# HG changeset patch # User Elliott Baron # Date 1366665206 14400 # Node ID 148faa0f0f0897a075e75fca370c6bbfb18417a1 # Parent 460828862a9e436de40ad442d43d3643f2e51449 Split 6657673-jaxp-backport-factoryfinder patch into two. 2013-04-22 Elliott Baron * Makefile.am: (ICEDTEA_PATCHES): Removed one patch, split it into two. * patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch: Removed. Split into patches below. * patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch: First part of removed patch. * patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch: Second part of removed patch. diff -r 460828862a9e -r 148faa0f0f08 ChangeLog --- a/ChangeLog Fri Apr 19 14:38:19 2013 -0400 +++ b/ChangeLog Mon Apr 22 17:13:26 2013 -0400 @@ -1,3 +1,14 @@ +2013-04-22 Elliott Baron + + * Makefile.am: + (ICEDTEA_PATCHES): Removed one patch, split it into two. + * patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch: + Removed. Split into patches below. + * patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch: + First part of removed patch. + * patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch: + Second part of removed patch. + 2013-04-19 Elliott Baron * Makefile.am: diff -r 460828862a9e -r 148faa0f0f08 Makefile.am --- a/Makefile.am Fri Apr 19 14:38:19 2013 -0400 +++ b/Makefile.am Mon Apr 22 17:13:26 2013 -0400 @@ -301,7 +301,8 @@ patches/openjdk/8004302-soap_test_failure.patch \ patches/security/20130416/6657673.patch \ patches/security/20130416/6657673-fixup.patch \ - patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch \ + patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch \ + patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch \ patches/openjdk/6669869-queries_per_appcontext.patch \ patches/openjdk/5102804-memory_leak.patch \ patches/openjdk/6963811-deadlock_fix.patch \ diff -r 460828862a9e -r 148faa0f0f08 patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/openjdk/6657673-factory-finder-parser-transform-internal-packages.patch Mon Apr 22 17:13:26 2013 -0400 @@ -0,0 +1,54 @@ +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:42:32.138748378 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:41:36.033419998 -0400 +@@ -44,7 +44,7 @@ + * @author Santiago.PericasGeertsen@sun.com + */ + class FactoryFinder { +- ++ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal"; + /** + * Internal debug flag. + */ +@@ -140,6 +140,14 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ // make sure we have access to restricted packages ++ if (System.getSecurityManager() != null) { ++ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { ++ cl = null; ++ useBSClsLoader = true; ++ } ++ } ++ + try { + Class providerClass = getProviderClass(className, cl, doFallback); + Object instance = providerClass.newInstance(); +Only in openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers: FactoryFinder.java.orig +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:42:32.230748906 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:41:41.268451218 -0400 +@@ -44,6 +44,7 @@ + * @author Santiago.PericasGeertsen@sun.com + */ + class FactoryFinder { ++ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xalan.internal."; + + /** + * Internal debug flag. +@@ -140,6 +141,14 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ // make sure we have access to restricted packages ++ if (System.getSecurityManager() != null) { ++ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { ++ cl = null; ++ useBSClsLoader = true; ++ } ++ } ++ + try { + Class providerClass = getProviderClass(className, cl, doFallback); + Object instance = providerClass.newInstance(); diff -r 460828862a9e -r 148faa0f0f08 patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/openjdk/7133220-factory-finder-parser-transform-useBSClassLoader.patch Mon Apr 22 17:13:26 2013 -0400 @@ -0,0 +1,298 @@ +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:37:39.305820912 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-22 12:28:52.947388255 -0400 +@@ -25,15 +25,12 @@ + + package javax.xml.parsers; + +-import java.io.File; +-import java.io.FileInputStream; +- +-import java.util.Properties; + import java.io.BufferedReader; ++import java.io.File; + import java.io.IOException; + import java.io.InputStream; + import java.io.InputStreamReader; +-import java.net.URL; ++import java.util.Properties; + + /** + *

Implements pluggable Datatypes.

+@@ -42,6 +39,7 @@ + * sync. It is package private for secure class loading.

+ * + * @author Santiago.PericasGeertsen@sun.com ++ * @author Huizhe.Wang@oracle.com + */ + class FactoryFinder { + +@@ -95,18 +93,24 @@ + * If the class loader supplied is null, first try using the + * context class loader followed by the current (i.e. bootstrap) class + * loader. ++ * ++ * Use bootstrap classLoader if cl = null and useBSClsLoader is true + */ + static private Class getProviderClass(String className, ClassLoader cl, +- boolean doFallback) throws ClassNotFoundException ++ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException + { + try { + if (cl == null) { +- cl = ss.getContextClassLoader(); +- if (cl == null) { +- throw new ClassNotFoundException(); +- } +- else { +- return cl.loadClass(className); ++ if (useBSClsLoader) { ++ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); ++ } else { ++ cl = ss.getContextClassLoader(); ++ if (cl == null) { ++ throw new ClassNotFoundException(); ++ } ++ else { ++ return cl.loadClass(className); ++ } + } + } + else { +@@ -131,8 +135,8 @@ + * @param className Name of the concrete class corresponding to the + * service provider + * +- * @param cl ClassLoader to use to load the class, null means to use +- * the bootstrap ClassLoader ++ * @param cl ClassLoader used to load the factory class. If null ++ * current Thread's context classLoader is used to load the factory class. + * + * @param doFallback True if the current ClassLoader should be tried as + * a fallback if the class is not found using cl +@@ -140,8 +144,30 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ return newInstance(className, cl, doFallback, false); ++ } ++ ++ /** ++ * Create an instance of a class. Delegates to method ++ * getProviderClass() in order to load the class. ++ * ++ * @param className Name of the concrete class corresponding to the ++ * service provider ++ * ++ * @param cl ClassLoader used to load the factory class. If null ++ * current Thread's context classLoader is used to load the factory class. ++ * ++ * @param doFallback True if the current ClassLoader should be tried as ++ * a fallback if the class is not found using cl ++ * ++ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter ++ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. ++ */ ++ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) ++ throws ConfigurationError ++ { + try { +- Class providerClass = getProviderClass(className, cl, doFallback); ++ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); + Object instance = providerClass.newInstance(); + if (debug) { // Extra check to avoid computing cl strings + dPrint("created new instance of " + providerClass + +@@ -244,6 +270,7 @@ + + // First try the Context ClassLoader + ClassLoader cl = ss.getContextClassLoader(); ++ boolean useBSClsLoader = false; + if (cl != null) { + is = ss.getResourceAsStream(cl, serviceId); + +@@ -251,11 +278,13 @@ + if (is == null) { + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + } else { + // No Context ClassLoader, try the current ClassLoader + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + + if (is == null) { +@@ -293,7 +322,7 @@ + // ClassLoader because we want to avoid the case where the + // resource file was found using one ClassLoader and the + // provider class was instantiated using a different one. +- return newInstance(factoryClassName, cl, false); ++ return newInstance(factoryClassName, cl, false, useBSClsLoader); + } + + // No provider found +diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java +--- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:37:39.312820966 -0400 ++++ openjdk.new/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-22 12:35:08.715478293 -0400 +@@ -25,15 +25,12 @@ + + package javax.xml.transform; + +-import java.io.File; +-import java.io.FileInputStream; +- +-import java.util.Properties; + import java.io.BufferedReader; ++import java.io.File; + import java.io.IOException; + import java.io.InputStream; + import java.io.InputStreamReader; +-import java.net.URL; ++import java.util.Properties; + + /** + *

Implements pluggable Datatypes.

+@@ -42,6 +39,7 @@ + * sync. It is package private for secure class loading.

+ * + * @author Santiago.PericasGeertsen@sun.com ++ * @author Huizhe.Wang@oracle.com + */ + class FactoryFinder { + +@@ -95,18 +93,24 @@ + * If the class loader supplied is null, first try using the + * context class loader followed by the current (i.e. bootstrap) class + * loader. ++ * ++ * Use bootstrap classLoader if cl = null and useBSClsLoader is true + */ + static private Class getProviderClass(String className, ClassLoader cl, +- boolean doFallback) throws ClassNotFoundException ++ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException + { + try { + if (cl == null) { +- cl = ss.getContextClassLoader(); +- if (cl == null) { +- throw new ClassNotFoundException(); +- } +- else { +- return cl.loadClass(className); ++ if (useBSClsLoader) { ++ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); ++ } else { ++ cl = ss.getContextClassLoader(); ++ if (cl == null) { ++ throw new ClassNotFoundException(); ++ } ++ else { ++ return cl.loadClass(className); ++ } + } + } + else { +@@ -131,8 +135,8 @@ + * @param className Name of the concrete class corresponding to the + * service provider + * +- * @param cl ClassLoader to use to load the class, null means to use +- * the bootstrap ClassLoader ++ * @param cl ClassLoader used to load the factory class. If null ++ * current Thread's context classLoader is used to load the factory class. + * + * @param doFallback True if the current ClassLoader should be tried as + * a fallback if the class is not found using cl +@@ -140,8 +144,30 @@ + static Object newInstance(String className, ClassLoader cl, boolean doFallback) + throws ConfigurationError + { ++ return newInstance(className, cl, doFallback, false); ++ } ++ ++ /** ++ * Create an instance of a class. Delegates to method ++ * getProviderClass() in order to load the class. ++ * ++ * @param className Name of the concrete class corresponding to the ++ * service provider ++ * ++ * @param cl ClassLoader used to load the factory class. If null ++ * current Thread's context classLoader is used to load the factory class. ++ * ++ * @param doFallback True if the current ClassLoader should be tried as ++ * a fallback if the class is not found using cl ++ * ++ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter ++ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. ++ */ ++ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) ++ throws ConfigurationError ++ { + try { +- Class providerClass = getProviderClass(className, cl, doFallback); ++ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); + Object instance = providerClass.newInstance(); + if (debug) { // Extra check to avoid computing cl strings + dPrint("created new instance of " + providerClass + +@@ -182,7 +208,7 @@ + String systemProp = ss.getSystemProperty(factoryId); + if (systemProp != null) { + dPrint("found system property, value=" + systemProp); +- return newInstance(systemProp, null, true); ++ return newInstance(systemProp, null, true, false); + } + } + catch (SecurityException se) { +@@ -210,7 +236,7 @@ + + if (factoryClassName != null) { + dPrint("found in $java.home/jaxp.properties, value=" + factoryClassName); +- return newInstance(factoryClassName, null, true); ++ return newInstance(factoryClassName, null, true, false); + } + } + catch (Exception ex) { +@@ -228,7 +254,7 @@ + } + + dPrint("loaded from fallback value: " + fallbackClassName); +- return newInstance(fallbackClassName, null, true); ++ return newInstance(fallbackClassName, null, true, false); + } + + /* +@@ -244,6 +270,7 @@ + + // First try the Context ClassLoader + ClassLoader cl = ss.getContextClassLoader(); ++ boolean useBSClsLoader = false; + if (cl != null) { + is = ss.getResourceAsStream(cl, serviceId); + +@@ -251,11 +278,13 @@ + if (is == null) { + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); +- } ++ useBSClsLoader = true; ++ } + } else { + // No Context ClassLoader, try the current ClassLoader + cl = FactoryFinder.class.getClassLoader(); + is = ss.getResourceAsStream(cl, serviceId); ++ useBSClsLoader = true; + } + + if (is == null) { +@@ -293,7 +322,7 @@ + // ClassLoader because we want to avoid the case where the + // resource file was found using one ClassLoader and the + // provider class was instantiated using a different one. +- return newInstance(factoryClassName, cl, false); ++ return newInstance(factoryClassName, cl, false, useBSClsLoader); + } + + // No provider found diff -r 460828862a9e -r 148faa0f0f08 patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch --- a/patches/security/20130416/6657673-jaxp-backport-factoryfinder.patch Fri Apr 19 14:38:19 2013 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,303 +0,0 @@ -diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java ---- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-19 12:18:45.225000000 -0400 -+++ openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/parsers/FactoryFinder.java 2013-04-19 11:53:01.791879226 -0400 -@@ -25,15 +25,12 @@ - - package javax.xml.parsers; - --import java.io.File; --import java.io.FileInputStream; -- --import java.util.Properties; - import java.io.BufferedReader; -+import java.io.File; - import java.io.IOException; - import java.io.InputStream; - import java.io.InputStreamReader; --import java.net.URL; -+import java.util.Properties; - - /** - *

Implements pluggable Datatypes.

-@@ -42,9 +39,10 @@ - * sync. It is package private for secure class loading.

- * - * @author Santiago.PericasGeertsen@sun.com -+ * @author Huizhe.Wang@oracle.com - */ - class FactoryFinder { -- -+ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xerces.internal"; - /** - * Internal debug flag. - */ -@@ -95,18 +93,24 @@ - * If the class loader supplied is null, first try using the - * context class loader followed by the current (i.e. bootstrap) class - * loader. -+ * -+ * Use bootstrap classLoader if cl = null and useBSClsLoader is true - */ - static private Class getProviderClass(String className, ClassLoader cl, -- boolean doFallback) throws ClassNotFoundException -+ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException - { - try { - if (cl == null) { -- cl = ss.getContextClassLoader(); -- if (cl == null) { -- throw new ClassNotFoundException(); -- } -- else { -- return cl.loadClass(className); -+ if (useBSClsLoader) { -+ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); -+ } else { -+ cl = ss.getContextClassLoader(); -+ if (cl == null) { -+ throw new ClassNotFoundException(); -+ } -+ else { -+ return cl.loadClass(className); -+ } - } - } - else { -@@ -131,8 +135,8 @@ - * @param className Name of the concrete class corresponding to the - * service provider - * -- * @param cl ClassLoader to use to load the class, null means to use -- * the bootstrap ClassLoader -+ * @param cl ClassLoader used to load the factory class. If null -+ * current Thread's context classLoader is used to load the factory class. - * - * @param doFallback True if the current ClassLoader should be tried as - * a fallback if the class is not found using cl -@@ -140,8 +144,38 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ return newInstance(className, cl, doFallback, false); -+ } -+ -+ /** -+ * Create an instance of a class. Delegates to method -+ * getProviderClass() in order to load the class. -+ * -+ * @param className Name of the concrete class corresponding to the -+ * service provider -+ * -+ * @param cl ClassLoader used to load the factory class. If null -+ * current Thread's context classLoader is used to load the factory class. -+ * -+ * @param doFallback True if the current ClassLoader should be tried as -+ * a fallback if the class is not found using cl -+ * -+ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter -+ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. -+ */ -+ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) -+ throws ConfigurationError -+ { -+ // make sure we have access to restricted packages -+ if (System.getSecurityManager() != null) { -+ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { -+ cl = null; -+ useBSClsLoader = true; -+ } -+ } -+ - try { -- Class providerClass = getProviderClass(className, cl, doFallback); -+ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); - Object instance = providerClass.newInstance(); - if (debug) { // Extra check to avoid computing cl strings - dPrint("created new instance of " + providerClass + -@@ -244,6 +278,7 @@ - - // First try the Context ClassLoader - ClassLoader cl = ss.getContextClassLoader(); -+ boolean useBSClsLoader = false; - if (cl != null) { - is = ss.getResourceAsStream(cl, serviceId); - -@@ -251,11 +286,13 @@ - if (is == null) { - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -+ useBSClsLoader = true; - } - } else { - // No Context ClassLoader, try the current ClassLoader - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -+ useBSClsLoader = true; - } - - if (is == null) { -@@ -293,7 +330,7 @@ - // ClassLoader because we want to avoid the case where the - // resource file was found using one ClassLoader and the - // provider class was instantiated using a different one. -- return newInstance(factoryClassName, cl, false); -+ return newInstance(factoryClassName, cl, false, useBSClsLoader); - } - - // No provider found -diff -ur openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java ---- openjdk/jaxp/drop_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-19 12:18:45.225000000 -0400 -+++ openjdk.new/jaxp/openjdk/jaxp/drop_included_included/jaxp_src/src/javax/xml/transform/FactoryFinder.java 2013-04-19 12:13:52.618746094 -0400 -@@ -42,8 +42,10 @@ - * sync. It is package private for secure class loading.

- * - * @author Santiago.PericasGeertsen@sun.com -+ * @author Huizhe.Wang@oracle.com - */ - class FactoryFinder { -+ private static final String DEFAULT_PACKAGE = "com.sun.org.apache.xalan.internal."; - - /** - * Internal debug flag. -@@ -95,18 +97,24 @@ - * If the class loader supplied is null, first try using the - * context class loader followed by the current (i.e. bootstrap) class - * loader. -+ * -+ * Use bootstrap classLoader if cl = null and useBSClsLoader is true - */ - static private Class getProviderClass(String className, ClassLoader cl, -- boolean doFallback) throws ClassNotFoundException -+ boolean doFallback, boolean useBSClsLoader) throws ClassNotFoundException - { - try { - if (cl == null) { -- cl = ss.getContextClassLoader(); -- if (cl == null) { -- throw new ClassNotFoundException(); -- } -- else { -- return cl.loadClass(className); -+ if (useBSClsLoader) { -+ return Class.forName(className, true, FactoryFinder.class.getClassLoader()); -+ } else { -+ cl = ss.getContextClassLoader(); -+ if (cl == null) { -+ throw new ClassNotFoundException(); -+ } -+ else { -+ return cl.loadClass(className); -+ } - } - } - else { -@@ -131,8 +139,8 @@ - * @param className Name of the concrete class corresponding to the - * service provider - * -- * @param cl ClassLoader to use to load the class, null means to use -- * the bootstrap ClassLoader -+ * @param cl ClassLoader used to load the factory class. If null -+ * current Thread's context classLoader is used to load the factory class. - * - * @param doFallback True if the current ClassLoader should be tried as - * a fallback if the class is not found using cl -@@ -140,8 +148,38 @@ - static Object newInstance(String className, ClassLoader cl, boolean doFallback) - throws ConfigurationError - { -+ return newInstance(className, cl, doFallback, false); -+ } -+ -+ /** -+ * Create an instance of a class. Delegates to method -+ * getProviderClass() in order to load the class. -+ * -+ * @param className Name of the concrete class corresponding to the -+ * service provider -+ * -+ * @param cl ClassLoader used to load the factory class. If null -+ * current Thread's context classLoader is used to load the factory class. -+ * -+ * @param doFallback True if the current ClassLoader should be tried as -+ * a fallback if the class is not found using cl -+ * -+ * @param useBSClsLoader True if cl=null actually meant bootstrap classLoader. This parameter -+ * is needed since DocumentBuilderFactory/SAXParserFactory defined null as context classLoader. -+ */ -+ static Object newInstance(String className, ClassLoader cl, boolean doFallback, boolean useBSClsLoader) -+ throws ConfigurationError -+ { -+ // make sure we have access to restricted packages -+ if (System.getSecurityManager() != null) { -+ if (className != null && className.startsWith(DEFAULT_PACKAGE)) { -+ cl = null; -+ useBSClsLoader = true; -+ } -+ } -+ - try { -- Class providerClass = getProviderClass(className, cl, doFallback); -+ Class providerClass = getProviderClass(className, cl, doFallback, useBSClsLoader); - Object instance = providerClass.newInstance(); - if (debug) { // Extra check to avoid computing cl strings - dPrint("created new instance of " + providerClass + -@@ -182,7 +220,7 @@ - String systemProp = ss.getSystemProperty(factoryId); - if (systemProp != null) { - dPrint("found system property, value=" + systemProp); -- return newInstance(systemProp, null, true); -+ return newInstance(systemProp, null, true, false); - } - } - catch (SecurityException se) { -@@ -210,7 +248,7 @@ - - if (factoryClassName != null) { - dPrint("found in $java.home/jaxp.properties, value=" + factoryClassName); -- return newInstance(factoryClassName, null, true); -+ return newInstance(factoryClassName, null, true, false); - } - } - catch (Exception ex) { -@@ -228,7 +266,7 @@ - } - - dPrint("loaded from fallback value: " + fallbackClassName); -- return newInstance(fallbackClassName, null, true); -+ return newInstance(fallbackClassName, null, true, false); - } - - /* -@@ -244,6 +282,7 @@ - - // First try the Context ClassLoader - ClassLoader cl = ss.getContextClassLoader(); -+ boolean useBSClsLoader = false; - if (cl != null) { - is = ss.getResourceAsStream(cl, serviceId); - -@@ -251,11 +290,13 @@ - if (is == null) { - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -- } -+ useBSClsLoader = true; -+ } - } else { - // No Context ClassLoader, try the current ClassLoader - cl = FactoryFinder.class.getClassLoader(); - is = ss.getResourceAsStream(cl, serviceId); -+ useBSClsLoader = true; - } - - if (is == null) { -@@ -293,7 +334,7 @@ - // ClassLoader because we want to avoid the case where the - // resource file was found using one ClassLoader and the - // provider class was instantiated using a different one. -- return newInstance(factoryClassName, cl, false); -+ return newInstance(factoryClassName, cl, false, useBSClsLoader); - } - - // No provider found