On Tuesday 07 December 2004 08:33, Mark Wielaard wrote: > All this painfully points out how fragile the security mechanism is in > the face of user defined ClassLoaders. After reading the above I am not > so sure the way some applications overload ClassLoader.loadClass() is > done correctly (unfortunately this seems a common technique in the J2EE > world).
Basically you cannot trust a user-defined loadClass() to do anything right. Nor is it just theoretical �- I've seen some user-defined class loaders, and they were not pleasant to read. The runtime can prevent some of the worst excesses by invoking the system class loader directly whenever the class name begins with "java." or "<foo>.", by-passing the virtual method lookup. That should be easy to implement on most VMs, and shouldn't break any code which would otherwise work. (As far as the slash/dot issue is concerned, you just have to decide which one you are going to use internally, and always convert the other form at the boundary. Tolerating both in the same context is going to get you into trouble one way or another). -- Chris Gray /k/ Embedded Java Solutions Embedded & Mobile Java, OSGi http://www.kiffer.be/k/ [EMAIL PROTECTED] +32 3 216 0369 Visit us at�Embedded World 2005 <http://www.embedded-world.de/> 22--24 Feb. 2005 at the N�rnberg Messe (Germany), booth 10-133 _______________________________________________ Classpath mailing list [EMAIL PROTECTED] http://lists.gnu.org/mailman/listinfo/classpath
