Re: RFC: gnu.classpath.SystemProperties

[Chris Gray]

On Tuesday 07 December 2004 08:33, Mark Wielaard wrote:

> All this painfully points out how fragile the security mechanism is in
> the face of user defined ClassLoaders. After reading the above I am not
> so sure the way some applications overload ClassLoader.loadClass() is
> done correctly (unfortunately this seems a common technique in the J2EE
> world).

Basically you cannot trust a user-defined loadClass() to do anything right. 
Nor is it just theoretical  - I've seen some user-defined class loaders, and 
they were not pleasant to read.

The runtime can prevent some of the worst excesses by invoking the system 
class loader directly whenever the class name begins with "java." or 
"<foo>.", by-passing the virtual method lookup. That should be easy to 
implement on most VMs, and shouldn't break any code which would otherwise 
work.

(As far as the slash/dot issue is concerned, you just have to decide which one 
you are going to use internally, and always convert the other form at the 
boundary. Tolerating both in the same context is going to get you into 
trouble one way or another).

-- 
Chris Gray                      /k/ Embedded Java Solutions
Embedded & Mobile Java, OSGi        http://www.kiffer.be/k/
address@hidden                         +32 3 216 0369

Visit us at Embedded World 2005 <http://www.embedded-world.de/>
22--24 Feb. 2005 at the Nürnberg Messe (Germany), booth 10-133