1.1 --- a/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java Thu May 30 10:58:13 2013 -0700
1.2 +++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java Wed Jun 12 14:47:09 2013 +0100
1.3 @@ -42,10 +42,13 @@
1.4 import javax.xml.stream.XMLInputFactory;
1.5 import javax.xml.ws.WebServiceException;
1.6 import java.lang.reflect.Method;
1.7 +import java.lang.reflect.ReflectPermission;
1.8 import java.net.MalformedURLException;
1.9 import java.net.URI;
1.10 import java.net.URISyntaxException;
1.11 import java.net.URL;
1.12 +import java.security.*;
1.13 +import java.util.PropertyPermission;
1.14 import java.util.logging.Level;
1.15
1.16 /**
1.17 @@ -235,7 +238,7 @@
1.18 private static MetroConfig loadMetroConfig(@NotNull URL resourceUrl) {
1.19 MetroConfig result = null;
1.20 try {
1.21 - JAXBContext jaxbContext = JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
1.22 + JAXBContext jaxbContext = createJAXBContext();
1.23 Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
1.24 XMLInputFactory factory = XmlUtil.newXMLInputFactory(true);
1.25 final JAXBElement<MetroConfig> configElement = unmarshaller.unmarshal(factory.createXMLStreamReader(resourceUrl.openStream()), MetroConfig.class);
1.26 @@ -246,6 +249,38 @@
1.27 return result;
1.28 }
1.29
1.30 + private static JAXBContext createJAXBContext() throws Exception {
1.31 + if (isJDKInternal()) {
1.32 + // since jdk classes are repackaged, extra privilege is necessary to create JAXBContext
1.33 + return AccessController.doPrivileged(
1.34 + new PrivilegedExceptionAction<JAXBContext>() {
1.35 + @Override
1.36 + public JAXBContext run() throws Exception {
1.37 + return JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
1.38 + }
1.39 + }, createSecurityContext()
1.40 + );
1.41 + } else {
1.42 + // usage from JAX-WS/Metro/Glassfish
1.43 + return JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
1.44 + }
1.45 + }
1.46 +
1.47 + private static AccessControlContext createSecurityContext() {
1.48 + PermissionCollection perms = new Permissions();
1.49 + perms.add(new RuntimePermission("accessClassInPackage.com" + ".sun.xml.internal.ws.runtime.config")); // avoid repackaging
1.50 + perms.add(new ReflectPermission("suppressAccessChecks"));
1.51 + return new AccessControlContext(
1.52 + new ProtectionDomain[]{
1.53 + new ProtectionDomain(null, perms),
1.54 + });
1.55 + }
1.56 +
1.57 + private static boolean isJDKInternal() {
1.58 + // avoid "string repackaging"
1.59 + return MetroConfigLoader.class.getName().startsWith("com." + "sun.xml.internal.ws");
1.60 + }
1.61 +
1.62 private static class MetroConfigUrlLoader extends ResourceLoader {
1.63
1.64 Container container; // TODO remove the field together with the code path using it (see below)
