null ClassLoader

Adam Megacz gcj@lists.megacz.com
Wed Dec 19 18:49:00 GMT 2001


Tom Tromey <tromey@redhat.com> writes:
> This all sounds pretty ugly. How important is it that the class
> loader for, say, java.lang.Object be different from the class loader
> for org.user.Whatever?

AFAIK it's the (sketchy) cornerstone of a lot of Java security
mechanisms. All classes such that getClassLoader() == null are trusted
as "privileged", and can do Really Evil Things.

For example, such classes can effectively gain read access to private
fields on arbitrary objects -- see java.io.ObjectOutputStream.enableReplaceObject().

> Equivalently, we could change Class.getClassLoader so it only returns
> `null' for primitive classes.

That would probably do it.

To the best of my understanding, aside from being a simple method for
turning byte[] -> Class, ClassLoaders are also how you create multiple
provably-isolated "virtual sub-VMs" within a single VM.
 - a
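
The two properties discussed in the message above, as an added example that is not part of the original post or of gcj's code: a bootstrap class reports a null loader, and the same class bytes defined by two loaders become two unrelated classes with separate static state. `LoaderIsolationDemo`, `Counter` and `IsolatingLoader` are hypothetical names, and the code assumes a standard JVM running Java 9 or later.

```java
import java.io.InputStream;
import java.lang.reflect.Method;

public class LoaderIsolationDemo {
    // Constructed sample class: its static counter shows whether loaders share state.
    public static class Counter {
        private static int hits = 0;
        public static int hit() { return ++hits; }
    }

    // Hypothetical loader: defines Counter itself instead of delegating to its parent.
    static class IsolatingLoader extends ClassLoader {
        IsolatingLoader(ClassLoader parent) { super(parent); }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(Counter.class.getName())) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    // Read the compiled bytes from the classpath, then define a private copy.
                    String res = name.replace('.', '/') + ".class";
                    try (InputStream in = getParent().getResourceAsStream(res)) {
                        if (in == null) throw new ClassNotFoundException(name);
                        byte[] b = in.readAllBytes();
                        c = defineClass(name, b, 0, b.length);
                    } catch (java.io.IOException e) {
                        throw new ClassNotFoundException(name, e);
                    }
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader app = LoaderIsolationDemo.class.getClassLoader();
        // Bootstrap classes report null; application classes report a real loader.
        System.out.println("Object loader is null: " + (Object.class.getClassLoader() == null));
        System.out.println("Demo loader is null:   " + (app == null));

        Class<?> a = new IsolatingLoader(app).loadClass(Counter.class.getName());
        Class<?> b = new IsolatingLoader(app).loadClass(Counter.class.getName());
        Method hitA = a.getMethod("hit"), hitB = b.getMethod("hit");
        hitA.invoke(null); hitA.invoke(null);   // advance only loader A's copy
        System.out.println("Same Class object: " + (a == b));
        System.out.println("a.hit() -> " + hitA.invoke(null) + ", b.hit() -> " + hitB.invoke(null));
    }
}
```

A class's identity is its name plus its defining loader, which is why any trust decision keyed on `getClassLoader() == null` depends on that value being returned only for classes the runtime itself supplied.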

