Hi All,

The following paragraph is from the "xdocs/tech.xml" document:

<quote>
Parent-first loading has been the standard mechanism in the JDK class loader, at least since Java 1.2 introduced hierarchical classloaders. The primary reason for this is safety -- parent-first makes it impossible for malicious code to trick the JVM into replacing a core class (say, <code>java.security.SecurityManager</code>) with a class of the same name loaded from a child classloader.
</quote>

I believe this to be incorrect. I don't believe that such substitution leads to any kind of security issue at all, and think this paragraph should be removed from the document. Can anyone show any real security issues resulting from child-first loading?

Notes:

(1) It *is* a security issue for users to be able to define their own ClassLoaders, because Java *trusts* a ClassLoader to truly indicate the source location, signatures and permissions of each loaded class.

(2) Properly written child-first classloaders never load any classes in the "java.*" or "javax.*" domains anyway - they always delegate for these domains.

(3) Even if a child-first classloader did accidentally load something such as a hacked java.security.SecurityManager:

  (a) It wouldn't be able to pass it to any system library (i.e. impersonate the real class) because the receiver (loaded via the bootclassloader) would have resolved at startup time to [EMAIL PROTECTED], which is a completely different class to [EMAIL PROTECTED]. Attempting to pass the latter to something expecting the former will generate an exception.

  (b) As long as the classloader has associated the correct permissions with the class when it was loaded (i.e. the perms associated with the webapp source location) then the class can't do any secure operations directly. And if the classloader has misrepresented the security perms on the class, then security is wide open anyway regardless of whether the loaded class is called SecurityManager or MachineTrasher.
Assuming no one can show my arguments here to be false, then the question remains: what is the purpose of parent-first classloading? I've been trying to find an answer to this for a while....

Comments?

Simon
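The class-identity behaviour described in notes (2) and (3)(a) can be observed with a small program; this is an added example, not code from the message or from the project it discusses. ChildFirstLoader and Token are hypothetical names, and it assumes Java 9+ with the class compiled by javac onto the class path.

```java
import java.io.IOException;
import java.io.InputStream;

public class ChildFirstDemo {
    /** Constructed sample type, visible to both the parent and the child loader. */
    public static class Token {}

    /** Hypothetical child-first loader: defines classes itself, except java.* and javax.*. */
    static class ChildFirstLoader extends ClassLoader {
        ChildFirstLoader(ClassLoader parent) { super(parent); }
        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            synchronized (getClassLoadingLock(name)) {
                if (name.startsWith("java.") || name.startsWith("javax.")) {
                    return super.loadClass(name, resolve); // platform packages: always delegate
                }
                Class<?> c = findLoadedClass(name);
                if (c == null) c = defineLocally(name);
                if (c == null) return super.loadClass(name, resolve); // not found locally
                if (resolve) resolveClass(c);
                return c;
            }
        }
        /** Reads the class bytes from the parent's class path and defines them in this loader. */
        private Class<?> defineLocally(String name) {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) return null;
                byte[] bytes = in.readAllBytes();
                return defineClass(name, bytes, 0, bytes.length);
            } catch (IOException e) {
                return null;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = ChildFirstDemo.class.getClassLoader();
        Class<?> childToken = new ChildFirstLoader(parent).loadClass(Token.class.getName());
        System.out.println("same name:  " + childToken.getName().equals(Token.class.getName()));
        System.out.println("same class: " + (childToken == Token.class));
        Object impostor = childToken.getDeclaredConstructor().newInstance();
        try {
            Token t = (Token) impostor; // checked against the parent-loaded Token
        } catch (ClassCastException e) {
            System.out.println("cast rejected: " + e.getMessage());
        }
    }
}
```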