Merge pull request #1585 from istudens/securitymanager_issue

cowtowncoder · web-flow · commit afcb309b1b97 · 2017-04-12T08:18:29.000-07:00
invoke ServiceLoader.load() inside of a privileged block
diff --git a/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java b/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java
@@ -3,6 +3,8 @@
 import java.io.*;
 import java.lang.reflect.Type;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.text.DateFormat;
 import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
@@ -967,14 +969,28 @@ public static List<Module> findModules() {
     public static List<Module> findModules(ClassLoader classLoader)
     {
         ArrayList<Module> modules = new ArrayList<Module>();
-        ServiceLoader<Module> loader = (classLoader == null) ?
-                ServiceLoader.load(Module.class) : ServiceLoader.load(Module.class, classLoader);
+        ServiceLoader<Module> loader = secureGetServiceLoader(Module.class, classLoader);
         for (Module module : loader) {
             modules.add(module);
         }
         return modules;
     }
 
+    private static <T> ServiceLoader<T> secureGetServiceLoader(final Class<T> clazz, final ClassLoader classLoader) {
+        final SecurityManager sm = System.getSecurityManager();
+        if (sm == null) {
+            return (classLoader == null) ?
+                    ServiceLoader.load(clazz) : ServiceLoader.load(clazz, classLoader);
+        }
+        return AccessController.doPrivileged(new PrivilegedAction<ServiceLoader<T>>() {
+            @Override
+            public ServiceLoader<T> run() {
+                return (classLoader == null) ?
+                        ServiceLoader.load(clazz) : ServiceLoader.load(clazz, classLoader);
+            }
+        });
+    }
+
     /**
      * Convenience method that is functionally equivalent to:
      *<code>
