cxf-commits mailing list archives

From dk...@apache.org
Subject [3/4] cxf git commit: CXF-7292 additional privileged blocks required when Security Manager is enabled This closes #248
Date Fri, 24 Mar 2017 17:45:06 GMT
CXF-7292 additional privileged blocks required when Security Manager is enabled
This closes #248


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/45a04b3e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/45a04b3e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/45a04b3e

Branch: refs/heads/3.1.x-fixes
Commit: 45a04b3ec3281ea04a06e0dfc88502d2f182f4b6
Parents: 1eac82a
Author: Ivo Studensky <istudens@redhat.com>
Authored: Thu Feb 18 14:00:29 2016 +0100
Committer: Daniel Kulp <dkulp@apache.org>
Committed: Fri Mar 24 13:43:12 2017 -0400

----------------------------------------------------------------------
 .../apache/cxf/catalog/OASISCatalogManager.java | 38 +++++++++++++++--
 .../common/classloader/ClassLoaderUtils.java    | 41 +++++++++++++++---
 .../org/apache/cxf/common/i18n/BundleUtils.java | 35 +++++++++++++--
 .../cxf/common/injection/ResourceInjector.java  |  2 +-
 .../org/apache/cxf/common/jaxb/JAXBUtils.java   | 19 +++++++--
 .../org/apache/cxf/common/logging/LogUtils.java | 45 ++++++++++++++++----
 .../org/apache/cxf/common/util/ProxyHelper.java | 31 ++++++++++++--
 .../java/org/apache/cxf/helpers/DOMUtils.java   | 32 ++++++++++++--
 .../java/org/apache/cxf/helpers/XPathUtils.java | 18 +++++++-
 .../org/apache/cxf/resource/URIResolver.java    | 14 ++++--
 .../cxf/binding/soap/SOAPBindingUtil.java       | 39 ++++++++++++++---
 .../handler/AnnotationHandlerChainBuilder.java  | 16 ++++++-
 .../cxf/frontend/ClientProxyFactoryBean.java    | 17 +++++++-
 .../cxf/transport/http/CXFAuthenticator.java    |  8 ++--
 .../http/URLConnectionHTTPConduit.java          | 19 ++++++++-
 15 files changed, 322 insertions(+), 52 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java b/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java
index 2aa061e..5a6911f 100644
--- a/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java
+++ b/core/src/main/java/org/apache/cxf/catalog/OASISCatalogManager.java
@@ -24,6 +24,10 @@ import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.Enumeration;
 import java.util.Set;
 import java.util.concurrent.CopyOnWriteArraySet;
@@ -133,7 +137,7 @@ public class OASISCatalogManager {
     }
     public final void loadContextCatalogs(String name) {
         try {
-            loadCatalogs(Thread.currentThread().getContextClassLoader(), name);
+            loadCatalogs(getContextClassLoader(), name);
         } catch (IOException e) {
             LOG.log(Level.WARNING, "Error loading " + name + " catalog files", e);
         }
@@ -146,12 +150,27 @@ public class OASISCatalogManager {
 
         Enumeration<URL> catalogs = classLoader.getResources(name);
         while (catalogs.hasMoreElements()) {
-            URL catalogURL = catalogs.nextElement();
+            final URL catalogURL = catalogs.nextElement();
             if (catalog == null) {
                 LOG.log(Level.WARNING, "Catalog found at {0} but no org.apache.xml.resolver.CatalogManager
was found."
                         + "  Check the classpatch for an xmlresolver jar.", catalogURL.toString());
             } else if (!loadedCatalogs.contains(catalogURL.toString())) {
-                ((Catalog)catalog).parseCatalog(catalogURL);
+                final SecurityManager sm = System.getSecurityManager();
+                if (sm == null) {
+                    ((Catalog)catalog).parseCatalog(catalogURL);
+                } else {
+                    try {
+                        AccessController.doPrivileged(new PrivilegedExceptionAction<Void>()
{
+                            @Override
+                            public Void run() throws Exception {
+                                ((Catalog)catalog).parseCatalog(catalogURL);
+                                return null;
+                            }
+                        });
+                    } catch (PrivilegedActionException e) {
+                        throw (IOException) e.getException();
+                    }
+                }
                 loadedCatalogs.add(catalogURL.toString());
             }
         }
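Review bot: The new doPrivileged block around `parseCatalog(catalogURL)` runs the whole catalog parse with CXF's own permissions, and `catalogURL` comes from `classLoader.getResources(name)`, where both the loader and the name are passed in by the caller. The method signature is outside the hunk, so whether less-trusted code can reach it cannot be confirmed from here; if it can, that code gets catalog files read on its behalf, and a short comment stating why the full parse has to be privileged would make that decision reviewable. Separately, `throw (IOException) e.getException();` relies on `run()` raising no checked exception other than `IOException`, while `run()` is declared `throws Exception`; declaring it as `public Void run() throws IOException` lets the compiler guarantee the cast.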
@@ -230,4 +249,17 @@ public class OASISCatalogManager {
         return resolver;
     }
 
+    private static ClassLoader getContextClassLoader() {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                @Override
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        }
+        return Thread.currentThread().getContextClassLoader();
+    }
+
 }
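Review bot: This `getContextClassLoader()` helper has no comment explaining why it is private, and the same body is copied into ClassLoaderUtils, BundleUtils, LogUtils, DOMUtils and SOAPBindingUtil later in this commit, next to a matching `getClassLoader(Class)` helper in several files. The duplication invites someone to hoist it into a shared public utility, which would give any caller the context class loader without holding `RuntimePermission("getClassLoader")`. If the copies are ever consolidated, the shared helper should stay non-public. I would add `// Private on purpose: a public doPrivileged wrapper would hand the loader to callers lacking RuntimePermission("getClassLoader").` above each copy.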

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
index cbd3f43..cc73cf8 100644
--- a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java
@@ -250,7 +250,7 @@ public final class ClassLoaderUtils {
     public static Class<?> loadClass(String className, Class<?> callingClass)
         throws ClassNotFoundException {
         try {
-            ClassLoader cl = Thread.currentThread().getContextClassLoader();
+            ClassLoader cl = getContextClassLoader();
 
             if (cl != null) {
                 return cl.loadClass(className);
@@ -263,7 +263,7 @@ public final class ClassLoaderUtils {
     public static <T> Class<? extends T> loadClass(String className, Class<?>
callingClass, Class<T> type)
         throws ClassNotFoundException {
         try {
-            ClassLoader cl = Thread.currentThread().getContextClassLoader();
+            ClassLoader cl = getContextClassLoader();
 
             if (cl != null) {
                 return cl.loadClass(className).asSubclass(type);
@@ -279,15 +279,44 @@ public final class ClassLoaderUtils {
             return Class.forName(className);
         } catch (ClassNotFoundException ex) {
             try {
-                if (ClassLoaderUtils.class.getClassLoader() != null) {
-                    return ClassLoaderUtils.class.getClassLoader().loadClass(className);
+                final ClassLoader loader = getClassLoader(ClassLoaderUtils.class);
+                if (loader != null) {
+                    return loader.loadClass(className);
                 }
             } catch (ClassNotFoundException exc) {
-                if (callingClass != null && callingClass.getClassLoader() != null)
{
-                    return callingClass.getClassLoader().loadClass(className);
+                if (callingClass != null) {
+                    final ClassLoader callingClassLoader = getClassLoader(callingClass);
+                    if (callingClassLoader != null) {
+                        return callingClassLoader.loadClass(className);
+                    }
                 }
             }
             throw ex;
         }
     }
+
+    private static ClassLoader getContextClassLoader() {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        }
+        return Thread.currentThread().getContextClassLoader();
+    }
+
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
 }
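Review bot: The fallback chain keeps `loader.loadClass(className)` and `callingClassLoader.loadClass(className)` outside the privileged helpers, which is the right boundary, but nothing in the code says it is deliberate. A comment above `getClassLoader(ClassLoaderUtils.class)` such as `// only the loader lookup is privileged; loadClass still runs with the caller's permissions` would discourage a later edit from widening the block. The two anonymous `PrivilegedAction` classes added here also omit `@Override` on `run()`, unlike the same helper in OASISCatalogManager. The enclosing method starts above the hunk.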

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java b/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java
index 5fdd3b4..9945c97 100644
--- a/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/i18n/BundleUtils.java
@@ -19,6 +19,8 @@
 
 package org.apache.cxf.common.i18n;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.text.MessageFormat;
 import java.util.Locale;
 import java.util.MissingResourceException;
@@ -77,7 +79,7 @@ public final class BundleUtils {
     public static ResourceBundle getBundle(Class<?> cls) {
         
         try {
-            ClassLoader loader = cls.getClassLoader();
+            ClassLoader loader = getClassLoader(cls);
             if (loader == null) {
                 return ResourceBundle.getBundle(getBundleName(cls), Locale.getDefault());
             }
@@ -85,7 +87,7 @@ public final class BundleUtils {
                                         Locale.getDefault(),
                                         loader);
         } catch (MissingResourceException ex) {
-            ClassLoader loader = Thread.currentThread().getContextClassLoader();
+            ClassLoader loader = getContextClassLoader();
             if (loader == null) {
                 return ResourceBundle.getBundle(getBundleName(cls), Locale.getDefault());
             }
@@ -106,7 +108,7 @@ public final class BundleUtils {
      */
     public static ResourceBundle getBundle(Class<?> cls, String name) {
         try {
-            ClassLoader loader = cls.getClassLoader();
+            ClassLoader loader = getClassLoader(cls);
             if (loader == null) {
                 return ResourceBundle.getBundle(getBundleName(cls, name), Locale.getDefault());
             }
@@ -114,7 +116,7 @@ public final class BundleUtils {
                                             Locale.getDefault(),
                                             loader);
         } catch (MissingResourceException ex) {
-            ClassLoader loader = Thread.currentThread().getContextClassLoader();
+            ClassLoader loader = getContextClassLoader();
             if (loader == null) {
                 return ResourceBundle.getBundle(getBundleName(cls, name), Locale.getDefault());
             }
@@ -136,4 +138,29 @@ public final class BundleUtils {
     public static String getFormattedString(ResourceBundle b, String key, Object ... params)
{
         return MessageFormat.format(b.getString(key), params);
     }
+
+    private static ClassLoader getContextClassLoader() {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        }
+        return Thread.currentThread().getContextClassLoader();
+    }
+
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java b/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java
index 2e6eb3b..56734ef 100644
--- a/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java
+++ b/core/src/main/java/org/apache/cxf/common/injection/ResourceInjector.java
@@ -79,7 +79,7 @@ public class ResourceInjector extends AbstractAnnotationVisitor {
             return null;
         }
         try {
-            return cls.getDeclaredField(name);
+            return ReflectionUtil.getDeclaredField(cls, name);
         } catch (Exception ex) {
             return getField(cls.getSuperclass(), name);
         }
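Review bot: The `catch (Exception ex)` branch that walks up to `cls.getSuperclass()` only runs if `ReflectionUtil.getDeclaredField` throws for a missing field, as `cls.getDeclaredField(name)` did. ReflectionUtil's body is not shown on this page; if it swallows `NoSuchFieldException` and returns null, inherited fields would no longer be found. Checking the result explicitly covers both cases: `Field f = ReflectionUtil.getDeclaredField(cls, name);` followed by `return f != null ? f : getField(cls.getSuperclass(), name);`. The method begins above the hunk.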

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java b/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java
index be86175..46d0db0 100644
--- a/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/jaxb/JAXBUtils.java
@@ -38,6 +38,8 @@ import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLClassLoader;
 import java.nio.charset.StandardCharsets;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -875,7 +877,7 @@ public final class JAXBUtils {
                 Package pkg = jcls.getPackage();
                    
                 packages.put(pkgName, jcls.getResourceAsStream("jaxb.index"));
-                packageLoaders.put(pkgName, jcls.getClassLoader());
+                packageLoaders.put(pkgName, getClassLoader(jcls));
                 String objectFactoryClassName = pkgName + "." + "ObjectFactory";
                 Class<?> ofactory = null;
                 CachedClass cachedFactory = null;
@@ -889,8 +891,7 @@ public final class JAXBUtils {
                 }
                 if (ofactory == null) {
                     try {
-                        ofactory = Class.forName(objectFactoryClassName, false, jcls
-                                                 .getClassLoader());
+                        ofactory = Class.forName(objectFactoryClassName, false, getClassLoader(jcls));
                         objectFactories.add(ofactory);
                         addToObjectFactoryCache(pkg, ofactory, objectFactoryCache);
                     } catch (ClassNotFoundException e) {
@@ -945,6 +946,18 @@ public final class JAXBUtils {
         classes.addAll(objectFactories);
     }
 
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                @Override
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
        
     private static void addToObjectFactoryCache(Package objectFactoryPkg, 
                                          Class<?> ofactory,

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java b/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java
index 83faf0f..54e05ad 100644
--- a/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java
+++ b/core/src/main/java/org/apache/cxf/common/logging/LogUtils.java
@@ -229,8 +229,8 @@ public final class LogUtils {
     protected static Logger createLogger(Class<?> cls, 
                                          String name, 
                                          String loggerName) {
-        ClassLoader orig = Thread.currentThread().getContextClassLoader();
-        ClassLoader n = cls.getClassLoader();
+        ClassLoader orig = getContextClassLoader();
+        ClassLoader n = getClassLoader(cls);
         if (n != null) {
             setContextClassLoader(n);
         }
@@ -307,12 +307,41 @@ public final class LogUtils {
     }
     
     private static void setContextClassLoader(final ClassLoader classLoader) {
-        AccessController.doPrivileged(new PrivilegedAction<Object>() {
-            public Object run() {
-                Thread.currentThread().setContextClassLoader(classLoader);
-                return null;
-            }
-        });
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            AccessController.doPrivileged(new PrivilegedAction<Object>() {
+                public Object run() {
+                    Thread.currentThread().setContextClassLoader(classLoader);
+                    return null;
+                }
+            });
+        } else {
+            Thread.currentThread().setContextClassLoader(classLoader);
+        }
+    }
+
+    private static ClassLoader getContextClassLoader() {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        }
+        return Thread.currentThread().getContextClassLoader();
+    }
+
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
     }
 
     /**

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
index 413098c..3b69faa 100644
--- a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
+++ b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java
@@ -22,6 +22,8 @@ package org.apache.cxf.common.util;
 import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.Method;
 import java.lang.reflect.Proxy;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 /**
  * 
@@ -55,17 +57,40 @@ public class ProxyHelper {
      * @param interfaces
      * @return classloader that sees all interfaces
      */
-    private ClassLoader getClassLoaderForInterfaces(ClassLoader loader, Class<?>[]
interfaces) {
+    private ClassLoader getClassLoaderForInterfaces(final ClassLoader loader, final Class<?>[]
interfaces) {
         if (canSeeAllInterfaces(loader, interfaces)) {
             return loader;
         }
-        ProxyClassLoader combined = new ProxyClassLoader(loader, interfaces);
+        ProxyClassLoader combined;
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm == null) {
+            combined = new ProxyClassLoader(loader, interfaces);
+        } else {
+            combined = AccessController.doPrivileged(new PrivilegedAction<ProxyClassLoader>()
{
+                @Override
+                public ProxyClassLoader run() {
+                    return new ProxyClassLoader(loader, interfaces);
+                }
+            });
+        }
         for (Class<?> currentInterface : interfaces) {
-            combined.addLoader(currentInterface.getClassLoader());
+            combined.addLoader(getClassLoader(currentInterface));
         }
         return combined;
     }
 
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
     private boolean canSeeAllInterfaces(ClassLoader loader, Class<?>[] interfaces)
{
         for (Class<?> currentInterface : interfaces) {
             String ifName = currentInterface.getName();
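Review bot: `new ProxyClassLoader(loader, interfaces)` is now constructed inside doPrivileged, so the class-loader creation check no longer takes the caller into account, while both constructor arguments still come from that caller. The method is private and its callers are outside the hunk, so it is worth confirming that the combined loader is only used internally for proxy creation and is never handed back to application code. A comment on the block naming the permission it exists for (presumably `RuntimePermission("createClassLoader")`) would make the intent reviewable. The `run()` in the new `getClassLoader` helper also lacks the `@Override` that the block above it carries.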

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
index 66c70a2..43a4d69 100644
--- a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
@@ -21,6 +21,8 @@ package org.apache.cxf.helpers;
 
 import java.io.IOException;
 import java.io.StringReader;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.LinkedHashSet;
@@ -62,9 +64,9 @@ public final class DOMUtils {
     }
 
     private static DocumentBuilder getDocumentBuilder() throws ParserConfigurationException
{
-        ClassLoader loader = Thread.currentThread().getContextClassLoader();
+        ClassLoader loader = getContextClassLoader();
         if (loader == null) {
-            loader = DOMUtils.class.getClassLoader();
+            loader = getClassLoader(DOMUtils.class);
         }
         if (loader == null) {
             return DocumentBuilderFactory.newInstance().newDocumentBuilder();
@@ -78,7 +80,31 @@ public final class DOMUtils {
         }
         return factory;
     }
-    
+
+    private static ClassLoader getContextClassLoader() {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        }
+        return Thread.currentThread().getContextClassLoader();
+    }
+
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
     /**
      * Creates a new Document object
      * @throws ParserConfigurationException

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java b/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java
index cb67d4a..ec3e06c 100644
--- a/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/XPathUtils.java
@@ -19,6 +19,8 @@
 
 package org.apache.cxf.helpers;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Map;
 
 import javax.xml.namespace.NamespaceContext;
@@ -58,8 +60,8 @@ public class XPathUtils {
     }
 
     public Object getValue(String xpathExpression, Node node, QName type) {
-        ClassLoaderHolder loader 
-            = ClassLoaderUtils.setThreadContextClassloader(xpath.getClass().getClassLoader());
+        ClassLoaderHolder loader
+            = ClassLoaderUtils.setThreadContextClassloader(getClassLoader(xpath.getClass()));
         try {
             return xpath.evaluate(xpathExpression, node, type);
         } catch (Exception e) {
@@ -84,4 +86,16 @@ public class XPathUtils {
         return getValue(xpathExpression, node, type) != null;
     }
 
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/core/src/main/java/org/apache/cxf/resource/URIResolver.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/cxf/resource/URIResolver.java b/core/src/main/java/org/apache/cxf/resource/URIResolver.java
index ed42fd1..43c7272 100644
--- a/core/src/main/java/org/apache/cxf/resource/URIResolver.java
+++ b/core/src/main/java/org/apache/cxf/resource/URIResolver.java
@@ -30,6 +30,8 @@ import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLDecoder;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.logging.Level;
@@ -132,10 +134,14 @@ public class URIResolver {
             // It is possible that spaces have been encoded.  We should decode them first.
             uriStr = uriStr.replaceAll("%20", " ");
 
-            File uriFile = new File(uriStr);
-            
-            
-            uriFile = new File(uriFile.getAbsolutePath());
+            final File uriFileTemp = new File(uriStr);
+
+            File uriFile = new File(AccessController.doPrivileged(new PrivilegedAction<String>()
{
+                @Override
+                public String run() {
+                    return uriFileTemp.getAbsolutePath();
+                }
+            }));
             if (!SecurityActions.fileExists(uriFile, CXFPermissions.RESOLVE_URI)) {
                 try {
                     URI urif = new URI(URLDecoder.decode(orig, "ASCII"));
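Review bot: This doPrivileged call carries no comment saying which permission it is for, and unlike the other sites in this commit it is not guarded by a `System.getSecurityManager()` check. `File.getAbsolutePath()` can need read access to a system property to resolve a relative path, so a line such as `// getAbsolutePath() may read user.dir, which needs a PropertyPermission under a SecurityManager` would document it. Because `uriStr` is derived from input to the resolver and the absolute path reveals the working directory, it is also worth confirming that the resolved path is not echoed back to the caller in errors or logs. The enclosing method starts and ends outside the hunk.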

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java
b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java
index 23327e8..f537574 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/SOAPBindingUtil.java
@@ -21,6 +21,8 @@ package org.apache.cxf.binding.soap;
 
 import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.Proxy;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -87,14 +89,15 @@ public final class SOAPBindingUtil {
          */
         Object proxy = null;
         try {
-            proxy = Proxy.newProxyInstance(Thread.currentThread().getContextClassLoader(),
+            proxy = Proxy.newProxyInstance(getContextClassLoader(),
                                               new Class[] {cls}, ih);
         } catch (Throwable ex) {
-            // Using cls classloader as a fallback to make it work within OSGi  
-            ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
-            if (contextLoader != cls.getClassLoader()) {
-                proxy = Proxy.newProxyInstance(cls.getClassLoader(),
-                                              new Class[] {cls}, ih);
+            // Using cls classloader as a fallback to make it work within OSGi
+            ClassLoader contextLoader = getContextClassLoader();
+            final ClassLoader clsClassLoader = getClassLoader(cls);
+            if (contextLoader != clsClassLoader) {
+                proxy = Proxy.newProxyInstance(clsClassLoader,
+                                               new Class[] {cls}, ih);
             } else {
                 if (ex instanceof RuntimeException) {
                     throw (RuntimeException)ex;
@@ -105,6 +108,30 @@ public final class SOAPBindingUtil {
         return cls.cast(proxy);
     }
 
+    private static ClassLoader getContextClassLoader() {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        }
+        return Thread.currentThread().getContextClassLoader();
+    }
+
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
     public static boolean isSOAPBinding(Binding binding) {
         for (Object obj : binding.getExtensibilityElements()) {
             if (isSOAPBinding(obj)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java
b/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java
index b72a721..879ffd3 100644
--- a/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java
+++ b/rt/frontend/jaxws/src/main/java/org/apache/cxf/jaxws/handler/AnnotationHandlerChainBuilder.java
@@ -20,6 +20,8 @@
 package org.apache.cxf.jaxws.handler;
 
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.ResourceBundle;
@@ -74,7 +76,7 @@ public class AnnotationHandlerChainBuilder extends HandlerChainBuilder {
     public List<Handler> buildHandlerChainFromClass(Class<?> clz, List<Handler>
existingHandlers,
                                                     QName portQName, QName serviceQName,
String bindingID) {
         LOG.fine("building handler chain");
-        classLoader = clz.getClassLoader();
+        classLoader = getClassLoader(clz);
         HandlerChainAnnotation hcAnn = findHandlerChainAnnotation(clz, true);
         List<Handler> chain = null;
         if (hcAnn == null) {
@@ -139,6 +141,18 @@ public class AnnotationHandlerChainBuilder extends HandlerChainBuilder
{
         return sortHandlers(chain);
     }
 
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
     private void processHandlerChainElement(Element el, List<Handler> chain,
                                             QName portQName, QName serviceQName, String bindingID)
{
         Node node = el.getFirstChild();
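Review bot: The new `getClassLoader(Class<?>)` helper has no comment saying why it must stay `private`: it returns a loader obtained inside `doPrivileged`, so widening its visibility would hand that loader to callers that lack `RuntimePermission("getClassLoader")`. I would add above it `// Keep private: returns a ClassLoader obtained under doPrivileged; never expose it to callers.` The same helper is added verbatim in ClientProxyFactoryBean further down and in the hunk at the top of this part of the patch, so the comment applies to all three copies. If the copies are ever merged into one shared utility, that utility should stay non-public for the same reason.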

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java
----------------------------------------------------------------------
diff --git a/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java
b/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java
index 7564407..8fde6b0 100644
--- a/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java
+++ b/rt/frontend/simple/src/main/java/org/apache/cxf/frontend/ClientProxyFactoryBean.java
@@ -19,6 +19,8 @@
 package org.apache.cxf.frontend;
 
 import java.io.Closeable;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
@@ -171,8 +173,7 @@ public class ClientProxyFactoryBean extends AbstractBasicInterceptorProvider
{
             ClientProxy handler = clientClientProxy(c);
     
             Class<?> classes[] = getImplementingClasses();
-            
-            Object obj = ProxyHelper.getProxy(clientFactoryBean.getServiceClass().getClassLoader(),
+            Object obj = ProxyHelper.getProxy(getClassLoader(clientFactoryBean.getServiceClass()),
                                               classes,
                                               handler);
     
@@ -186,6 +187,18 @@ public class ClientProxyFactoryBean extends AbstractBasicInterceptorProvider
{
         }
     }
 
+    private static ClassLoader getClassLoader(final Class<?> clazz) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
{
+                public ClassLoader run() {
+                    return clazz.getClassLoader();
+                }
+            });
+        }
+        return clazz.getClassLoader();
+    }
+
     protected Class<?>[] getImplementingClasses() {
         Class<?> cls = clientFactoryBean.getServiceClass();
         return new Class[] {cls, Closeable.class, Client.class};

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java
index 7a29374..14f532b 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/CXFAuthenticator.java
@@ -50,7 +50,7 @@ public class CXFAuthenticator extends Authenticator {
         if (instance == null) {
             instance = new CXFAuthenticator();
             Authenticator wrapped = null;
-            for (final Field f : Authenticator.class.getDeclaredFields()) {
+            for (final Field f : ReflectionUtil.getDeclaredFields(Authenticator.class)) {
                 if (f.getType().equals(Authenticator.class)) {
                     ReflectionUtil.setAccessible(f);
                     try {
@@ -74,9 +74,7 @@ public class CXFAuthenticator extends Authenticator {
                             return new URLClassLoader(new URL[0], ClassLoader.getSystemClassLoader());
                         }
                     }, null);
-                
-                
-                Method m = ClassLoader.class.getDeclaredMethod("defineClass", String.class,

+                Method m = ReflectionUtil.getDeclaredMethod(ClassLoader.class, "defineClass",
String.class,
                                                                byte[].class, Integer.TYPE,
Integer.TYPE);
                 
                 InputStream ins = ReferencingAuthenticator.class
@@ -102,7 +100,7 @@ public class CXFAuthenticator extends Authenticator {
                 }
                 try {
                     //clear the acc field that can hold onto the webapp classloader
-                    Field f = loader.getClass().getDeclaredField("acc");
+                    Field f = ReflectionUtil.getDeclaredField(loader.getClass(), "acc");
                     ReflectionUtil.setAccessible(f).set(loader, null);
                 } catch (Throwable t) {
                     //ignore

http://git-wip-us.apache.org/repos/asf/cxf/blob/45a04b3e/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java
----------------------------------------------------------------------
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java
b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java
index a429ddf..00fb97b 100644
--- a/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java
+++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/http/URLConnectionHTTPConduit.java
@@ -30,6 +30,9 @@ import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.logging.Level;
 
 import javax.net.ssl.HttpsURLConnection;
@@ -254,7 +257,21 @@ public class URLConnectionHTTPConduit extends HTTPConduit {
             OutputStream cout = null;
             try {
                 try {
-                    cout = connection.getOutputStream();
+//                    cout = connection.getOutputStream();
+                    if (System.getSecurityManager() != null) {
+                        try {
+                            cout = AccessController.doPrivileged(new PrivilegedExceptionAction<OutputStream>()
{
+                                @Override
+                                public OutputStream run() throws IOException {
+                                    return connection.getOutputStream();
+                                }
+                            });
+                        } catch (PrivilegedActionException e) {
+                            throw (IOException) e.getException();
+                        }
+                    } else {
+                        cout = connection.getOutputStream();
+                    }
                 } catch (ProtocolException pe) {
                     Boolean b =  (Boolean)outMessage.get(HTTPURL_CONNECTION_METHOD_REFLECTION);
                     cout = connectAndGetOutputStream(b); 
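Review bot: The commented-out `// cout = connection.getOutputStream();` left at the top of the added block should be deleted rather than committed; version control already keeps the old line. The `doPrivileged` wrapper also needs a why-comment, because with it the connect permission check sees only CXF's own protection domain and not the calling code. Where `connection`'s address comes from is outside this hunk, so I would state the assumption explicitly, e.g. `// privileged: the socket permission check stops at CXF; the endpoint address must come from trusted configuration`. The cast in `throw (IOException) e.getException();` is safe since `run()` declares only `IOException`, and a `ProtocolException` rethrown there still reaches the existing `catch (ProtocolException pe)`. The enclosing method starts and ends outside the hunk.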

