This is an automated email from the ASF dual-hosted git repository. amccright pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push: new 2424d91 Fix Java 2 security issues 2424d91 is described below commit 2424d912e92109c3ce08a95347056e825b52c035 Author: Andy McCright <j.andrew.mccri...@gmail.com> AuthorDate: Tue Feb 5 13:02:37 2019 -0600 Fix Java 2 security issues --- .../java/org/apache/cxf/common/classloader/ClassLoaderUtils.java | 6 ++++++ .../main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java | 5 +++-- core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java | 3 ++- core/src/main/java/org/apache/cxf/helpers/JavaUtils.java | 4 +++- .../cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java | 3 ++- 5 files changed, 16 insertions(+), 5 deletions(-) diff --git a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java index e087da1..9514b1c 100644 --- a/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java +++ b/core/src/main/java/org/apache/cxf/common/classloader/ClassLoaderUtils.java @@ -290,6 +290,12 @@ public final class ClassLoaderUtils { } return loadClass2(className, callingClass).asSubclass(type); } + + public static String getClassLoaderName(Class<?> type) { + ClassLoader loader = getClassLoader(type); + return loader == null ? "null" : loader.toString(); + } + private static Class<?> loadClass2(String className, Class<?> callingClass) throws ClassNotFoundException { try { diff --git a/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java b/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java index dd69a13..9b00f99 100644 --- a/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java +++ b/core/src/main/java/org/apache/cxf/common/util/ProxyClassLoaderCache.java @@ -24,6 +24,7 @@ import java.security.PrivilegedAction; import java.util.logging.Level; import java.util.logging.Logger; +import org.apache.cxf.common.classloader.ClassLoaderUtils; import org.apache.cxf.common.logging.LogUtils; public class ProxyClassLoaderCache { @@ -42,7 +43,7 @@ public class ProxyClassLoaderCache { LOG.log(Level.FINE, "interface for new created ProxyClassLoader is " + proxyInterface.getName()); LOG.log(Level.FINE, "interface's classloader for new created ProxyClassLoader is " - + proxyInterface.getClassLoader()); + + ClassLoaderUtils.getClassLoaderName(proxyInterface)); return createProxyClassLoader(proxyInterface); } @@ -80,7 +81,7 @@ public class ProxyClassLoaderCache { String ifName = currentInterface.getName(); LOG.log(Level.FINE, "the interface we are checking is " + currentInterface.getName()); LOG.log(Level.FINE, "the interface' classloader we are checking is " - + currentInterface.getClassLoader()); + + getClassLoader(currentInterface)); if (!ifName.startsWith("org.apache.cxf") && !ifName.startsWith("java")) { // cache and retrieve customer interface LOG.log(Level.FINE, "the customer interface is " + currentInterface.getName() diff --git a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java index 04e4ee2..0affeab 100644 --- a/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java +++ b/core/src/main/java/org/apache/cxf/common/util/ProxyHelper.java @@ -25,6 +25,7 @@ import java.lang.reflect.Proxy; import java.util.logging.Level; import java.util.logging.Logger; +import org.apache.cxf.common.classloader.ClassLoaderUtils; import org.apache.cxf.common.logging.LogUtils; /** @@ -97,7 +98,7 @@ public class ProxyHelper { private String getSortedNameFromInterfaceArray(Class<?>[] interfaces) { SortedArraySet<String> arraySet = new SortedArraySet<String>(); for (Class<?> currentInterface : interfaces) { - arraySet.add(currentInterface.getName() + currentInterface.getClassLoader()); + arraySet.add(currentInterface.getName() + ClassLoaderUtils.getClassLoaderName(currentInterface)); } return arraySet.toString(); } diff --git a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java index 6224cc4..8d14409 100644 --- a/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java +++ b/core/src/main/java/org/apache/cxf/helpers/JavaUtils.java @@ -23,6 +23,8 @@ import java.util.Arrays; import java.util.HashSet; import java.util.Set; +import org.apache.cxf.common.util.SystemPropertyAction; + public final class JavaUtils { /** Use this character as suffix */ @@ -51,7 +53,7 @@ public final class JavaUtils { private static boolean isJava8Before161; static { - String version = System.getProperty("java.version"); + String version = SystemPropertyAction.getProperty("java.version"); try { isJava8Before161 = version != null && version.startsWith("1.8.0_") && Integer.parseInt(version.substring(6)) < 161; diff --git a/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java b/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java index 14ab55a..81af0ed 100644 --- a/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java +++ b/rt/rs/microprofile-client/src/main/java/org/apache/cxf/microprofile/client/proxy/MicroProfileClientProxyImpl.java @@ -40,6 +40,7 @@ import javax.ws.rs.core.Response; import org.apache.cxf.common.classloader.ClassLoaderUtils; import org.apache.cxf.common.logging.LogUtils; +import org.apache.cxf.common.util.ReflectionUtil; import org.apache.cxf.helpers.CastUtils; import org.apache.cxf.interceptor.Interceptor; import org.apache.cxf.jaxrs.client.ClientProxyImpl; @@ -82,7 +83,7 @@ public class MicroProfileClientProxyImpl extends ClientProxyImpl { Method m; try { Class<?> jaxrsUtilsClass = Class.forName("org.apache.cxf.jaxrs.utils.JAXRSUtils"); - m = jaxrsUtilsClass.getDeclaredMethod("getCurrentMessage"); + m = ReflectionUtil.getDeclaredMethod(jaxrsUtilsClass, "getCurrentMessage"); } catch (Throwable t) { // expected in non-JAX-RS server environments if (LOG.isLoggable(Level.FINEST)) {