Date: Wed, 04 Aug 1999 19:43:21 +0200
From: Gilles Roussel <roussel@univ-mlv.fr>
To: java-security@java.sun.com
Subject: URLClassLoader problem
Hello,
I'm trying to see the difference, concerning security between
URLClassLoder constructor and newInstance static method.
So I wrote the following class.
import java.net.*;
public class URLClassLoaderSecurityManager extends SecurityManager {
public void checkCreateClassLoader() {
System.err.println("create");
super.checkCreateClassLoader();
}
public void checkPackageAccess(String pkg) {
System.err.println("package :" + pkg);
super.checkPackageAccess(pkg);
}
public static void main(String[] args) throws Exception {
System.setSecurityManager(new URLClassLoaderSecurityManager());
if(args.length=3D=3D0)
URLClassLoader cl =3D new URLClassLoader(new URL[]{new
URL("file:/home/roussel/JAVA/src/")});
else
URLClassLoader cl =3D URLClassLoader.newInstance(new URL[]{new
URL("file:/home/roussel/JAVA/src/")});
Class c =3D cl.loadClass("test.Hello");
}
}
When I execute it under Solaris with jdk1.2.1 it produce a core ! Is
this a solved problem in JDK1.2.2 ?
Moreover, if I remove the setSecurityManager call and use the default
security manager with :
java -Djava.security.manager=3D URLClassLoaderSecurityManager
It throws me the expected exception *
RuntimeException createClassLoader
But when I call it with an argument, it works and I don't have the class
test.Hello in my CLASSPATH
I use the following command :
java -Dpackage.access=3D"test" -Djava.security.manager=3D
URClassLoaderSecurityManager arg
So how could I trigger the expected exception ?
Moreover, if it works, what is the advantage each construction ?
Thanks
-- Gilles Roussel Batiment Copernic - Universit=E9 de Marne-la-Vall=E9e - Cit=E9 Descartes 5, boulevard Descartes - Champs sur Marne - 77454 Marne-la-Vall=E9e Cedex= 2 - FRANCE Tel : 01-60-95-75-59 - Fax : 01-60-95-75-57 WWW : http://www-igm.univ-mlv.fr/~roussel