Hi Cameron,
Cameron McCormack <[EMAIL PROTECTED]> wrote on 03/23/2006 08:17:53 PM:
> Cameron McCormack:
> > I think that is it, too. I don't know how easy it is to share a class
> > loader but have different URL restrictions for the different jar files
> > loaded, but I will investigate.
>
> It seems to be easy enough to have a single class loader that will look
> up all of the jar files referenced in the document (just a change to
> DocumentJarClassLoader so it can specify multiple jar file URLs).
>
> But the main problem is that in allowing all the classes to be defined
> by the same class loader, there is the possibility of conflicts.
I'm not that worried about accidental conflicts (that is why we
use packages, right?). I wonder a little if it might make additional
attacks possible (rather than getting the intended class it might get
another implementation of the class from a second jar). Still, unless
one of the jars has elevated privileges I don't see what could be done...
> This could also be with resources in the jars. A specific example is that to
> get the manifest file out to find the SVG-Handler-Class entry separate
> class loaders are needed.
Is it really? I would think that ClassLoader.getResources would find
all of the manifest files. You might then have to do some filtering
to figure out which one needs to be read...
> Afterwards, a single class loader could be used for defining the classes.
>
> Do you think this is acceptable?
>
> --
> Cameron McCormack ICQ: 26955922
> cam (at) mcc.id.au MSN: cam (at) mcc.id.au
> http://mcc.id.au/ JBR: heycam (at) jabber.org
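
The `ClassLoader.getResources` lookup with filtering suggested in the reply above, as an added example that is not part of the original message or of Batik's code. The class and method names (`ManifestLookup`, `handlerClasses`, `sampleJar`), the constructed sample jars and the `com.example` handler names are assumptions for illustration; only `SVG-Handler-Class` comes from the thread.

```java
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

public class ManifestLookup {
    // Map each supplied jar URL to its SVG-Handler-Class entry, using one shared loader.
    static Map<URL, String> handlerClasses(URL[] jars) throws IOException {
        Map<URL, String> found = new LinkedHashMap<>();
        try (URLClassLoader loader = new URLClassLoader(jars)) {
            // getResources also returns manifests visible through parent loaders.
            Enumeration<URL> e = loader.getResources(JarFile.MANIFEST_NAME);
            while (e.hasMoreElements()) {
                URL mf = e.nextElement();
                for (URL jar : jars) {
                    // Filter: keep only a manifest located inside one of the document's jars.
                    if (!mf.toString().equals("jar:" + jar + "!/" + JarFile.MANIFEST_NAME)) continue;
                    try (InputStream in = mf.openStream()) {
                        String h = new Manifest(in).getMainAttributes().getValue("SVG-Handler-Class");
                        if (h != null) found.put(jar, h);
                    }
                }
            }
        }
        return found;
    }

    // Constructed sample jar that contains only a manifest (hypothetical test data).
    static URL sampleJar(Path dir, String name, String handler) throws IOException {
        Manifest m = new Manifest();
        m.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        if (handler != null) m.getMainAttributes().putValue("SVG-Handler-Class", handler);
        Path p = dir.resolve(name);
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(p), m)) { }
        return p.toUri().toURL();
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("jars");
        URL[] jars = { sampleJar(dir, "a.jar", "com.example.a.Handler"),
                       sampleJar(dir, "b.jar", "com.example.b.Handler"),
                       sampleJar(dir, "lib.jar", null) };
        handlerClasses(jars).forEach((jar, h) -> System.out.println(jar + " -> " + h));
    }
}
```

Keying the result by the jar URL that supplied each manifest keeps the handler name tied to its origin, which matters once a single loader defines classes from every jar.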