This is confirmed by the post https://forums.oracle.com/thread/2280127
and it is confirmed by Oracle http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/mixed_code.html#trusted_library
"Code in a jar file that is to be marked with the Trusted-Library manifest attribute may need to be modified slightly if it uses calls that are class loader dependent [...] Code in a Trusted-Library can look up the normal loader by invoking Thread.currentThread().getContextClassLoader().[...] Generally, care must be taken to ensure that the code in the trusted library is written in a careful and secure manner and is otherwise compatible with being loaded in a separate class loader instance from any remaining jars which are part of the application and are loaded by the normal loader."
"Thread.currentThread().getContextClassLoader().[...]"
I just did a simple test to call a method from a trusted jar into a sandbox jar; I used reflection to do that and it worked.
It seems that for every usage of any sandbox jar file classes in the trusted jar file, we have to use reflection (load the class, invoke the required method). Is this the way forward? Can somebody confirm this?
    import java.lang.reflect.Constructor;
    import java.lang.reflect.Method;

    private void useReflection() {
        try {
            // Resolve the sandbox class through the normal (context) class loader
            Class<?> clazz = Class.forName("com.abc.bla.bla.SandBox", true,
                    Thread.currentThread().getContextClassLoader());
            // Instantiate it with its public no-argument constructor
            Constructor<?> constructor = clazz.getConstructor();
            Object obj = constructor.newInstance();
            // Look up and invoke the no-argument sayHello() method
            Method method = clazz.getMethod("sayHello");
            method.invoke(obj);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
In summary, it seems we have to use reflection in order to load the sandbox jar file (untrusted), to allow the use of the normal class loader and to avoid the default one used via import statements, which is a special one designed for a signed (trusted) jar file that is in mixed mode as per the additional manifest attribute.
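An added example (not from the original post or from Oracle's documentation): the reflective call above wrapped in a helper that loads only allow-listed class names through the context class loader, since the quoted guidance asks for trusted-library code to be written carefully. The `SandboxBridge` class, its `ALLOWED` set, the nested stand-in `SandBox` class and the `com.example.NotListed` name are hypothetical and constructed for illustration.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.Set;

public class SandboxBridge {
    // Constructed stand-in for a class that would live in the sandbox jar.
    public static class SandBox {
        public String sayHello() { return "hello from sandbox"; }
    }

    // Hypothetical allow-list: the only sandbox classes the trusted code may load.
    private static final Set<String> ALLOWED =
            Collections.singleton(SandBox.class.getName());

    /** Calls a public no-arg method on an allow-listed class via the context class loader. */
    public static Object call(String className, String methodName) throws Exception {
        if (!ALLOWED.contains(className)) {
            throw new SecurityException("class not allow-listed: " + className);
        }
        ClassLoader normal = Thread.currentThread().getContextClassLoader();
        if (normal == null) { // the context loader can be unset on some threads
            throw new IllegalStateException("no context class loader on this thread");
        }
        // initialize=false: static initializers run only when the instance is created below
        Class<?> clazz = Class.forName(className, false, normal);
        Object target = clazz.getConstructor().newInstance();
        Method method = clazz.getMethod(methodName);
        try {
            return method.invoke(target);
        } catch (InvocationTargetException e) {
            // Surface the sandbox code's own exception rather than the reflection wrapper
            Throwable cause = e.getCause();
            throw (cause instanceof Exception) ? (Exception) cause : e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(call(SandBox.class.getName(), "sayHello"));
        try {
            call("com.example.NotListed", "sayHello"); // constructed name, not on the list
        } catch (SecurityException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```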