public class FireWallClassLoader extends SecureClassLoader
Normally, when a classloader receives a request for a resource, it will consult its parent class loader first for that resource. The parent class loader is typically the System ClassLoader. If the parent class loader cannot provide the requested resource, the child class loader will be consulted for the request. Note: the parent class loader must not be confused by the superclass of a certain class loader (e.g. SecureClassLoader). The parent classloader is identified at construction time and passed in as an constructor argument.
Consulting the parent classloader first can be inconvenient for certain applications that want guarantees about which classloader is used to load a certain class. This could be because you want to be certain about where the resource came from, or you want to protect yourself against (other versions) of the same class that could be served by the System ClassLoader (e.g. because someone put them on the classpath or in the extensions directory).
For these cases, the FireWallClassLoader can be used.
System ClassLoader | FireWallClassLoader | User's ClassLoaderThe FireWallClassLoader is placed between the user's class loader and the parent class loader. It has a set of filters that define what classes are allowed to go through. These filters describe (a groups of) packages, or a specific classes or resources that are allowed through to the parent classloader. Take as example this filter set:
["com.iona.", "javax.servlet.jsp."]This will allow requests to any class/resource staring with com.iona. or javax.servlet.jsp. through to the parent classloader and block all other requests.
A very common set of filters would be a set that allows nothing through except the classes used by the JDK. The JDKFireWallClassLoaderFactory factory class can create such FireWallClassLoader.
The FireWallClassLoader does not load any classes.
Constructor and Description |
---|
FireWallClassLoader(ClassLoader parent,
String[] fs)
Constructor.
|
FireWallClassLoader(ClassLoader parent,
String[] fs,
String[] negativeFs)
Constructor.
|
Modifier and Type | Method and Description |
---|---|
String[] |
getFilters()
Returns the list of filters used by this FireWallClassLoader.
|
String[] |
getNegativeFilters()
Returns the list of negative filters used by this FireWallClassLoader.
|
URL |
getResource(String name) |
protected Class<?> |
loadClass(String name,
boolean resolve) |
defineClass, defineClass, getPermissions
clearAssertionStatus, defineClass, defineClass, defineClass, defineClass, definePackage, findClass, findLibrary, findLoadedClass, findResource, findResources, findSystemClass, getClassLoadingLock, getPackage, getPackages, getParent, getResourceAsStream, getResources, getSystemClassLoader, getSystemResource, getSystemResourceAsStream, getSystemResources, loadClass, registerAsParallelCapable, resolveClass, setClassAssertionStatus, setDefaultAssertionStatus, setPackageAssertionStatus, setSigners
public FireWallClassLoader(ClassLoader parent, String[] fs)
parent
- The Parent ClassLoader to use.fs
- A set of filters to let through. The filters and be either in
package form (org.omg.
or org.omg.*
)
or specify a single class (junit.framework.TestCase
).
When the package form is used, all classed in all subpackages of this package are let trough the firewall. When the class form is used, the filter only lets that single class through. Note that when that class depends on another class, this class does not need to be mentioned as a filter, because if the originating class is loaded by the parent classloader, the FireWallClassLoader will not receive requests for the dependant class.
public FireWallClassLoader(ClassLoader parent, String[] fs, String[] negativeFs)
parent
- The Parent ClassLoader to use.fs
- A set of filters to let through. The filters and be either in
package form (org.omg.
or org.omg.*
)
or specify a single class (junit.framework.TestCase
).
When the package form is used, all classed in all subpackages of this package are let trough the firewall. When the class form is used, the filter only lets that single class through. Note that when that class depends on another class, this class does not need to be mentioned as a filter, because if the originating class is loaded by the parent classloader, the FireWallClassLoader will not receive requests for the dependant class.
negativeFs
- List of negative filters to use. Negative filters take
precedence over positive filters. When a class or resource is
requested that matches a negative filter it is not let through
the firewall even if an allowing filter would exist in the
positive filter list.protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException
loadClass
in class ClassLoader
ClassNotFoundException
public URL getResource(String name)
getResource
in class ClassLoader
public String[] getFilters()
public String[] getNegativeFilters()
Apache CXF