--- jdk/src/share/lib/security/java.security 2013-04-16 14:57:04.075141879 +0100 +++ jdk/src/share/lib/security/java.security 2013-04-16 14:58:37.884647607 +0100 @@ -128,10 +128,7 @@ # corresponding RuntimePermission ("accessClassInPackage."+package) has # been granted. package.access=sun.,\ - com.sun.xml.internal.bind.,\ - com.sun.xml.internal.org.jvnet.staxex.,\ - com.sun.xml.internal.stream.,\ - com.sun.xml.internal.ws.,\ + com.sun.xml.internal.,\ com.sun.imageio.,\ com.sun.istack.internal.,\ com.sun.jmx.,\ @@ -164,10 +161,7 @@ # checkPackageDefinition. # package.definition=sun.,\ - com.sun.xml.internal.bind.,\ - com.sun.xml.internal.org.jvnet.staxex.,\ - com.sun.xml.internal.stream.,\ - com.sun.xml.internal.ws.,\ + com.sun.xml.internal.,\ com.sun.imageio.,\ com.sun.istack.internal.,\ com.sun.jmx.,\ --- jdk/src/share/lib/security/java.security-solaris 2013-04-16 14:57:04.075141879 +0100 +++ jdk/src/share/lib/security/java.security-solaris 2013-04-16 15:00:01.509990145 +0100 @@ -129,10 +129,7 @@ # corresponding RuntimePermission ("accessClassInPackage."+package) has # been granted. package.access=sun.,\ - com.sun.xml.internal.bind.,\ - com.sun.xml.internal.org.jvnet.staxex.,\ - com.sun.xml.internal.stream.,\ - com.sun.xml.internal.ws.,\ + com.sun.xml.internal.,\ com.sun.imageio. com.sun.istack.internal.,\ com.sun.jmx.,\ @@ -165,10 +162,7 @@ # checkPackageDefinition. # package.definition=sun.,\ - com.sun.xml.internal.bind.,\ - com.sun.xml.internal.org.jvnet.staxex.,\ - com.sun.xml.internal.stream.,\ - com.sun.xml.internal.ws.,\ + com.sun.xml.internal.,\ com.sun.imageio. com.sun.istack.internal.,\ com.sun.jmx.,\ --- jdk/src/share/lib/security/java.security-windows 2013-04-16 14:57:04.075141879 +0100 +++ jdk/src/share/lib/security/java.security-windows 2013-04-16 15:00:24.790356811 +0100 @@ -129,10 +129,7 @@ # corresponding RuntimePermission ("accessClassInPackage."+package) has # been granted. package.access=sun.,\ - com.sun.xml.internal.bind.,\ - com.sun.xml.internal.org.jvnet.staxex.,\ - com.sun.xml.internal.stream.,\ - com.sun.xml.internal.ws.,\ + com.sun.xml.internal.,\ com.sun.imageio. com.sun.istack.internal.,\ com.sun.jmx.,\ @@ -165,10 +162,7 @@ # checkPackageDefinition. # package.definition=sun.,\ - com.sun.xml.internal.bind.,\ - com.sun.xml.internal.org.jvnet.staxex.,\ - com.sun.xml.internal.stream.,\ - com.sun.xml.internal.ws.,\ + com.sun.xml.internal.,\ com.sun.imageio. com.sun.istack.internal.,\ com.sun.jmx.,\ --- /dev/null 2013-04-25 15:02:13.000000000 -0400 +++ jaxws/patches/jaxws_src/8005432.patch 2013-04-25 15:09:37.000000000 -0400 @@ -0,0 +1,430 @@ +--- src/com/sun/xml/internal/bind/v2/model/impl/ModelBuilder.java 2013-04-16 14:56:58.235048158 +0100 ++++ src/com/sun/xml/internal/bind/v2/model/impl/ModelBuilder.java 2013-04-16 14:58:37.884647607 +0100 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -235,7 +235,7 @@ + String pkg = nav.getPackageName(ci.getClazz()); + if(!registries.containsKey(pkg)) { + // insert the package's object factory +- C c = nav.findClass(pkg + ".ObjectFactory",ci.getClazz()); ++ C c = loadObjectFactory(ci, pkg); + if(c!=null) + addRegistry(c,(Locatable)p); + } +@@ -264,6 +264,15 @@ + return r; + } + ++ private C loadObjectFactory(ClassInfoImpl ci, String pkg) { ++ try { ++ return nav.findClass(pkg + ".ObjectFactory", ci.getClazz()); ++ } catch (SecurityException ignored) { ++ // treat SecurityException in same way as ClassNotFoundException in this case ++ return null; ++ } ++ } ++ + /** + * Checks the uniqueness of the type name. + */ +--- src/com/sun/xml/internal/ws/client/WSServiceDelegate.java 2013-04-16 14:56:58.419051111 +0100 ++++ src/com/sun/xml/internal/ws/client/WSServiceDelegate.java 2013-04-16 14:58:37.884647607 +0100 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -22,7 +22,6 @@ + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +- + package com.sun.xml.internal.ws.client; + + import com.sun.istack.internal.NotNull; +@@ -45,8 +44,8 @@ + import com.sun.xml.internal.ws.client.HandlerConfigurator.AnnotationConfigurator; + import com.sun.xml.internal.ws.client.HandlerConfigurator.HandlerResolverImpl; + import com.sun.xml.internal.ws.client.sei.SEIStub; +-import com.sun.xml.internal.ws.developer.WSBindingProvider; + import com.sun.xml.internal.ws.developer.UsesJAXBContextFeature; ++import com.sun.xml.internal.ws.developer.WSBindingProvider; + import com.sun.xml.internal.ws.model.AbstractSEIModelImpl; + import com.sun.xml.internal.ws.model.RuntimeModeler; + import com.sun.xml.internal.ws.model.SOAPSEIModel; +@@ -59,7 +58,6 @@ + import com.sun.xml.internal.ws.util.JAXWSUtils; + import com.sun.xml.internal.ws.util.ServiceConfigurationError; + import com.sun.xml.internal.ws.util.ServiceFinder; +-import static com.sun.xml.internal.ws.util.xml.XmlUtil.createDefaultCatalogResolver; + import com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser; + import org.xml.sax.SAXException; + +@@ -74,16 +72,18 @@ + import javax.xml.ws.handler.HandlerResolver; + import javax.xml.ws.soap.AddressingFeature; + import java.io.IOException; ++import java.lang.RuntimePermission; + import java.lang.reflect.Proxy; + import java.net.MalformedURLException; + import java.net.URL; +-import java.security.AccessController; +-import java.security.PrivilegedAction; ++import java.security.*; + import java.util.*; + import java.util.concurrent.Executor; + import java.util.concurrent.Executors; + import java.util.concurrent.ThreadFactory; + ++import static com.sun.xml.internal.ws.util.xml.XmlUtil.createDefaultCatalogResolver; ++ + /** + * Service objects provide the client view of a Web service. + * +@@ -613,7 +613,7 @@ + } + } + +- private T createEndpointIFBaseProxy(@Nullable WSEndpointReference epr,QName portName, Class portInterface, ++ private T createEndpointIFBaseProxy(@Nullable WSEndpointReference epr,QName portName, final Class portInterface, + WebServiceFeature[] webServiceFeatures, SEIPortInfo eif) { + //fail if service doesnt have WSDL + if (wsdlService == null) +@@ -627,14 +627,37 @@ + BindingImpl binding = eif.createBinding(webServiceFeatures,portInterface); + SEIStub pis = new SEIStub(this, binding, eif.model, createPipeline(eif, binding), epr); + +- T proxy = portInterface.cast(Proxy.newProxyInstance(portInterface.getClassLoader(), +- new Class[]{portInterface, WSBindingProvider.class, Closeable.class}, pis)); ++ T proxy = createProxy(portInterface, pis); ++ + if (serviceInterceptor != null) { + serviceInterceptor.postCreateProxy((WSBindingProvider)proxy, portInterface); + } + return proxy; + } + ++ private T createProxy(final Class portInterface, final SEIStub pis) { ++ ++ // accessClassInPackage privilege needs to be granted ... ++ RuntimePermission perm = new RuntimePermission("accessClassInPackage.com.sun." + "xml.internal.*"); ++ PermissionCollection perms = perm.newPermissionCollection(); ++ perms.add(perm); ++ ++ return AccessController.doPrivileged( ++ new PrivilegedAction() { ++ @Override ++ public T run() { ++ Object proxy = Proxy.newProxyInstance(portInterface.getClassLoader(), ++ new Class[]{portInterface, WSBindingProvider.class, Closeable.class}, pis); ++ return portInterface.cast(proxy); ++ } ++ }, ++ new AccessControlContext( ++ new ProtectionDomain[]{ ++ new ProtectionDomain(null, perms) ++ }) ++ ); ++ } ++ + /** + * Lists up the port names in WSDL. For error diagnostics. + */ +--- src/javax/xml/soap/FactoryFinder.java 2013-04-16 14:56:58.667055090 +0100 ++++ src/javax/xml/soap/FactoryFinder.java 2013-04-16 14:58:37.888647671 +0100 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -50,20 +50,12 @@ + throws SOAPException + { + try { +- Class spiClass; +- if (classLoader == null) { +- spiClass = Class.forName(className); +- } else { +- spiClass = classLoader.loadClass(className); +- } ++ Class spiClass = safeLoadClass(className, classLoader); + return spiClass.newInstance(); + } catch (ClassNotFoundException x) { +- throw new SOAPException( +- "Provider " + className + " not found", x); ++ throw new SOAPException("Provider " + className + " not found", x); + } catch (Exception x) { +- throw new SOAPException( +- "Provider " + className + " could not be instantiated: " + x, +- x); ++ throw new SOAPException("Provider " + className + " could not be instantiated: " + x, x); + } + } + +@@ -83,6 +75,61 @@ + static Object find(String factoryId) + throws SOAPException + { ++ return find(factoryId, null, false); ++ } ++ ++ /** ++ * Finds the implementation Class object for the given ++ * factory name, or if that fails, finds the Class object ++ * for the given fallback class name. The arguments supplied must be ++ * used in order. If using the first argument is successful, the second ++ * one will not be used. ++ *

++ * This method is package private so that this code can be shared. ++ * ++ * @return the Class object of the specified message factory; ++ * may be null ++ * ++ * @param factoryId the name of the factory to find, which is ++ * a system property ++ * @param fallbackClassName the implementation class name, which is ++ * to be used only if nothing else ++ * is found; null to indicate that ++ * there is no fallback class name ++ * @exception SOAPException if there is a SOAP error ++ */ ++ static Object find(String factoryId, String fallbackClassName) ++ throws SOAPException ++ { ++ return find(factoryId, fallbackClassName, true); ++ } ++ ++ /** ++ * Finds the implementation Class object for the given ++ * factory name, or if that fails, finds the Class object ++ * for the given default class name, but only if tryFallback ++ * is true. The arguments supplied must be used in order ++ * If using the first argument is successful, the second one will not ++ * be used. Note the default class name may be needed even if fallback ++ * is not to be attempted, so certain error conditions can be handled. ++ *

++ * This method is package private so that this code can be shared. ++ * ++ * @return the Class object of the specified message factory; ++ * may not be null ++ * ++ * @param factoryId the name of the factory to find, which is ++ * a system property ++ * @param defaultClassName the implementation class name, which is ++ * to be used only if nothing else ++ * is found; null to indicate ++ * that there is no default class name ++ * @param tryFallback whether to try the default class as a ++ * fallback ++ * @exception SOAPException if there is a SOAP error ++ */ ++ static Object find(String factoryId, String defaultClassName, ++ boolean tryFallback) throws SOAPException { + ClassLoader classLoader; + try { + classLoader = Thread.currentThread().getContextClassLoader(); +@@ -140,49 +187,56 @@ + } catch( Exception ex ) { + } + +- return null; ++ // If not found and fallback should not be tried, return a null result. ++ if (!tryFallback) ++ return null; ++ ++ // We didn't find the class through the usual means so try the default ++ // (built in) factory if specified. ++ if (defaultClassName == null) { ++ throw new SOAPException( ++ "Provider for " + factoryId + " cannot be found", null); ++ } ++ return newInstance(defaultClassName, classLoader); + } + + /** +- * Finds the implementation Class object for the given +- * factory name, or if that fails, finds the Class object +- * for the given fallback class name. The arguments supplied must be +- * used in order. If using the first argument is successful, the second +- * one will not be used. +- *

+- * This method is package private so that this code can be shared. +- * +- * @return the Class object of the specified message factory; +- * may not be null +- * +- * @param factoryId the name of the factory to find, which is +- * a system property +- * @param fallbackClassName the implementation class name, which is +- * to be used only if nothing else +- * is found; null to indicate that +- * there is no fallback class name +- * @exception SOAPException if there is a SOAP error ++ * Loads the class, provided that the calling thread has an access to the ++ * class being loaded. If this is the specified default factory class and it ++ * is restricted by package.access we get a SecurityException and can do a ++ * Class.forName() on it so it will be loaded by the bootstrap class loader. + */ +- static Object find(String factoryId, String fallbackClassName) +- throws SOAPException +- { +- +- Object obj = find(factoryId); +- if (obj != null) +- return obj; ++ private static Class safeLoadClass(String className, ++ ClassLoader classLoader) ++ throws ClassNotFoundException { ++ try { ++ // make sure that the current thread has an access to the package of the given name. ++ SecurityManager s = System.getSecurityManager(); ++ if (s != null) { ++ int i = className.lastIndexOf('.'); ++ if (i != -1) { ++ s.checkPackageAccess(className.substring(0, i)); ++ } ++ } + +- ClassLoader classLoader; +- try { +- classLoader = Thread.currentThread().getContextClassLoader(); +- } catch (Exception x) { +- throw new SOAPException(x.toString(), x); +- } ++ if (classLoader == null) ++ return Class.forName(className); ++ else ++ return classLoader.loadClass(className); ++ } catch (SecurityException se) { ++ // (only) default implementation can be loaded ++ // using bootstrap class loader ... ++ if (isDefaultImplementation(className)) ++ return Class.forName(className); + +- if (fallbackClassName == null) { +- throw new SOAPException( +- "Provider for " + factoryId + " cannot be found", null); ++ throw se; + } ++ } + +- return newInstance(fallbackClassName, classLoader); ++ private static boolean isDefaultImplementation(String className) { ++ return MessageFactory.DEFAULT_MESSAGE_FACTORY.equals(className) || ++ SOAPFactory.DEFAULT_SOAP_FACTORY.equals(className) || ++ SOAPConnectionFactory.DEFAULT_SOAP_CONNECTION_FACTORY.equals(className) || ++ SAAJMetaFactory.DEFAULT_META_FACTORY_CLASS.equals(className); + } + } +--- src/javax/xml/soap/MessageFactory.java 2013-04-16 14:56:58.667055090 +0100 ++++ src/javax/xml/soap/MessageFactory.java 2013-04-16 14:58:37.888647671 +0100 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -72,7 +72,7 @@ + */ + public abstract class MessageFactory { + +- static private final String DEFAULT_MESSAGE_FACTORY ++ static final String DEFAULT_MESSAGE_FACTORY + = "com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl"; + + static private final String MESSAGE_FACTORY_PROPERTY +@@ -105,11 +105,14 @@ + public static MessageFactory newInstance() + throws SOAPException { + try { +- MessageFactory factory = (MessageFactory) +- FactoryFinder.find(MESSAGE_FACTORY_PROPERTY); ++ MessageFactory factory = (MessageFactory) FactoryFinder.find( ++ MESSAGE_FACTORY_PROPERTY, ++ DEFAULT_MESSAGE_FACTORY, ++ false); + +- if (factory != null) ++ if (factory != null) { + return factory; ++ } + + return newInstance(SOAPConstants.SOAP_1_1_PROTOCOL); + } catch (Exception ex) { +--- src/javax/xml/soap/SAAJMetaFactory.java 2013-04-16 14:56:58.667055090 +0100 ++++ src/javax/xml/soap/SAAJMetaFactory.java 2013-04-16 14:58:37.888647671 +0100 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -50,7 +50,7 @@ + public abstract class SAAJMetaFactory { + static private final String META_FACTORY_CLASS_PROPERTY = + "javax.xml.soap.MetaFactory"; +- static private final String DEFAULT_META_FACTORY_CLASS = ++ static final String DEFAULT_META_FACTORY_CLASS = + "com.sun.xml.internal.messaging.saaj.soap.SAAJMetaFactoryImpl"; + + /** +--- src/javax/xml/soap/SOAPConnectionFactory.java 2013-04-16 14:56:58.667055090 +0100 ++++ src/javax/xml/soap/SOAPConnectionFactory.java 2013-04-16 14:58:37.888647671 +0100 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -44,7 +44,7 @@ + * A constant representing the default value for a SOAPConnection + * object. The default is the point-to-point SOAP connection. + */ +- static private final String DEFAULT_SOAP_CONNECTION_FACTORY ++ static final String DEFAULT_SOAP_CONNECTION_FACTORY + = "com.sun.xml.internal.messaging.saaj.client.p2p.HttpSOAPConnectionFactory"; + + /** +--- src/javax/xml/soap/SOAPFactory.java 2013-04-16 14:56:58.671055155 +0100 ++++ src/javax/xml/soap/SOAPFactory.java 2013-04-16 14:58:37.888647671 +0100 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -61,6 +61,12 @@ + "javax.xml.soap.SOAPFactory"; + + /** ++ * Class name of default SOAPFactory implementation. ++ */ ++ static final String DEFAULT_SOAP_FACTORY ++ = "com.sun.xml.internal.messaging.saaj.soap.ver1_1.SOAPFactory1_1Impl"; ++ ++ /** + * Creates a SOAPElement object from an existing DOM + * Element. If the DOM Element that is passed in + * as an argument is already a SOAPElement then this method +@@ -262,7 +268,7 @@ + throws SOAPException + { + try { +- SOAPFactory factory = (SOAPFactory) FactoryFinder.find(SOAP_FACTORY_PROPERTY); ++ SOAPFactory factory = (SOAPFactory) FactoryFinder.find(SOAP_FACTORY_PROPERTY, DEFAULT_SOAP_FACTORY, false); + if (factory != null) + return factory; + return newInstance(SOAPConstants.SOAP_1_1_PROTOCOL);