CXF-7292 additional privileged blocks required when Security Manager is enabled This closes #248
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/45a04b3e Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/45a04b3e Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/45a04b3e Branch: refs/heads/3.1.x-fixes Commit: 45a04b3ec3281ea04a06e0dfc88502d2f182f4b6 Parents: 1eac82a Author: Ivo Studensky <istud...@redhat.com> Authored: Thu Feb 18 14:00:29 2016 +0100 Committer: Daniel Kulp <dk...@apache.org> Committed: Fri Mar 24 13:43:12 2017 -0400 ---------------------------------------------------------------------- .../apache/cxf/catalog/OASISCatalogManager.java | 38 +++++++++++++++-- .../common/classloader/ClassLoaderUtils.java | 41 +++++++++++++++--- .../org/apache/cxf/common/i18n/BundleUtils.java | 35 +++++++++++++-- .../cxf/common/injection/ResourceInjector.java | 2 +- .../org/apache/cxf/common/jaxb/JAXBUtils.java | 19 +++++++-- .../org/apache/cxf/common/logging/LogUtils.java | 45 ++++++++++++++++---- .../org/apache/cxf/common/util/ProxyHelper.java | 31 ++++++++++++-- .../java/org/apache/cxf/helpers/DOMUtils.java | 32 ++++++++++++-- .../java/org/apache/cxf/helpers/XPathUtils.java | 18 +++++++- .../org/apache/cxf/resource/URIResolver.java | 14 ++++-- .../cxf/binding/soap/SOAPBindingUtil.java | 39 ++++++++++++++--- .../handler/AnnotationHandlerChainBuilder.java | 16 ++++++- .../cxf/frontend/ClientProxyFactoryBean.java | 17 +++++++- .../cxf/transport/http/CXFAuthenticator.java | 8 ++-- .../http/URLConnectionHTTPConduit.java | 19 ++++++++- 15 files changed, 322 insertions(+), 52 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java ---------------------------------------------------------------------- 
diff --git a/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java b/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java index 2aa061e..5a6911f 100644 --- a/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java +++ b/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java @@ -24,6 +24,10 @@ import java.io.IOException; import java.net.MalformedURLException; import java.net.URISyntaxException; import java.net.URL; +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.Enumeration; import java.util.Set; import java.util.concurrent.CopyOnWriteArraySet; @@ -133,7 +137,7 @@ public class OASISCatalogManager { } public final void loadContextCatalogs(String name) { try { - loadCatalogs(Thread.currentThread().getContextClassLoader(), name); + loadCatalogs(getContextClassLoader(), name); } catch (IOException e) { LOG.log(Level.WARNING, "Error loading " + name + " catalog files", e); } 
@@ -146,12 +150,27 @@ public class OASISCatalogManager { Enumeration<URL> catalogs = classLoader.getResources(name); while (catalogs.hasMoreElements()) { - URL catalogURL = catalogs.nextElement(); + final URL catalogURL = catalogs.nextElement(); if (catalog == null) { LOG.log(Level.WARNING, "Catalog found at {0} but no org.apache.xml.resolver.CatalogManager was found." + " Check the classpatch for an xmlresolver jar.", catalogURL.toString()); } else if (!loadedCatalogs.contains(catalogURL.toString())) { - ((Catalog)catalog).parseCatalog(catalogURL); + final SecurityManager sm = System.getSecurityManager(); + if (sm == null) { + ((Catalog)catalog).parseCatalog(catalogURL); + } else { + try { + AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() { + @Override + public Void run() throws Exception { + ((Catalog)catalog).parseCatalog(catalogURL); + return null; + } + }); + } catch (PrivilegedActionException e) { + throw (IOException) e.getException(); + } + } loadedCatalogs.add(catalogURL.toString()); } } @@ -230,4 +249,17 @@ public class OASISCatalogManager { return resolver; } + private static ClassLoader getContextClassLoader() { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + @Override + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } + }); + } + return Thread.currentThread().getContextClassLoader(); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java index cbd3f43..cc73cf8 100644 --- a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java 
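Review bot: In the `loadCatalogs` hunk of OASISCatalogManager.java, the anonymous `PrivilegedExceptionAction` declares `run() throws Exception`, yet the handler does `throw (IOException) e.getException();`, so any other checked exception raised inside the action would surface as a `ClassCastException` instead of the real failure. Declaring `public Void run() throws IOException` makes the cast provably safe, assuming `parseCatalog(URL)` declares nothing broader. The privileged block parses whatever URLs `classLoader.getResources(name)` returns, and `loadContextCatalogs(String name)` is public. A comment on the block should therefore state which permission is being asserted and why a caller-supplied resource name is acceptable. The method signature and the `catalog` field lie outside the hunk.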
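Review bot: The new private `getContextClassLoader()` in OASISCatalogManager.java has no comment saying that it returns a loader obtained with CXF's own permissions and must therefore stay private and never be handed back to callers. The same helper, or its sibling `getClassLoader(Class<?>)`, is copied into ClassLoaderUtils, BundleUtils, JAXBUtils, LogUtils, ProxyHelper, DOMUtils, XPathUtils, SOAPBindingUtil, AnnotationHandlerChainBuilder and ClientProxyFactoryBean in this commit. Each copy deserves the same one-line Javadoc, e.g. `/** Reads the thread context class loader inside doPrivileged; keep private so the loader is not exposed to less-privileged callers. */`. Most copies also omit the `@Override` on `run()` that this file and JAXBUtils use.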
+++ b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java @@ -250,7 +250,7 @@ public final class ClassLoaderUtils { public static Class<?> loadClass(String className, Class<?> callingClass) throws ClassNotFoundException { try { - ClassLoader cl = Thread.currentThread().getContextClassLoader(); + ClassLoader cl = getContextClassLoader(); if (cl != null) { return cl.loadClass(className); @@ -263,7 +263,7 @@ public final class ClassLoaderUtils { public static <T> Class<? extends T> loadClass(String className, Class<?> callingClass, Class<T> type) throws ClassNotFoundException { try { - ClassLoader cl = Thread.currentThread().getContextClassLoader(); + ClassLoader cl = getContextClassLoader(); if (cl != null) { return cl.loadClass(className).asSubclass(type); 
@@ -279,15 +279,44 @@ public final class ClassLoaderUtils { return Class.forName(className); } catch (ClassNotFoundException ex) { try { - if (ClassLoaderUtils.class.getClassLoader() != null) { - return ClassLoaderUtils.class.getClassLoader().loadClass(className); + final ClassLoader loader = getClassLoader(ClassLoaderUtils.class); + if (loader != null) { + return loader.loadClass(className); } } catch (ClassNotFoundException exc) { - if (callingClass != null && callingClass.getClassLoader() != null) { - return callingClass.getClassLoader().loadClass(className); + if (callingClass != null) { + final ClassLoader callingClassLoader = getClassLoader(callingClass); + if (callingClassLoader != null) { + return callingClassLoader.loadClass(className); + } } } throw ex; } } + + private static ClassLoader getContextClassLoader() { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } + }); + } + return Thread.currentThread().getContextClassLoader(); + } + + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java b/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java index 5fdd3b4..9945c97 100644 --- a/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java +++ b/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java 
@@ -19,6 +19,8 @@ package org.apache.cxf.common.i18n; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.text.MessageFormat; import java.util.Locale; import java.util.MissingResourceException; @@ -77,7 +79,7 @@ public final class BundleUtils { public static ResourceBundle getBundle(Class<?> cls) { try { - ClassLoader loader = cls.getClassLoader(); + ClassLoader loader = getClassLoader(cls); if (loader == null) { return ResourceBundle.getBundle(getBundleName(cls), Locale.getDefault()); } @@ -85,7 +87,7 @@ public final class BundleUtils { Locale.getDefault(), loader); } catch (MissingResourceException ex) { - ClassLoader loader = Thread.currentThread().getContextClassLoader(); + ClassLoader loader = getContextClassLoader(); if (loader == null) { return ResourceBundle.getBundle(getBundleName(cls), Locale.getDefault()); } @@ -106,7 +108,7 @@ public final class BundleUtils { */ public static ResourceBundle getBundle(Class<?> cls, String name) { try { - ClassLoader loader = cls.getClassLoader(); + ClassLoader loader = getClassLoader(cls); if (loader == null) { return ResourceBundle.getBundle(getBundleName(cls, name), Locale.getDefault()); } @@ -114,7 +116,7 @@ public final class BundleUtils { Locale.getDefault(), loader); } catch (MissingResourceException ex) { - ClassLoader loader = Thread.currentThread().getContextClassLoader(); + ClassLoader loader = getContextClassLoader(); if (loader == null) { return ResourceBundle.getBundle(getBundleName(cls, name), Locale.getDefault()); } 
@@ -136,4 +138,29 @@ public final class BundleUtils { public static String getFormattedString(ResourceBundle b, String key, Object ... params) { return MessageFormat.format(b.getString(key), params); } + + private static ClassLoader getContextClassLoader() { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } + }); + } + return Thread.currentThread().getContextClassLoader(); + } + + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java b/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java index 2e6eb3b..56734ef 100644 --- a/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java +++ b/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java @@ -79,7 +79,7 @@ public class ResourceInjector extends AbstractAnnotationVisitor { return null; } try { - return cls.getDeclaredField(name); + return ReflectionUtil.getDeclaredField(cls, name); } catch (Exception ex) { return getField(cls.getSuperclass(), name); } http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java ---------------------------------------------------------------------- 
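Review bot: In the ResourceInjector.java hunk, the superclass walk still lives only in `catch (Exception ex)`, so it depends on `ReflectionUtil.getDeclaredField` throwing when the field is absent. That helper's body is not on this page. If it reports a missing field or a `SecurityException` by returning null, `getField` would return null for a field declared on a superclass instead of recursing. A form that works either way is to put `Field f = ReflectionUtil.getDeclaredField(cls, name);` and `if (f != null) { return f; }` in the try body, and move `return getField(cls.getSuperclass(), name);` after the try/catch. The method begins outside the hunk.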
diff --git a/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java b/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java index be86175..46d0db0 100644 --- a/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java +++ b/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java @@ -38,6 +38,8 @@ import java.net.URISyntaxException; import java.net.URL; import java.net.URLClassLoader; import java.nio.charset.StandardCharsets; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; @@ -875,7 +877,7 @@ public final class JAXBUtils { Package pkg = jcls.getPackage(); packages.put(pkgName, jcls.getResourceAsStream("jaxb.index")); - packageLoaders.put(pkgName, jcls.getClassLoader()); + packageLoaders.put(pkgName, getClassLoader(jcls)); String objectFactoryClassName = pkgName + "." + "ObjectFactory"; Class<?> ofactory = null; CachedClass cachedFactory = null; @@ -889,8 +891,7 @@ public final class JAXBUtils { } if (ofactory == null) { try { - ofactory = Class.forName(objectFactoryClassName, false, jcls - .getClassLoader()); + ofactory = Class.forName(objectFactoryClassName, false, getClassLoader(jcls)); objectFactories.add(ofactory); addToObjectFactoryCache(pkg, ofactory, objectFactoryCache); } catch (ClassNotFoundException e) { 
@@ -945,6 +946,18 @@ public final class JAXBUtils { classes.addAll(objectFactories); } + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + @Override + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } private static void addToObjectFactoryCache(Package objectFactoryPkg, Class<?> ofactory, http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java b/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java index 83faf0f..54e05ad 100644 --- a/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java +++ b/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java @@ -229,8 +229,8 @@ public final class LogUtils { protected static Logger createLogger(Class<?> cls, String name, String loggerName) { - ClassLoader orig = Thread.currentThread().getContextClassLoader(); - ClassLoader n = cls.getClassLoader(); + ClassLoader orig = getContextClassLoader(); + ClassLoader n = getClassLoader(cls); if (n != null) { setContextClassLoader(n); } 
@@ -307,12 +307,41 @@ public final class LogUtils { } private static void setContextClassLoader(final ClassLoader classLoader) { - AccessController.doPrivileged(new PrivilegedAction<Object>() { - public Object run() { - Thread.currentThread().setContextClassLoader(classLoader); - return null; - } - }); + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + AccessController.doPrivileged(new PrivilegedAction<Object>() { + public Object run() { + Thread.currentThread().setContextClassLoader(classLoader); + return null; + } + }); + } else { + Thread.currentThread().setContextClassLoader(classLoader); + } + } + + private static ClassLoader getContextClassLoader() { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } + }); + } + return Thread.currentThread().getContextClassLoader(); + } + + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); } /** http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java index 413098c..3b69faa 100644 --- a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java +++ b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java 
@@ -22,6 +22,8 @@ package org.apache.cxf.common.util; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Method; import java.lang.reflect.Proxy; +import java.security.AccessController; +import java.security.PrivilegedAction; /** * @@ -55,17 +57,40 @@ public class ProxyHelper { * @param interfaces * @return classloader that sees all interfaces */ - private ClassLoader getClassLoaderForInterfaces(ClassLoader loader, Class<?>[] interfaces) { + private ClassLoader getClassLoaderForInterfaces(final ClassLoader loader, final Class<?>[] interfaces) { if (canSeeAllInterfaces(loader, interfaces)) { return loader; } - ProxyClassLoader combined = new ProxyClassLoader(loader, interfaces); + ProxyClassLoader combined; + final SecurityManager sm = System.getSecurityManager(); + if (sm == null) { + combined = new ProxyClassLoader(loader, interfaces); + } else { + combined = AccessController.doPrivileged(new PrivilegedAction<ProxyClassLoader>() { + @Override + public ProxyClassLoader run() { + return new ProxyClassLoader(loader, interfaces); + } + }); + } for (Class<?> currentInterface : interfaces) { - combined.addLoader(currentInterface.getClassLoader()); + combined.addLoader(getClassLoader(currentInterface)); } return combined; } + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + private boolean canSeeAllInterfaces(ClassLoader loader, Class<?>[] interfaces) { for (Class<?> currentInterface : interfaces) { String ifName = currentInterface.getName(); http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java ---------------------------------------------------------------------- 
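Review bot: In `getClassLoaderForInterfaces` (ProxyHelper.java), the `ProxyClassLoader` is now constructed inside `doPrivileged` from the `loader` and `interfaces` arguments. Those presumably originate from whoever asked for the proxy, so class-loader creation no longer depends on that caller's permissions. The hunk carries no comment explaining why that is safe. Something like `// privileged: ProxyClassLoader only delegates to the loaders of the given interfaces and defines no classes itself` would record the assumption, provided it holds for `ProxyClassLoader`, whose source is not on this page. The new `getClassLoader` helper here also lacks the `@Override` that the `ProxyClassLoader` action a few lines above it uses.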
diff --git a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java index 66c70a2..43a4d69 100644 --- a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java +++ b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java @@ -21,6 +21,8 @@ package org.apache.cxf.helpers; import java.io.IOException; import java.io.StringReader; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Collections; import java.util.LinkedHashSet; @@ -62,9 +64,9 @@ public final class DOMUtils { } private static DocumentBuilder getDocumentBuilder() throws ParserConfigurationException { - ClassLoader loader = Thread.currentThread().getContextClassLoader(); + ClassLoader loader = getContextClassLoader(); if (loader == null) { - loader = DOMUtils.class.getClassLoader(); + loader = getClassLoader(DOMUtils.class); } if (loader == null) { return DocumentBuilderFactory.newInstance().newDocumentBuilder(); 
@@ -78,7 +80,31 @@ public final class DOMUtils { } return factory; } - + + private static ClassLoader getContextClassLoader() { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } + }); + } + return Thread.currentThread().getContextClassLoader(); + } + + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + /** * Creates a new Document object * @throws ParserConfigurationException http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java b/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java index cb67d4a..ec3e06c 100644 --- a/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java +++ b/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java @@ -19,6 +19,8 @@ package org.apache.cxf.helpers; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.Map; import javax.xml.namespace.NamespaceContext; @@ -58,8 +60,8 @@ public class XPathUtils { } public Object getValue(String xpathExpression, Node node, QName type) { - ClassLoaderHolder loader - = ClassLoaderUtils.setThreadContextClassloader(xpath.getClass().getClassLoader()); + ClassLoaderHolder loader + = ClassLoaderUtils.setThreadContextClassloader(getClassLoader(xpath.getClass())); try { return xpath.evaluate(xpathExpression, node, type); } catch (Exception e) { 
@@ -84,4 +86,16 @@ public class XPathUtils { return getValue(xpathExpression, node, type) != null; } + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/resource/URIResolver.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/resource/URIResolver.java b/core/src/main/java/org/apache/cxf/resource/URIResolver.java index ed42fd1..43c7272 100644 --- a/core/src/main/java/org/apache/cxf/resource/URIResolver.java +++ b/core/src/main/java/org/apache/cxf/resource/URIResolver.java @@ -30,6 +30,8 @@ import java.net.URISyntaxException; import java.net.URL; import java.net.URLConnection; import java.net.URLDecoder; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.HashMap; import java.util.Map; import java.util.logging.Level; 
@@ -132,10 +134,14 @@ public class URIResolver { // It is possible that spaces have been encoded. We should decode them first. uriStr = uriStr.replaceAll("%20", " "); - File uriFile = new File(uriStr); - - - uriFile = new File(uriFile.getAbsolutePath()); + final File uriFileTemp = new File(uriStr); + + File uriFile = new File(AccessController.doPrivileged(new PrivilegedAction<String>() { + @Override + public String run() { + return uriFileTemp.getAbsolutePath(); + } + })); if (!SecurityActions.fileExists(uriFile, CXFPermissions.RESOLVE_URI)) { try { URI urif = new URI(URLDecoder.decode(orig, "ASCII")); http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java ---------------------------------------------------------------------- diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java index 23327e8..f537574 100644 --- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java +++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java @@ -21,6 +21,8 @@ package org.apache.cxf.binding.soap; import java.lang.reflect.InvocationHandler; import java.lang.reflect.Proxy; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.List; 
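Review bot: The URIResolver.java hunk calls `AccessController.doPrivileged` unconditionally, whereas the helpers added elsewhere in this commit first test `System.getSecurityManager()` and take the direct path when none is installed. Either follow the same pattern or add a comment saying the unconditional call is deliberate and what it asserts, e.g. `// privileged: getAbsolutePath() may read the user.dir system property`. The privileged block is kept narrow, and the existence check that follows still goes through `SecurityActions.fileExists(uriFile, CXFPermissions.RESOLVE_URI)`, which should stay outside the privileged block. The enclosing method starts and ends outside the hunk.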
@@ -87,14 +89,15 @@ public final class SOAPBindingUtil { */ Object proxy = null; try { - proxy = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(), + proxy = Proxy.newProxyInstance(getContextClassLoader(), new Class[] {cls}, ih); } catch (Throwable ex) { - // Using cls classloader as a fallback to make it work within OSGi - ClassLoader contextLoader = Thread.currentThread().getContextClassLoader(); - if (contextLoader != cls.getClassLoader()) { - proxy = Proxy.newProxyInstance(cls.getClassLoader(), - new Class[] {cls}, ih); + // Using cls classloader as a fallback to make it work within OSGi + ClassLoader contextLoader = getContextClassLoader(); + final ClassLoader clsClassLoader = getClassLoader(cls); + if (contextLoader != clsClassLoader) { + proxy = Proxy.newProxyInstance(clsClassLoader, + new Class[] {cls}, ih); } else { if (ex instanceof RuntimeException) { throw (RuntimeException)ex; 
@@ -105,6 +108,30 @@ public final class SOAPBindingUtil { return cls.cast(proxy); } + private static ClassLoader getContextClassLoader() { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } + }); + } + return Thread.currentThread().getContextClassLoader(); + } + + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + public static boolean isSOAPBinding(Binding binding) { for (Object obj : binding.getExtensibilityElements()) { if (isSOAPBinding(obj)) { http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java ---------------------------------------------------------------------- diff --git a/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java b/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java index b72a721..879ffd3 100644 --- a/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java +++ b/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java @@ -20,6 +20,8 @@ package org.apache.cxf.jaxws.handler; import java.net.URL; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.List; import java.util.ResourceBundle; 
@@ -74,7 +76,7 @@ public class AnnotationHandlerChainBuilder extends HandlerChainBuilder { public List<Handler> buildHandlerChainFromClass(Class<?> clz, List<Handler> existingHandlers, QName portQName, QName serviceQName, String bindingID) { LOG.fine("building handler chain"); - classLoader = clz.getClassLoader(); + classLoader = getClassLoader(clz); HandlerChainAnnotation hcAnn = findHandlerChainAnnotation(clz, true); List<Handler> chain = null; if (hcAnn == null) { @@ -139,6 +141,18 @@ public class AnnotationHandlerChainBuilder extends HandlerChainBuilder { return sortHandlers(chain); } + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + private void processHandlerChainElement(Element el, List<Handler> chain, QName portQName, QName serviceQName, String bindingID) { Node node = el.getFirstChild(); http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java ---------------------------------------------------------------------- diff --git a/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java b/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java index 7564407..8fde6b0 100644 --- a/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java +++ b/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java @@ -19,6 +19,8 @@ package org.apache.cxf.frontend; import java.io.Closeable; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.HashMap; import java.util.List; 
@@ -171,8 +173,7 @@ public class ClientProxyFactoryBean extends AbstractBasicInterceptorProvider { ClientProxy handler = clientClientProxy(c); Class<?> classes[] = getImplementingClasses(); - - Object obj = ProxyHelper.getProxy(clientFactoryBean.getServiceClass().getClassLoader(), + Object obj = ProxyHelper.getProxy(getClassLoader(clientFactoryBean.getServiceClass()), classes, handler); @@ -186,6 +187,18 @@ public class ClientProxyFactoryBean extends AbstractBasicInterceptorProvider { } } + private static ClassLoader getClassLoader(final Class<?> clazz) { + final SecurityManager sm = System.getSecurityManager(); + if (sm != null) { + return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() { + public ClassLoader run() { + return clazz.getClassLoader(); + } + }); + } + return clazz.getClassLoader(); + } + protected Class<?>[] getImplementingClasses() { Class<?> cls = clientFactoryBean.getServiceClass(); return new Class[] {cls, Closeable.class, Client.class}; http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java ---------------------------------------------------------------------- diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java index 7a29374..14f532b 100644 --- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java +++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java @@ -50,7 +50,7 @@ public class CXFAuthenticator extends Authenticator { if (instance == null) { instance = new CXFAuthenticator(); Authenticator wrapped = null; - for (final Field f : Authenticator.class.getDeclaredFields()) { + for (final Field f : ReflectionUtil.getDeclaredFields(Authenticator.class)) { if (f.getType().equals(Authenticator.class)) { ReflectionUtil.setAccessible(f); try { 
@@ -74,9 +74,7 @@ public class CXFAuthenticator extends Authenticator { return new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader()); } }, null); - - - Method m = ClassLoader.class.getDeclaredMethod("defineClass", String.class, + Method m = ReflectionUtil.getDeclaredMethod(ClassLoader.class, "defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE); InputStream ins = ReferencingAuthenticator.class @@ -102,7 +100,7 @@ public class CXFAuthenticator extends Authenticator { } try { //clear the acc field that can hold onto the webapp classloader - Field f = loader.getClass().getDeclaredField("acc"); + Field f = ReflectionUtil.getDeclaredField(loader.getClass(), "acc"); ReflectionUtil.setAccessible(f).set(loader, null); } catch (Throwable t) { //ignore http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java ---------------------------------------------------------------------- diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java index a429ddf..00fb97b 100644 --- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java +++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java @@ -30,6 +30,9 @@ import java.net.URI; import java.net.URISyntaxException; import java.net.URL; import java.net.URLConnection; +import java.security.AccessController; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.util.logging.Level; import javax.net.ssl.HttpsURLConnection; 
@@ -254,7 +257,21 @@ public class URLConnectionHTTPConduit extends HTTPConduit { OutputStream cout = null; try { try { - cout = connection.getOutputStream(); +// cout = connection.getOutputStream(); + if (System.getSecurityManager() != null) { + try { + cout = AccessController.doPrivileged(new PrivilegedExceptionAction<OutputStream>() { + @Override + public OutputStream run() throws IOException { + return connection.getOutputStream(); + } + }); + } catch (PrivilegedActionException e) { + throw (IOException) e.getException(); + } + } else { + cout = connection.getOutputStream(); + } } catch (ProtocolException pe) { Boolean b = (Boolean)outMessage.get(HTTPURL_CONNECTION_METHOD_REFLECTION); cout = connectAndGetOutputStream(b);
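Review bot: In the URLConnectionHTTPConduit.java hunk, `connection.getOutputStream()` now runs inside `doPrivileged`, so under a security manager the connect permission is evaluated against CXF's protection domain only, not against callers further up the stack. Nothing visible here applies a CXF-level check first, the way URIResolver does with `SecurityActions.fileExists(uriFile, CXFPermissions.RESOLVE_URI)`. If such a check exists earlier in the method, which starts outside the hunk, a comment pointing to it would help; if not, it is worth deciding whether one is needed. The leftover `// cout = connection.getOutputStream();` line should be deleted rather than committed.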