...
This compliant solution uses the java.beans.Beans API to specify explicitly the class loader that is used to load the class named by the parameter. Because Beans.instantiate() takes the class loader as an argument, the class is resolved only within what that loader can see, rather than through the defining loader of the trusted calling code, so the attacker is unable to create an instance of an arbitrary supplied class. The Beans.instantiate() method also applies more stringent security checks that govern who is permitted reflective access and who is restricted.
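The following is an added example, not code from the original page or the CERT standard, contrasting the two approaches. The class and method names (BeanFactoryExample, unsafeInstantiate, safeInstantiate, RestrictedLoader) and the allowed-package policy are assumptions made for illustration; the tainted class names are constructed input.

```java
import java.beans.Beans;
import java.io.IOException;

/*
 * Added example (hypothetical names): a trusted helper that instantiates a
 * class whose name comes from an untrusted caller.
 */
public class BeanFactoryExample {

    /*
     * Noncompliant: Class.forName(String) resolves the name with the defining
     * loader of THIS trusted class, so an untrusted caller can reach any class
     * that loader can see, regardless of its own loader's restrictions.
     */
    public static Object unsafeInstantiate(String className) throws Exception {
        Class<?> c = Class.forName(className);
        return c.getDeclaredConstructor().newInstance();
    }

    /*
     * Compliant: the class loader is passed explicitly to Beans.instantiate(),
     * so resolution is bounded by what that loader is permitted to load.
     */
    public static Object safeInstantiate(ClassLoader loader, String className)
            throws IOException, ClassNotFoundException {
        return Beans.instantiate(loader, className);
    }

    /*
     * Constructed restricted loader (assumption): resolves only classes under an
     * allowed package prefix and rejects everything else before any instance
     * can be created. Parent delegation still applies for allowed names.
     */
    static final class RestrictedLoader extends ClassLoader {
        private final String allowedPrefix;

        RestrictedLoader(ClassLoader parent, String allowedPrefix) {
            super(parent);
            this.allowedPrefix = allowedPrefix;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve)
                throws ClassNotFoundException {
            if (!name.startsWith(allowedPrefix)) {
                throw new ClassNotFoundException(
                        "not permitted by this loader: " + name);
            }
            return super.loadClass(name, resolve);
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader restricted = new RestrictedLoader(
                BeanFactoryExample.class.getClassLoader(), "java.util.");

        // Constructed untrusted input: one name inside the allowed package,
        // one outside it. Both classes have public no-arg constructors.
        String permitted = "java.util.ArrayList";
        String tainted = "java.lang.StringBuilder";

        // Noncompliant path: the trusted loader happily resolves the tainted name.
        Object o1 = unsafeInstantiate(tainted);
        System.out.println("unsafeInstantiate created " + o1.getClass().getName());

        // Compliant path: the allowed name still works ...
        Object o2 = safeInstantiate(restricted, permitted);
        System.out.println("safeInstantiate created " + o2.getClass().getName());

        // ... but the tainted name is rejected by the supplied loader.
        try {
            safeInstantiate(restricted, tainted);
            System.out.println("unexpected: tainted class was instantiated");
        } catch (ClassNotFoundException e) {
            System.out.println("safeInstantiate rejected: " + e.getMessage());
        }
    }
}
```

Two caveats for practitioners. First, the protection is only as good as the loader that is passed in: if the trusted code hands Beans.instantiate() its own unrestricted loader, nothing is gained over Class.forName(). Second, Beans.instantiate() first looks for a serialized bean resource (beanName with dots replaced by slashes, suffixed with .ser) through the supplied loader and deserializes it if found, so the loader's resource lookup must not reach attacker-controlled locations either.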
...