Re: [platform-core-dev] Bug 29007: Classloading enhancements for "endors

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries

From: John_Arthorne@xxxxxxxxxx
Date: Tue, 21 Jan 2003 10:59:46 -0500
Delivered-to: platform-core-dev@xxxxxxxxxxx
List-archive: <http://dev.eclipse.org/pipermail/platform-core-dev/>
List-help: <mailto:platform-core-dev-request@eclipse.org?subject=help>
List-subscribe: <http://dev.eclipse.org/mailman/listinfo/platform-core-dev>, <mailto:platform-core-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <http://dev.eclipse.org/mailman/listinfo/platform-core-dev>, <mailto:platform-core-dev-request@eclipse.org?subject=unsubscribe>

Igor,

I would like to discourage you from taking this route. A fundamental rule of class loading is that the primordial class loader (the default or system loader) is given the first chance to load classes. This prevents spoofing of critical classes such as SecurityManager, ClassLoader (which handles byte code verification), etc. If we added this, I believe it would be impossible to have any form of security in Eclipse. Although this isn't an issue for most desktop apps, it would probably be an issue for things like the update manager which allows code on a website to hook into Eclipse. This is one of the reasons why Sun introduced the endorsed standards override mechanism: to allow overriding certain non-core packages in a controlled way. Here is a reference for more background reading on the java security model, and the required class loader algorithm:

http://www.securingjava.com/chapter-two/chapter-two-7.html

and:

http://java.sun.com/j2se/1.4/docs/guide/security/spec/security-spec.doc5.html

While I recognize the problems you point out with the override mechanism (we have similar problems due to our use of xerces), I don't think re-implementing the override mechanism in Eclipse is the best answer. Perhaps you could explore bundling a pre-configured JRE with your application, writing an install program that configures the override mechanism in the JRE, or even porting your application to use the W3C APIs bundled with the JDK?

---

Igor Malinin <igor@xxxxxxxxxxxx>
Sent by: platform-core-dev-admin@xxxxxxxxxxx

01/20/2003 05:01 PM
Please respond to platform-core-dev

To: platform-core-dev@xxxxxxxxxxx
cc:
Subject: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries

http://bugs.eclipse.org/bugs/show_bug.cgi?id=29007

I'm the reporter for this bug and would like to help implementing this
feature if no one of core developers doing this. Before starting
implementation I like to discuss with core developers and plugin
developers how to do it better, what is required, plugin.xml changes, e.t.c.

I monitor this bug and hope to start implementation as soon as some
agreement will be reached.

_______________________________________________
platform-core-dev mailing list
platform-core-dev@xxxxxxxxxxx
http://dev.eclipse.org/mailman/listinfo/platform-core-dev

Follow-Ups:
- Re: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries
  - From: Igor Malinin
- Re: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries
  - From: Igor Malinin

Prev by Date: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries
Next by Date: Re: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries
Previous by thread: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries
Next by thread: Re: [platform-core-dev] Bug 29007: Classloading enhancements for "endorsed" libraries
Index(es):
- Date
- Thread

Breadcrumbs