8038970: Deprivilege JAX-WS/JAF code
Summary: Changes to prepare for granting minimal set of permissions to JAX-WS code.
Reviewed-by: mchung
--- a/jaxws/src/share/jaf_classes/javax/activation/CommandMap.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaf_classes/javax/activation/CommandMap.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -93,10 +93,11 @@
// otherwise, we also allow it if this code and the
// factory come from the same (non-system) class loader (e.g.,
// the JAF classes were loaded with the applet classes).
- if (CommandMap.class.getClassLoader() == null ||
- CommandMap.class.getClassLoader() !=
- commandMap.getClass().getClassLoader())
+ ClassLoader cl = CommandMap.class.getClassLoader();
+ if (cl == null || cl.getParent() == null ||
+ cl != commandMap.getClass().getClassLoader()) {
throw ex;
+ }
}
}
// remove any per-thread-context-class-loader CommandMap
--- a/jaxws/src/share/jaf_classes/javax/activation/FileTypeMap.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaf_classes/javax/activation/FileTypeMap.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -96,9 +96,9 @@
// otherwise, we also allow it if this code and the
// factory come from the same (non-system) class loader (e.g.,
// the JAF classes were loaded with the applet classes).
- if (FileTypeMap.class.getClassLoader() == null ||
- FileTypeMap.class.getClassLoader() !=
- fileTypeMap.getClass().getClassLoader())
+ ClassLoader cl = FileTypeMap.class.getClassLoader();
+ if (cl == null || cl.getParent() == null ||
+ cl != fileTypeMap.getClass().getClassLoader())
throw ex;
}
}
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/model/nav/ReflectionNavigator.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/model/nav/ReflectionNavigator.java Fri Jul 18 19:14:38 2014 +0200
@@ -35,6 +35,8 @@
import java.lang.reflect.Type;
import java.lang.reflect.TypeVariable;
import java.lang.reflect.WildcardType;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collection;
@@ -264,20 +266,38 @@
return clazz.getSimpleName();
}
- public Collection<? extends Field> getDeclaredFields(Class clazz) {
- return Arrays.asList(clazz.getDeclaredFields());
+ public Collection<? extends Field> getDeclaredFields(final Class clazz) {
+ Field[] fields = AccessController.doPrivileged(new PrivilegedAction<Field[]>() {
+ @Override
+ public Field[] run() {
+ return clazz.getDeclaredFields();
+ }
+ });
+ return Arrays.asList(fields);
}
- public Field getDeclaredField(Class clazz, String fieldName) {
- try {
- return clazz.getDeclaredField(fieldName);
- } catch (NoSuchFieldException e) {
- return null;
- }
+ public Field getDeclaredField(final Class clazz, final String fieldName) {
+ return AccessController.doPrivileged(new PrivilegedAction<Field>() {
+ @Override
+ public Field run() {
+ try {
+ return clazz.getDeclaredField(fieldName);
+ } catch (NoSuchFieldException e) {
+ return null;
+ }
+ }
+ });
}
- public Collection<? extends Method> getDeclaredMethods(Class clazz) {
- return Arrays.asList(clazz.getDeclaredMethods());
+ public Collection<? extends Method> getDeclaredMethods(final Class clazz) {
+ Method[] methods =
+ AccessController.doPrivileged(new PrivilegedAction<Method[]>() {
+ @Override
+ public Method[] run() {
+ return clazz.getDeclaredMethods();
+ }
+ });
+ return Arrays.asList(methods);
}
public Class getDeclaringClassForField(Field field) {
@@ -565,7 +585,7 @@
return method.isBridge();
}
- public boolean isOverriding(Method method, Class base) {
+ public boolean isOverriding(Method method, final Class base) {
// this isn't actually correct,
// as the JLS considers
// class Derived extends Base<Integer> {
@@ -576,22 +596,30 @@
// }
// to be overrided. Handling this correctly needs a careful implementation
- String name = method.getName();
- Class[] params = method.getParameterTypes();
+ final String name = method.getName();
+ final Class[] params = method.getParameterTypes();
+
+ return AccessController.doPrivileged(
+ new PrivilegedAction<Boolean>() {
- while (base != null) {
- try {
- if (base.getDeclaredMethod(name, params) != null) {
- return true;
+ @Override
+ public Boolean run() {
+ Class clazz = base;
+ while (clazz != null) {
+ try {
+ Method m = clazz.getDeclaredMethod(name, params);
+ if (m != null) {
+ return Boolean.TRUE;
+ }
+ } catch (NoSuchMethodException ignored) {
+ // recursively go into the base class
+ }
+ clazz = clazz.getSuperclass();
+ }
+ return Boolean.FALSE;
+ }
}
- } catch (NoSuchMethodException e) {
- // recursively go into the base class
- }
-
- base = base.getSuperclass();
- }
-
- return false;
+ );
}
public boolean isInterface(Class clazz) {
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/JaxBeanInfo.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/JaxBeanInfo.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,8 @@
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
@@ -415,6 +417,15 @@
private static final Class[] unmarshalEventParams = { Unmarshaller.class, Object.class };
private static Class[] marshalEventParams = { Marshaller.class };
+ private Method[] getDeclaredMethods(final Class<BeanT> c) {
+ return AccessController.doPrivileged(new PrivilegedAction<Method[]>() {
+ @Override
+ public Method[] run() {
+ return c.getDeclaredMethods();
+ }
+ });
+ }
+
/**
* use reflection to determine which of the 4 object lifecycle methods exist on
* the JAXB bound type.
@@ -428,7 +439,7 @@
}
while (jt != null) {
- for (Method m : jt.getDeclaredMethods()) {
+ for (Method m : getDeclaredMethods(jt)) {
String name = m.getName();
if (lcm.beforeUnmarshal == null) {
@@ -468,7 +479,7 @@
} catch (SecurityException e) {
// this happens when we don't have enough permission.
logger.log(Level.WARNING, Messages.UNABLE_TO_DISCOVER_EVENTHANDLER.format(
- jaxbType.getName(), e));
+ jaxbType.getName(), e), e);
}
}
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/Accessor.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/Accessor.java Fri Jul 18 19:14:38 2014 +0200
@@ -229,8 +229,7 @@
if (!Modifier.isPublic(mod) || Modifier.isFinal(mod) || !Modifier.isPublic(f.getDeclaringClass().getModifiers())) {
try {
// attempt to make it accessible, but do so in the security context of the calling application.
- // don't do this in the doPrivilege block, as that would create a security hole for anyone
- // to make any field accessible.
+ // don't do this in the doPrivilege block
f.setAccessible(true);
} catch (SecurityException e) {
if ((!accessWarned) && (!supressAccessorWarnings)) {
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/opt/Injector.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/reflect/opt/Injector.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -146,26 +146,31 @@
private static final Method findLoadedClass;
static {
+ Method[] m = AccessController.doPrivileged(
+ new PrivilegedAction<Method[]>() {
+ @Override
+ public Method[] run() {
+ return new Method[]{
+ getMethod(ClassLoader.class, "defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE),
+ getMethod(ClassLoader.class, "resolveClass", Class.class),
+ getMethod(ClassLoader.class, "findLoadedClass", String.class)
+ };
+ }
+ }
+ );
+ defineClass = m[0];
+ resolveClass = m[1];
+ findLoadedClass = m[2];
+ }
+
+ private static Method getMethod(final Class<?> c, final String methodname, final Class<?>... params) {
try {
- defineClass = ClassLoader.class.getDeclaredMethod("defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE);
- resolveClass = ClassLoader.class.getDeclaredMethod("resolveClass", Class.class);
- findLoadedClass = ClassLoader.class.getDeclaredMethod("findLoadedClass", String.class);
+ Method m = c.getDeclaredMethod(methodname, params);
+ m.setAccessible(true);
+ return m;
} catch (NoSuchMethodException e) {
- // impossible
throw new NoSuchMethodError(e.getMessage());
}
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
-
- @Override
- public Void run() {
- // TODO: check security implication
- // do these setAccessible allow anyone to call these methods freely?s
- defineClass.setAccessible(true);
- resolveClass.setAccessible(true);
- findLoadedClass.setAccessible(true);
- return null;
- }
- });
}
private Injector(ClassLoader parent) {
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/api/streaming/XMLStreamWriterFactory.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/api/streaming/XMLStreamWriterFactory.java Fri Jul 18 19:14:38 2014 +0200
@@ -42,6 +42,8 @@
import java.io.StringWriter;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.logging.Level;
import java.util.logging.Logger;
@@ -91,8 +93,6 @@
}
} catch (XMLStreamException ex) {
Logger.getLogger(XMLStreamWriterFactory.class.getName()).log(Level.INFO, null, ex);
- } catch (NoSuchMethodException ex) {
- Logger.getLogger(XMLStreamWriterFactory.class.getName()).log(Level.INFO, null, ex);
}
}
@@ -282,17 +282,31 @@
return new Zephyr(xof,clazz);
} catch (XMLStreamException e) {
return null; // impossible
- } catch (NoSuchMethodException e) {
- return null; // this xof wasn't Zephyr
}
}
- private Zephyr(XMLOutputFactory xof, Class clazz) throws NoSuchMethodException {
+ private Zephyr(XMLOutputFactory xof, Class clazz) {
this.xof = xof;
zephyrClass = clazz;
- setOutputMethod = clazz.getMethod("setOutput", StreamResult.class, String.class);
- resetMethod = clazz.getMethod("reset");
+ setOutputMethod = getMethod(clazz, "setOutput", StreamResult.class, String.class);
+ resetMethod = getMethod(clazz, "reset");
+ }
+
+ private static Method getMethod(final Class<?> c, final String methodname, final Class<?>... params) {
+ return AccessController.doPrivileged(
+ new PrivilegedAction<Method>() {
+ @Override
+ public Method run() {
+ try {
+ return c.getMethod(methodname, params);
+ } catch (NoSuchMethodException e) {
+ // impossible
+ throw new NoSuchMethodError(e.getMessage());
+ }
+ }
+ }
+ );
}
/**
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/MetroConfigLoader.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -42,13 +42,12 @@
import javax.xml.stream.XMLInputFactory;
import javax.xml.ws.WebServiceException;
import java.lang.reflect.Method;
-import java.lang.reflect.ReflectPermission;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
-import java.security.*;
-import java.util.PropertyPermission;
+import java.security.AccessController;
+import java.security.PrivilegedExceptionAction;
import java.util.logging.Level;
/**
@@ -258,24 +257,13 @@
public JAXBContext run() throws Exception {
return JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
}
- }, createSecurityContext()
- );
+ });
} else {
// usage from JAX-WS/Metro/Glassfish
return JAXBContext.newInstance(MetroConfig.class.getPackage().getName());
}
}
- private static AccessControlContext createSecurityContext() {
- PermissionCollection perms = new Permissions();
- perms.add(new RuntimePermission("accessClassInPackage.com" + ".sun.xml.internal.ws.runtime.config")); // avoid repackaging
- perms.add(new ReflectPermission("suppressAccessChecks"));
- return new AccessControlContext(
- new ProtectionDomain[]{
- new ProtectionDomain(null, perms),
- });
- }
-
private static boolean isJDKInternal() {
// avoid "string repackaging"
return MetroConfigLoader.class.getName().startsWith("com." + "sun.xml.internal.ws");
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubeCreator.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubeCreator.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -49,7 +49,7 @@
try {
Class<?> factoryClass;
if (isJDKInternal(className)) {
- factoryClass = Class.forName(className, true, null);
+ factoryClass = Class.forName(className, true, TubeCreator.class.getClassLoader());
} else {
factoryClass = Class.forName(className, true, tubeFactoryClassLoader);
}
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubelineAssemblyController.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/assembler/TubelineAssemblyController.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -109,11 +109,12 @@
}
private Collection<TubeCreator> initializeTubeCreators(TubeFactoryList tfl) {
- final ClassLoader contextClassLoader = Thread.currentThread().getContextClassLoader();
+ ClassLoader tccl = Thread.currentThread().getContextClassLoader();
+ ClassLoader classLoader = tccl != null ? tccl : TubelineAssemblyController.class.getClassLoader();
LinkedList<TubeCreator> tubeCreators = new LinkedList<TubeCreator>();
for (TubeFactoryConfig tubeFactoryConfig : tfl.getTubeFactoryConfigs()) {
- tubeCreators.addFirst(new TubeCreator(tubeFactoryConfig, contextClassLoader));
+ tubeCreators.addFirst(new TubeCreator(tubeFactoryConfig, classLoader));
}
return tubeCreators;
}
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/client/WSServiceDelegate.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/client/WSServiceDelegate.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -91,7 +91,8 @@
import java.lang.reflect.Proxy;
import java.net.MalformedURLException;
import java.net.URL;
-import java.security.*;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
@@ -715,11 +716,6 @@
final ClassLoader loader = getDelegatingLoader(portInterface.getClassLoader(),
WSServiceDelegate.class.getClassLoader());
- // accessClassInPackage privilege needs to be granted ...
- RuntimePermission perm = new RuntimePermission("accessClassInPackage.com.sun." + "xml.internal.*");
- PermissionCollection perms = perm.newPermissionCollection();
- perms.add(perm);
-
return AccessController.doPrivileged(
new PrivilegedAction<T>() {
@Override
@@ -728,12 +724,8 @@
new Class[]{portInterface, WSBindingProvider.class, Closeable.class}, pis);
return portInterface.cast(proxy);
}
- },
- new AccessControlContext(
- new ProtectionDomain[]{
- new ProtectionDomain(null, perms)
- })
- );
+ });
+
}
private WSDLService getWSDLModelfromSEI(final Class sei) {
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/fault/SOAPFaultBuilder.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -58,12 +58,8 @@
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
-import java.lang.reflect.ReflectPermission;
-import java.security.AccessControlContext;
import java.security.AccessController;
-import java.security.Permissions;
import java.security.PrivilegedAction;
-import java.security.ProtectionDomain;
import java.util.Iterator;
import java.util.Map;
import java.util.logging.Level;
@@ -569,9 +565,6 @@
// in jdk runtime doPrivileged is necessary since JAX-WS internal classes are in restricted packages
if (isJDKRuntime()) {
- Permissions permissions = new Permissions();
- permissions.add(new RuntimePermission("accessClassInPackage.com.sun." + "xml.internal.ws.fault"));
- permissions.add(new ReflectPermission("suppressAccessChecks"));
return AccessController.doPrivileged(
new PrivilegedAction<JAXBContext>() {
@Override
@@ -582,9 +575,7 @@
throw new Error(e);
}
}
- },
- new AccessControlContext(new ProtectionDomain[]{new ProtectionDomain(null, permissions)})
- );
+ });
} else {
try {
--- a/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/model/Injector.java Tue Apr 15 10:31:11 2014 -0400
+++ b/jaxws/src/share/jaxws_classes/com/sun/xml/internal/ws/model/Injector.java Fri Jul 18 19:14:38 2014 +0200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2014, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -50,28 +50,36 @@
private static final Method definePackage;
static {
+ Method[] m = AccessController.doPrivileged(
+ new PrivilegedAction<Method[]>() {
+ @Override
+ public Method[] run() {
+ return new Method[]{
+ getMethod(ClassLoader.class, "defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE),
+ getMethod(ClassLoader.class, "resolveClass", Class.class),
+ getMethod(ClassLoader.class, "getPackage", String.class),
+ getMethod(ClassLoader.class, "definePackage",
+ String.class, String.class, String.class, String.class,
+ String.class, String.class, String.class, URL.class)
+ };
+ }
+ }
+ );
+ defineClass = m[0];
+ resolveClass = m[1];
+ getPackage = m[2];
+ definePackage = m[3];
+ }
+
+ private static Method getMethod(final Class<?> c, final String methodname, final Class<?>... params) {
try {
- defineClass = ClassLoader.class.getDeclaredMethod("defineClass",String.class,byte[].class,Integer.TYPE,Integer.TYPE);
- resolveClass = ClassLoader.class.getDeclaredMethod("resolveClass",Class.class);
- getPackage = ClassLoader.class.getDeclaredMethod("getPackage", String.class);
- definePackage = ClassLoader.class.getDeclaredMethod("definePackage",
- String.class, String.class, String.class, String.class,
- String.class, String.class, String.class, URL.class);
+ Method m = c.getDeclaredMethod(methodname, params);
+ m.setAccessible(true);
+ return m;
} catch (NoSuchMethodException e) {
// impossible
throw new NoSuchMethodError(e.getMessage());
}
- AccessController.doPrivileged(new PrivilegedAction<Void>() {
- public Void run() {
- // TODO: check security implication
- // do these setAccessible allow anyone to call these methods freely?s
- defineClass.setAccessible(true);
- resolveClass.setAccessible(true);
- getPackage.setAccessible(true);
- definePackage.setAccessible(true);
- return null;
- }
- });
}
static synchronized Class inject(ClassLoader cl, String className, byte[] image) {