From 50446a33dd88b7533ae263d445e9e666bd8ac59b Mon Sep 17 00:00:00 2001 From: Miroslav Kos Date: Fri, 18 Jul 2014 19:14:38 +0200 Subject: [PATCH] 8038970: Deprivilege JAX-WS/JAF code Changes to prepare for granting minimal set of permissions to JAX-WS code. Reviewed-by: mchung --- .../javax/activation/CommandMap.java | 9 ++- .../javax/activation/FileTypeMap.java | 8 +- .../v2/model/nav/ReflectionNavigator.java | 78 +++++++++++++------ .../internal/bind/v2/runtime/JaxBeanInfo.java | 17 +++- .../bind/v2/runtime/reflect/Accessor.java | 3 +- .../bind/v2/runtime/reflect/opt/Injector.java | 39 ++++++---- .../api/streaming/XMLStreamWriterFactory.java | 28 +++++-- .../ws/assembler/MetroConfigLoader.java | 20 +---- .../internal/ws/assembler/TubeCreator.java | 4 +- .../assembler/TubelineAssemblyController.java | 7 +- .../internal/ws/client/WSServiceDelegate.java | 18 ++--- .../internal/ws/fault/SOAPFaultBuilder.java | 13 +--- .../sun/xml/internal/ws/model/Injector.java | 44 ++++++----- 13 files changed, 163 insertions(+), 125 deletions(-) diff --git a/jaxws/src/share/jaf_classes/javax/activation/CommandMap.java b/jaxws/src/share/jaf_classes/javax/activation/CommandMap.java index 93393377a06..d07ae3ec38b 100644 --- a/jaxws/src/share/jaf_classes/javax/activation/CommandMap.java +++ b/jaxws/src/share/jaf_classes/javax/activation/CommandMap.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -93,10 +93,11 @@ public abstract class CommandMap { // otherwise, we also allow it if this code and the // factory come from the same (non-system) class loader (e.g., // the JAF classes were loaded with the applet classes). - if (CommandMap.class.getClassLoader() == null || - CommandMap.class.getClassLoader() != - commandMap.getClass().getClassLoader()) + ClassLoader cl = CommandMap.class.getClassLoader(); + if (cl == null || cl.getParent() == null || + cl != commandMap.getClass().getClassLoader()) { throw ex; + } } } // remove any per-thread-context-class-loader CommandMap diff --git a/jaxws/src/share/jaf_classes/javax/activation/FileTypeMap.java b/jaxws/src/share/jaf_classes/javax/activation/FileTypeMap.java index a7c41185273..313998a6aec 100644 --- a/jaxws/src/share/jaf_classes/javax/activation/FileTypeMap.java +++ b/jaxws/src/share/jaf_classes/javax/activation/FileTypeMap.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -96,9 +96,9 @@ public abstract class FileTypeMap { // otherwise, we also allow it if this code and the // factory come from the same (non-system) class loader (e.g., // the JAF classes were loaded with the applet classes). - if (FileTypeMap.class.getClassLoader() == null || - FileTypeMap.class.getClassLoader() != - fileTypeMap.getClass().getClassLoader()) + ClassLoader cl = FileTypeMap.class.getClassLoader(); + if (cl == null || cl.getParent() == null || + cl != fileTypeMap.getClass().getClassLoader()) throw ex; } } diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/model/nav/ReflectionNavigator.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/model/nav/ReflectionNavigator.java index 7f25c89d688..7d86d087ffc 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/model/nav/ReflectionNavigator.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/model/nav/ReflectionNavigator.java @@ -35,6 +35,8 @@ import java.lang.reflect.ParameterizedType; import java.lang.reflect.Type; import java.lang.reflect.TypeVariable; import java.lang.reflect.WildcardType; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Arrays; import java.util.Collection; @@ -264,20 +266,38 @@ import com.sun.xml.internal.bind.v2.runtime.Location; return clazz.getSimpleName(); } - public Collection getDeclaredFields(Class clazz) { - return Arrays.asList(clazz.getDeclaredFields()); + public Collection getDeclaredFields(final Class clazz) { + Field[] fields = AccessController.doPrivileged(new PrivilegedAction() { + @Override + public Field[] run() { + return clazz.getDeclaredFields(); + } + }); + return Arrays.asList(fields); } - public Field getDeclaredField(Class clazz, String fieldName) { - try { - return clazz.getDeclaredField(fieldName); - } catch (NoSuchFieldException e) { - return null; - } + public Field getDeclaredField(final Class clazz, final String fieldName) { + return AccessController.doPrivileged(new PrivilegedAction() { + @Override + public Field run() { + try { + return clazz.getDeclaredField(fieldName); + } catch (NoSuchFieldException e) { + return null; + } + } + }); } - public Collection getDeclaredMethods(Class clazz) { - return Arrays.asList(clazz.getDeclaredMethods()); + public Collection getDeclaredMethods(final Class clazz) { + Method[] methods = + AccessController.doPrivileged(new PrivilegedAction() { + @Override + public Method[] run() { + return clazz.getDeclaredMethods(); + } + }); + return Arrays.asList(methods); } public Class getDeclaringClassForField(Field field) { @@ -565,7 +585,7 @@ import com.sun.xml.internal.bind.v2.runtime.Location; return method.isBridge(); } - public boolean isOverriding(Method method, Class base) { + public boolean isOverriding(Method method, final Class base) { // this isn't actually correct, // as the JLS considers // class Derived extends Base { @@ -576,22 +596,30 @@ import com.sun.xml.internal.bind.v2.runtime.Location; // } // to be overrided. Handling this correctly needs a careful implementation - String name = method.getName(); - Class[] params = method.getParameterTypes(); + final String name = method.getName(); + final Class[] params = method.getParameterTypes(); - while (base != null) { - try { - if (base.getDeclaredMethod(name, params) != null) { - return true; + return AccessController.doPrivileged( + new PrivilegedAction() { + + @Override + public Boolean run() { + Class clazz = base; + while (clazz != null) { + try { + Method m = clazz.getDeclaredMethod(name, params); + if (m != null) { + return Boolean.TRUE; + } + } catch (NoSuchMethodException ignored) { + // recursively go into the base class + } + clazz = clazz.getSuperclass(); + } + return Boolean.FALSE; + } } - } catch (NoSuchMethodException e) { - // recursively go into the base class - } - - base = base.getSuperclass(); - } - - return false; + ); } public boolean isInterface(Class clazz) { diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/JaxBeanInfo.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/JaxBeanInfo.java index 059d9e32018..eaf696c4f29 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/JaxBeanInfo.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/JaxBeanInfo.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,8 @@ package com.sun.xml.internal.bind.v2.runtime; import java.io.IOException; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Arrays; import java.util.Collection; import java.util.Collections; @@ -415,6 +417,15 @@ public abstract class JaxBeanInfo { private static final Class[] unmarshalEventParams = { Unmarshaller.class, Object.class }; private static Class[] marshalEventParams = { Marshaller.class }; + private Method[] getDeclaredMethods(final Class c) { + return AccessController.doPrivileged(new PrivilegedAction() { + @Override + public Method[] run() { + return c.getDeclaredMethods(); + } + }); + } + /** * use reflection to determine which of the 4 object lifecycle methods exist on * the JAXB bound type. @@ -428,7 +439,7 @@ public abstract class JaxBeanInfo { } while (jt != null) { - for (Method m : jt.getDeclaredMethods()) { + for (Method m : getDeclaredMethods(jt)) { String name = m.getName(); if (lcm.beforeUnmarshal == null) { @@ -468,7 +479,7 @@ public abstract class JaxBeanInfo { } catch (SecurityException e) { // this happens when we don't have enough permission. logger.log(Level.WARNING, Messages.UNABLE_TO_DISCOVER_EVENTHANDLER.format( - jaxbType.getName(), e)); + jaxbType.getName(), e), e); } } diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/Accessor.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/Accessor.java index 7923cab28d7..e005de2e538 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/Accessor.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/Accessor.java @@ -229,8 +229,7 @@ public abstract class Accessor implements Receiver { if (!Modifier.isPublic(mod) || Modifier.isFinal(mod) || !Modifier.isPublic(f.getDeclaringClass().getModifiers())) { try { // attempt to make it accessible, but do so in the security context of the calling application. - // don't do this in the doPrivilege block, as that would create a security hole for anyone - // to make any field accessible. + // don't do this in the doPrivilege block f.setAccessible(true); } catch (SecurityException e) { if ((!accessWarned) && (!supressAccessorWarnings)) { diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/opt/Injector.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/opt/Injector.java index 78f4746abea..17c99557d9f 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/opt/Injector.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/opt/Injector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -146,26 +146,31 @@ final class Injector { private static final Method findLoadedClass; static { + Method[] m = AccessController.doPrivileged( + new PrivilegedAction() { + @Override + public Method[] run() { + return new Method[]{ + getMethod(ClassLoader.class, "defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE), + getMethod(ClassLoader.class, "resolveClass", Class.class), + getMethod(ClassLoader.class, "findLoadedClass", String.class) + }; + } + } + ); + defineClass = m[0]; + resolveClass = m[1]; + findLoadedClass = m[2]; + } + + private static Method getMethod(final Class c, final String methodname, final Class... params) { try { - defineClass = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE); - resolveClass = ClassLoader.class.getDeclaredMethod("resolveClass", Class.class); - findLoadedClass = ClassLoader.class.getDeclaredMethod("findLoadedClass", String.class); + Method m = c.getDeclaredMethod(methodname, params); + m.setAccessible(true); + return m; } catch (NoSuchMethodException e) { - // impossible throw new NoSuchMethodError(e.getMessage()); } - AccessController.doPrivileged(new PrivilegedAction() { - - @Override - public Void run() { - // TODO: check security implication - // do these setAccessible allow anyone to call these methods freely?s - defineClass.setAccessible(true); - resolveClass.setAccessible(true); - findLoadedClass.setAccessible(true); - return null; - } - }); } private Injector(ClassLoader parent) { diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/api/streaming/XMLStreamWriterFactory.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/api/streaming/XMLStreamWriterFactory.java index 6cff489ba7b..fa52778a9f1 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/api/streaming/XMLStreamWriterFactory.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/api/streaming/XMLStreamWriterFactory.java @@ -42,6 +42,8 @@ import java.io.OutputStream; import java.io.StringWriter; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.logging.Level; import java.util.logging.Logger; @@ -91,8 +93,6 @@ public abstract class XMLStreamWriterFactory { } } catch (XMLStreamException ex) { Logger.getLogger(XMLStreamWriterFactory.class.getName()).log(Level.INFO, null, ex); - } catch (NoSuchMethodException ex) { - Logger.getLogger(XMLStreamWriterFactory.class.getName()).log(Level.INFO, null, ex); } } @@ -282,17 +282,31 @@ public abstract class XMLStreamWriterFactory { return new Zephyr(xof,clazz); } catch (XMLStreamException e) { return null; // impossible - } catch (NoSuchMethodException e) { - return null; // this xof wasn't Zephyr } } - private Zephyr(XMLOutputFactory xof, Class clazz) throws NoSuchMethodException { + private Zephyr(XMLOutputFactory xof, Class clazz) { this.xof = xof; zephyrClass = clazz; - setOutputMethod = clazz.getMethod("setOutput", StreamResult.class, String.class); - resetMethod = clazz.getMethod("reset"); + setOutputMethod = getMethod(clazz, "setOutput", StreamResult.class, String.class); + resetMethod = getMethod(clazz, "reset"); + } + + private static Method getMethod(final Class c, final String methodname, final Class... params) { + return AccessController.doPrivileged( + new PrivilegedAction() { + @Override + public Method run() { + try { + return c.getMethod(methodname, params); + } catch (NoSuchMethodException e) { + // impossible + throw new NoSuchMethodError(e.getMessage()); + } + } + } + ); } /** diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java index 1e33628b0c1..966e1736aac 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -42,13 +42,12 @@ import javax.xml.bind.Unmarshaller; import javax.xml.stream.XMLInputFactory; import javax.xml.ws.WebServiceException; import java.lang.reflect.Method; -import java.lang.reflect.ReflectPermission; import java.net.MalformedURLException; import java.net.URI; import java.net.URISyntaxException; import java.net.URL; -import java.security.*; -import java.util.PropertyPermission; +import java.security.AccessController; +import java.security.PrivilegedExceptionAction; import java.util.logging.Level; /** @@ -258,24 +257,13 @@ class MetroConfigLoader { public JAXBContext run() throws Exception { return JAXBContext.newInstance(MetroConfig.class.getPackage().getName()); } - }, createSecurityContext() - ); + }); } else { // usage from JAX-WS/Metro/Glassfish return JAXBContext.newInstance(MetroConfig.class.getPackage().getName()); } } - private static AccessControlContext createSecurityContext() { - PermissionCollection perms = new Permissions(); - perms.add(new RuntimePermission("accessClassInPackage.com" + ".sun.xml.internal.ws.runtime.config")); // avoid repackaging - perms.add(new ReflectPermission("suppressAccessChecks")); - return new AccessControlContext( - new ProtectionDomain[]{ - new ProtectionDomain(null, perms), - }); - } - private static boolean isJDKInternal() { // avoid "string repackaging" return MetroConfigLoader.class.getName().startsWith("com." + "sun.xml.internal.ws"); diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubeCreator.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubeCreator.java index d0e980ce937..d68f854c38f 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubeCreator.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubeCreator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -49,7 +49,7 @@ final class TubeCreator { try { Class factoryClass; if (isJDKInternal(className)) { - factoryClass = Class.forName(className, true, null); + factoryClass = Class.forName(className, true, TubeCreator.class.getClassLoader()); } else { factoryClass = Class.forName(className, true, tubeFactoryClassLoader); } diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubelineAssemblyController.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubelineAssemblyController.java index 3f925581a85..a82c491e7fc 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubelineAssemblyController.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubelineAssemblyController.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -109,11 +109,12 @@ final class TubelineAssemblyController { } private Collection initializeTubeCreators(TubeFactoryList tfl) { - final ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader(); + ClassLoader tccl = Thread.currentThread().getContextClassLoader(); + ClassLoader classLoader = tccl != null ? tccl : TubelineAssemblyController.class.getClassLoader(); LinkedList tubeCreators = new LinkedList(); for (TubeFactoryConfig tubeFactoryConfig : tfl.getTubeFactoryConfigs()) { - tubeCreators.addFirst(new TubeCreator(tubeFactoryConfig, contextClassLoader)); + tubeCreators.addFirst(new TubeCreator(tubeFactoryConfig, classLoader)); } return tubeCreators; } diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/client/WSServiceDelegate.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/client/WSServiceDelegate.java index 7805320d90a..1c054547a4e 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/client/WSServiceDelegate.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/client/WSServiceDelegate.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -91,7 +91,8 @@ import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; import java.net.MalformedURLException; import java.net.URL; -import java.security.*; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Collection; import java.util.HashMap; import java.util.HashSet; @@ -715,11 +716,6 @@ public class WSServiceDelegate extends WSService { final ClassLoader loader = getDelegatingLoader(portInterface.getClassLoader(), WSServiceDelegate.class.getClassLoader()); - // accessClassInPackage privilege needs to be granted ... - RuntimePermission perm = new RuntimePermission("accessClassInPackage.com.sun." + "xml.internal.*"); - PermissionCollection perms = perm.newPermissionCollection(); - perms.add(perm); - return AccessController.doPrivileged( new PrivilegedAction() { @Override @@ -728,12 +724,8 @@ public class WSServiceDelegate extends WSService { new Class[]{portInterface, WSBindingProvider.class, Closeable.class}, pis); return portInterface.cast(proxy); } - }, - new AccessControlContext( - new ProtectionDomain[]{ - new ProtectionDomain(null, perms) - }) - ); + }); + } private WSDLService getWSDLModelfromSEI(final Class sei) { diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java index 92bd3b26167..bf258021c33 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -58,12 +58,8 @@ import javax.xml.ws.soap.SOAPFaultException; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.Method; -import java.lang.reflect.ReflectPermission; -import java.security.AccessControlContext; import java.security.AccessController; -import java.security.Permissions; import java.security.PrivilegedAction; -import java.security.ProtectionDomain; import java.util.Iterator; import java.util.Map; import java.util.logging.Level; @@ -569,9 +565,6 @@ public abstract class SOAPFaultBuilder { // in jdk runtime doPrivileged is necessary since JAX-WS internal classes are in restricted packages if (isJDKRuntime()) { - Permissions permissions = new Permissions(); - permissions.add(new RuntimePermission("accessClassInPackage.com.sun." + "xml.internal.ws.fault")); - permissions.add(new ReflectPermission("suppressAccessChecks")); return AccessController.doPrivileged( new PrivilegedAction() { @Override @@ -582,9 +575,7 @@ public abstract class SOAPFaultBuilder { throw new Error(e); } } - }, - new AccessControlContext(new ProtectionDomain[]{new ProtectionDomain(null, permissions)}) - ); + }); } else { try { diff --git a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/model/Injector.java b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/model/Injector.java index 9d07e99b7c7..158e0a9f8ef 100644 --- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/model/Injector.java +++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/model/Injector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2008, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -50,28 +50,36 @@ final class Injector { private static final Method definePackage; static { + Method[] m = AccessController.doPrivileged( + new PrivilegedAction() { + @Override + public Method[] run() { + return new Method[]{ + getMethod(ClassLoader.class, "defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE), + getMethod(ClassLoader.class, "resolveClass", Class.class), + getMethod(ClassLoader.class, "getPackage", String.class), + getMethod(ClassLoader.class, "definePackage", + String.class, String.class, String.class, String.class, + String.class, String.class, String.class, URL.class) + }; + } + } + ); + defineClass = m[0]; + resolveClass = m[1]; + getPackage = m[2]; + definePackage = m[3]; + } + + private static Method getMethod(final Class c, final String methodname, final Class... params) { try { - defineClass = ClassLoader.class.getDeclaredMethod("defineClass",String.class,byte[].class,Integer.TYPE,Integer.TYPE); - resolveClass = ClassLoader.class.getDeclaredMethod("resolveClass",Class.class); - getPackage = ClassLoader.class.getDeclaredMethod("getPackage", String.class); - definePackage = ClassLoader.class.getDeclaredMethod("definePackage", - String.class, String.class, String.class, String.class, - String.class, String.class, String.class, URL.class); + Method m = c.getDeclaredMethod(methodname, params); + m.setAccessible(true); + return m; } catch (NoSuchMethodException e) { // impossible throw new NoSuchMethodError(e.getMessage()); } - AccessController.doPrivileged(new PrivilegedAction() { - public Void run() { - // TODO: check security implication - // do these setAccessible allow anyone to call these methods freely?s - defineClass.setAccessible(true); - resolveClass.setAccessible(true); - getPackage.setAccessible(true); - definePackage.setAccessible(true); - return null; - } - }); } static synchronized Class inject(ClassLoader cl, String className, byte[] image) {