GSON on Google App Engine throws a Security Exception

4 views
Skip to first unread message

Legend via StackOverflow

unread,
Jan 19, 2017, 6:24:06 AM1/19/17
to google-appengin...@googlegroups.com

I am trying to convert an object into JSON using the GSON library on Google App Engine. For some reason, it throws this exception and I don't understand how to solve this. Any suggestions?

java.lang.SecurityException: java.lang.IllegalAccessException: Reflection is not allowed on private static final int java.util.BitSet.ADDRESS_BITS_PER_WORD
    at com.google.appengine.runtime.Request.process-8d5b435d6736643f(Request.java)
    at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:29)
    at com.google.gson.ObjectNavigator.navigateClassFields(ObjectNavigator.java:141)
    at com.google.gson.ObjectNavigator.accept(ObjectNavigator.java:123)
    at com.google.gson.JsonSerializationVisitor.getJsonElementForChild(JsonSerializationVisitor.java:148)
    at com.google.gson.JsonSerializationVisitor.addAsArrayElement(JsonSerializationVisitor.java:139)
    at com.google.gson.JsonSerializationVisitor.visitArray(JsonSerializationVisitor.java:83)
    at com.google.gson.ObjectNavigator.accept(ObjectNavigator.java:109)
    at com.google.gson.JsonSerializationVisitor.getJsonElementForChild(JsonSerializationVisitor.java:148)
    at com.google.gson.JsonSerializationVisitor.addAsChildOfObject(JsonSerializationVisitor.java:126)
    at com.google.gson.JsonSerializationVisitor.visitArrayField(JsonSerializationVisitor.java:95)
    at com.google.gson.ObjectNavigator.navigateClassFields(ObjectNavigator.java:154)
    at com.google.gson.ObjectNavigator.accept(ObjectNavigator.java:123)
    at com.google.gson.JsonSerializationContextDefault.serialize(JsonSerializationContextDefault.java:56)
    at com.google.gson.Gson.toJsonTree(Gson.java:230)
    at com.google.gson.Gson.toJson(Gson.java:315)
    at com.google.gson.Gson.toJson(Gson.java:270)
    at com.google.gson.Gson.toJson(Gson.java:250)
    at companionmodel.Sample_Model_PopulateServlet.printOutput(Sample_Model_PopulateServlet.java:59)
    at companionmodel.Sample_Model_PopulateServlet.doGet(Sample_Model_PopulateServlet.java:28)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
    at com.google.apphosting.utils.servlet.ParseBlobUploadFilter.doFilter(ParseBlobUploadFilter.java:97)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.apphosting.runtime.jetty.SaveSessionFilter.doFilter(SaveSessionFilter.java:35)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at com.google.apphosting.utils.servlet.TransactionCleanupFilter.doFilter(TransactionCleanupFilter.java:43)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at com.google.apphosting.runtime.jetty.AppVersionHandlerMap.handle(AppVersionHandlerMap.java:238)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:923)
    at com.google.apphosting.runtime.jetty.RpcRequestParser.parseAvailable(RpcRequestParser.java:76)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    at com.google.apphosting.runtime.jetty.JettyServletEngineAdapter.serviceRequest(JettyServletEngineAdapter.java:135)
    at com.google.apphosting.runtime.JavaRuntime.handleRequest(JavaRuntime.java:250)
    at com.google.apphosting.base.RuntimePb$EvaluationRuntime$6.handleBlockingRequest(RuntimePb.java:5838)
    at com.google.apphosting.base.RuntimePb$EvaluationRuntime$6.handleBlockingRequest(RuntimePb.java:5836)
    at com.google.net.rpc.impl.BlockingApplicationHandler.handleRequest(BlockingApplicationHandler.java:24)
    at com.google.net.rpc.impl.RpcUtil.runRpcInApplication(RpcUtil.java:398)
    at com.google.net.rpc.impl.Server$2.run(Server.java:852)
    at com.google.tracing.LocalTraceSpanRunnable.run(LocalTraceSpanRunnable.java:56)
    at com.google.tracing.LocalTraceSpanBuilder.internalContinueSpan(LocalTraceSpanBuilder.java:576)
    at com.google.net.rpc.impl.Server.startRpc(Server.java:807)
    at com.google.net.rpc.impl.Server.processRequest(Server.java:369)
    at com.google.net.rpc.impl.ServerConnection.messageReceived(ServerConnection.java:442)
    at com.google.net.rpc.impl.RpcConnection.parseMessages(RpcConnection.java:319)
    at com.google.net.rpc.impl.RpcConnection.dataReceived(RpcConnection.java:290)
    at com.google.net.async.Connection.handleReadEvent(Connection.java:474)
    at com.google.net.async.EventDispatcher.processNetworkEvents(EventDispatcher.java:831)
    at com.google.net.async.EventDispatcher.internalLoop(EventDispatcher.java:207)
    at com.google.net.async.EventDispatcher.loop(EventDispatcher.java:103)
    at com.google.net.rpc.RpcService.runUntilServerShutdown(RpcService.java:251)
    at com.google.apphosting.runtime.JavaRuntime$RpcRunnable.run(JavaRuntime.java:413)
    at java.lang.Thread.run(Unknown Source)

Code I am using:

Gson gson = new Gson();
String json = gson.toJson(modelObject);


Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/3002714/gson-on-google-app-engine-throws-a-security-exception

Legend via StackOverflow

unread,
Jan 19, 2017, 6:24:08 AM1/19/17
to google-appengin...@googlegroups.com

If App Engine does not support Reflection, then we are pretty much left to write our own toJSON method. This can be done as follows (not a big deal but someone might find it useful):

public SampleObject {

  //...

  /**
   * Convert this object to a JSON object for representation
   */
  public JSONObject toJSON() {
    try {
       JSONObject jsonobj = new JSONObject();
       jsonobj.put("id", this.id);
       jsonobj.put("name", this.name);
       return jsonobj;
    } catch(Exception e) {
       return null;
    }
  }
}

Then, you can use a toString method on this object to print out the JSON representation. Not the best I agree but some workaround for now.



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/3002714/gson-on-google-app-engine-throws-a-security-exception/3002877#3002877

Ash Kim via StackOverflow

unread,
Jan 19, 2017, 6:24:10 AM1/19/17
to google-appengin...@googlegroups.com

The app engine does support reflection - however you are trying to reflect on a private field of a JRE class:

Reflection

An application is allowed full, unrestricted, reflective access to its own classes. It may query any private members, use java.lang.reflect.AccessibleObject.setAccessible(), and read/set private members.

An application can also also reflect on JRE and API classes, such as java.lang.String and javax.servlet.http.HttpServletRequest. However, it can only access public members of these classes, not protected or private.

An application cannot reflect against any other classes not belonging to itself, and it can not use the setAccessible() method to circumvent these restrictions.

...from http://code.google.com/appengine/docs/java/runtime.html#The_Sandbox:

I'd consider writing a custom serializer for Bitset.

See: http://sites.google.com/site/gson/gson-user-guide#TOC-Custom-Serialization-and-Deserializ

Also: http://groups.google.com/group/google-gson/browse_thread/thread/535892ffcf691aa/897f27e37e03ce58?lnk=gst&q=bitset#897f27e37e03ce58

http://groups.google.com/group/google-gson/browse_thread/thread/535892ffcf691aa



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/3002714/gson-on-google-app-engine-throws-a-security-exception/3007044#3007044

Vasiliy via StackOverflow

unread,
Jan 19, 2017, 6:24:12 AM1/19/17
to google-appengin...@googlegroups.com

You can construct GsonBuilder with .excludeFieldsWithoutExposeAnnotation(), and mark all serialized fields with @Expose annotation. In this case, Gson doesn't try to serialize fields other that you want.

GsonBuilder gsonBuilder = new GsonBuilder();
gsonBuilder.excludeFieldsWithoutExposeAnnotation();
String json = gsonBuilder.create().toJson(modelObject);


Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/3002714/gson-on-google-app-engine-throws-a-security-exception/3466270#3466270

Savio Sebastian via StackOverflow

unread,
Jan 19, 2017, 6:24:14 AM1/19/17
to google-appengin...@googlegroups.com

I experienced a similar problem recently.

I was running Gson to parse JSON and it worked well for a long time so I didn't worry about GAE not allowing Reflection on it's platform.

I introduced a HashMap the Form class and it worked well in my local system with Gson doing JSON Parse perfectly.

But when I deployed that code to the Google App Engine Cloud it failed with the following exception:

java.lang.SecurityException: java.lang.IllegalAccessException: Reflection is not allowed on private final int java.lang.ThreadLocal.threadLocalHashCode

So now I've switched to Jackson JSON Parser which is faster and does not use reflection - but yes - more work.



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/3002714/gson-on-google-app-engine-throws-a-security-exception/41740535#41740535
Reply all
Reply to author
Forward
0 new messages