On Tue, Feb 24, 2026 at 3:56 PM Alan Bateman <[email protected]> wrote:
> I agree. Remote class loading was very interesting in a world of > distributed objects, security managers and sandboxing. I don't think we > have data to know how widely used URLClassLoader is with http/https in > modern applications and deployments. If something compelling comes up that > has performance issues then they could be looked at then. > If HTTP in URLClassLoader has little current use, then perhaps it could make sense to gate this feature somehow? To have remote code loading enabled by default in a core library like this seems a little bit risky in the age of integrity by default and with xperiences from remote code loading in the LDAP area in recent years in mind. But that's perhaps something for security teams to discuss. Eirik.
