[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cp-patches] Re: RFC: gnu.classpath.SystemProperties

From: Chris Gray
Subject: [cp-patches] Re: RFC: gnu.classpath.SystemProperties
Date: Tue, 7 Dec 2004 13:22:15 +0100
User-agent: KMail/1.5.4

On Tuesday 07 December 2004 08:33, Mark Wielaard wrote:

> All this painfully points out how fragile the security mechanism is in
> the face of user defined ClassLoaders. After reading the above I am not
> so sure the way some applications overload ClassLoader.loadClass() is
> done correctly (unfortunately this seems a common technique in the J2EE
> world).

Basically you cannot trust a user-defined loadClass() to do anything right. 
Nor is it just theoretical  - I've seen some user-defined class loaders, and 
they were not pleasant to read.

The runtime can prevent some of the worst excesses by invoking the system 
class loader directly whenever the class name begins with "java." or 
"<foo>.", by-passing the virtual method lookup. That should be easy to 
implement on most VMs, and shouldn't break any code which would otherwise 

(As far as the slash/dot issue is concerned, you just have to decide which one 
you are going to use internally, and always convert the other form at the 
boundary. Tolerating both in the same context is going to get you into 
trouble one way or another).

Chris Gray                      /k/ Embedded Java Solutions
Embedded & Mobile Java, OSGi
address@hidden                         +32 3 216 0369

Visit us at Embedded World 2005 <>
22--24 Feb. 2005 at the Nürnberg Messe (Germany), booth 10-133

reply via email to

[Prev in Thread] Current Thread [Next in Thread]