1.1 --- a/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java Thu May 30 10:58:13 2013 -0700 1.2 +++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java Wed Jun 12 14:47:09 2013 +0100 1.3 @@ -42,10 +42,13 @@ 1.4 import javax.xml.stream.XMLInputFactory; 1.5 import javax.xml.ws.WebServiceException; 1.6 import java.lang.reflect.Method; 1.7 +import java.lang.reflect.ReflectPermission; 1.8 import java.net.MalformedURLException; 1.9 import java.net.URI; 1.10 import java.net.URISyntaxException; 1.11 import java.net.URL; 1.12 +import java.security.*; 1.13 +import java.util.PropertyPermission; 1.14 import java.util.logging.Level; 1.15 1.16 /** 1.17 @@ -235,7 +238,7 @@ 1.18 private static MetroConfig loadMetroConfig(@NotNull URL resourceUrl) { 1.19 MetroConfig result = null; 1.20 try { 1.21 - JAXBContext jaxbContext = JAXBContext.newInstance(MetroConfig.class.getPackage().getName()); 1.22 + JAXBContext jaxbContext = createJAXBContext(); 1.23 Unmarshaller unmarshaller = jaxbContext.createUnmarshaller(); 1.24 XMLInputFactory factory = XmlUtil.newXMLInputFactory(true); 1.25 final JAXBElement<MetroConfig> configElement = unmarshaller.unmarshal(factory.createXMLStreamReader(resourceUrl.openStream()), MetroConfig.class); 1.26 @@ -246,6 +249,38 @@ 1.27 return result; 1.28 } 1.29 1.30 + private static JAXBContext createJAXBContext() throws Exception { 1.31 + if (isJDKInternal()) { 1.32 + // since jdk classes are repackaged, extra privilege is necessary to create JAXBContext 1.33 + return AccessController.doPrivileged( 1.34 + new PrivilegedExceptionAction<JAXBContext>() { 1.35 + @Override 1.36 + public JAXBContext run() throws Exception { 1.37 + return JAXBContext.newInstance(MetroConfig.class.getPackage().getName()); 1.38 + } 1.39 + }, createSecurityContext() 1.40 + ); 1.41 + } else { 1.42 + // usage from JAX-WS/Metro/Glassfish 1.43 + return JAXBContext.newInstance(MetroConfig.class.getPackage().getName()); 1.44 + } 1.45 + } 1.46 + 1.47 + private static AccessControlContext createSecurityContext() { 1.48 + PermissionCollection perms = new Permissions(); 1.49 + perms.add(new RuntimePermission("accessClassInPackage.com" + ".sun.xml.internal.ws.runtime.config")); // avoid repackaging 1.50 + perms.add(new ReflectPermission("suppressAccessChecks")); 1.51 + return new AccessControlContext( 1.52 + new ProtectionDomain[]{ 1.53 + new ProtectionDomain(null, perms), 1.54 + }); 1.55 + } 1.56 + 1.57 + private static boolean isJDKInternal() { 1.58 + // avoid "string repackaging" 1.59 + return MetroConfigLoader.class.getName().startsWith("com." + "sun.xml.internal.ws"); 1.60 + } 1.61 + 1.62 private static class MetroConfigUrlLoader extends ResourceLoader { 1.63 1.64 Container container; // TODO remove the field together with the code path using it (see below)