Perusing the source code at http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/sh are/org/apache/catalina/loader/WebappClassLoader.java, I happened to notice that the loadClass(String, boolean) method calls findLoadedClass(), which is not overridden from the default java.lang.Classloader version. That version calls a private findLoadedClass0() method which scans the whole VM to see if that class has been loaded by ANY classloader. Doesn't this break classloader isolation in the (admittedly rare) case where webapp A loads class cA and webapp B also loads class cA? Won't webapp B end up with webapp A's cA, even if the user has placed a jar containing cA in both webapp's WEB-INF/lib directory? Or will the overridden version of findLoadedClass0()--which relaxes the private security level present in java.lang.ClassLoader to protected and consults its own local cache of what's been loaded--be called? Thanks in advance for setting me straight here. If this is an inappropriate question for this list, I do apologize and welcome Pointers To Elsewhere, Cheerfully Delivered. Best, Laird
