lambda$getVirtualMachines$1(AzureManagementServiceImpl.java:100) ~[?:?]

And also Ryan's comment:

That looks like an issue in jackson itself. The TypeReference ctor calls Class.getGenericSuperclass(), which from an anonymous class requires that permission (and the adaptor in azure creates an anonymous TypeReference instance). It seems like a web of complicated design that may not be possible to untangle (even with a flat jar).

The code which creates this call is:

    @Override
    @SuppressWarnings("unchecked")
    public <T> T deserialize(String value, final Type type) throws IOException {
        if (value == null || value.isEmpty()) {
            return null;
        }
        return (T) serializer().readValue(value, new TypeReference<T>() {
            @Override
            public Type getType() {
                return type;
            }
        });
    }

@cowtowncoder
Member

Sounds unfortunate, but I am not quite sure why Class.getGenericSuperClass() should be problematic compared to, say, getSuperClassClass(), from JVM perspective.
Use of this method is not really optional since it is what is used to resolve not just class relationship but also type bindings, for simplest of cases like:

    TypeReference ref = new TypeReference<Map<String,POJO>>() { };

I guess failure is related to specific classes (as in some internal classes being hidden, access forbidden or restricted), if not a bug (which would have been my first guess).
But if so it'd be necessary to figure a way to avoid such class, using default JDK methods.

I am open to workarounds if need be to work around this, esp. if there was some way to reproduce the issue without running on Azure (i.e. regression test on vanilla JDK, perhaps with custom SecurityManager?)
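A stand-alone reproduction along the lines asked for above, added here as an example and not code from this thread or from Jackson: `TypeRef` is a hypothetical stand-in for `TypeReference` that models only the `getGenericSuperclass()` call in its constructor, and `DenyDeclaredMembers` is a constructed policy. It assumes a JDK that still lets a SecurityManager be installed at run time (8 through 17 by default).

```java
import java.lang.reflect.Type;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.List;

public class TypeRefSecurityManagerRepro {
    // Stand-in for Jackson's TypeReference (assumption: only the constructor's
    // getGenericSuperclass() call, visible in the stack trace, is modelled).
    abstract static class TypeRef<T> {
        final Type type;
        protected TypeRef() { type = getClass().getGenericSuperclass(); }
    }

    // Constructed policy: deny only accessDeclaredMembers, allow everything else.
    static final class DenyDeclaredMembers extends SecurityManager {
        @Override public void checkPermission(Permission p) {
            if (p instanceof RuntimePermission && "accessDeclaredMembers".equals(p.getName())) {
                throw new AccessControlException("access denied", p);
            }
        }
        @Override public void checkPermission(Permission p, Object context) { checkPermission(p); }
    }

    // Concrete type arguments: no type variable has to be looked up.
    static TypeRef<List<String>> concrete() { return new TypeRef<List<String>>() { }; }

    // Same shape as the adapter code in the report: the anonymous class names the
    // method's type variable T, so the JDK resolves it through getEnclosingMethod().
    static <T> TypeRef<T> withMethodTypeVariable() { return new TypeRef<T>() { }; }

    public static void main(String[] args) {
        boolean concreteOk = false;
        boolean variableDenied = false;
        System.setSecurityManager(new DenyDeclaredMembers());
        try {
            concreteOk = concrete().type != null;
            try {
                withMethodTypeVariable();
            } catch (SecurityException expected) {
                variableDenied = true;
            }
        } finally {
            System.setSecurityManager(null); // allowed: the policy denies one permission only
        }
        System.out.println("concrete type arguments resolved: " + concreteOk);
        System.out.println("method type variable denied: " + variableDenied);
        if (!concreteOk || !variableDenied) throw new AssertionError("unexpected result");
    }
}
```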

@dadoonet
Author

Azure/autorest-clientruntime-for-java#136 is now closed as they found a workaround.
I'm closing this one then.

Thanks for your time @cowtowncoder!

@cowtowncoder
Member

@dadoonet Thank you for the follow up, glad there is a work-around.
