You're the top geeks on the world I'm very very proud to have you as my friends, I said this morning to you, I know something you don't know, but I don't remember what it is, Jesus doesn't want to me to remember and doesn't want me to say to you right now; I'm the google cracker :) the first 4 bytes, 4 imput class on a java object must match the firewall code;
"This means making the constructor private or default access ("package-private"), or being in a package controlled by the package.access security property. Immutable classes themselves should declare fields final and protect against any mutable inputs and outputs as described in Guideline 6-2. Construction of immutable objects can be made easier by providing builders (cf. Effective Java [6])."

http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6 

How can I access a private constructor of a class?

One way to bypass the restriction is to use reflections:

import java.lang.reflect.Constructor;

public class Example {
    public static void main(final String[] args) throws Exception {
        Constructor<Foo> constructor = Foo.class.getDeclaredConstructor(new Class[0]);
        constructor.setAccessible(true);
        Foo foo = constructor.newInstance(new Object[0]);
        System.out.println(foo);
    }
}

class Foo {
    private Foo() {
        // private!
    }

    @Override
    public String toString() {
        return "I'm a Foo and I'm alright!";
    }
}

Cisco Crypto ACLs – Do they really need to match?

When starting out with IPsec tunnels it seems to be a common misconception that the crypto ACL, sometimes referred to as the encryption domain or the interesting traffic, must match 100% or be mirrored at both peers or the tunnel won't come up. This isn't strictly true. Whilst the ISAKMP phase 1 and IPsec phase 2 proposals must match, the crypto ACL can be different.
Assume that at the local peer traffic to be encrypted originates from 10.0.0.0/24 and is destined for 192.168.0.0/24. The crypto ACL would be:

Local Peer

access-list crypto_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

1	access-list crypto_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

Remote Peer

access-list crypto_acl permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

1	access-list crypto_acl permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

But what about the following?

Local Peer

access-list crypto_acl deny ip 10.0.0.0 255.255.255.0 host 192.168.0.200 access-list crypto_acl permit ip 10.0.0.0 255.255.255.0 host 192.168.0.100

1 2	access-list crypto_acl deny ip 10.0.0.0 255.255.255.0 host 192.168.0.200 access-list crypto_acl permit ip 10.0.0.0 255.255.255.0 host 192.168.0.100

Remote Peer

access-list crypto_acl permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0

1	access-list crypto_acl permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0

IPsec phase 2 can still be established even though the crypto ACL isn't mirrored at the local and remove peer. The local peer specifies 10.0.0.0/24 but the remote peer specifies 10.0.0.0/8. In this scenario IPsec phase 2 can only be initiated from the peer that has the larger subnet. This is true for both Cisco ASA and IOS.
And in the example above, in the local peer's ACL there's a deny ACE but none on the remote peer's ACL. In this scenario any traffic originating on the local peer from 10.0.0.0/24 destined to 192.168.0.200/32 won't traverse the tunnel. The device (ASA or IOS router) will look at the next crypto map in the sequence and try to match traffic there. If no crypto maps are found it'll flow unencrypted out of the egress interface.
Obviously be careful with mismatching subnets and using deny ACEs in the crypto ACL because you may end up with traffic trying to enter the wrong tunnel and other strange things happening.

https://0wned.it/2014/10/13/cisco-crypto-acls-do-they-really-need-to-match/