Why is it possible to create custom ClassLoaders with subscription applets?

Question

Why is it possible to create custom ClassLoaders with subscription applets?

Java applets do not allow you to write custom ClassLoader unless you sign your applet. Why is this so? Custom ClassLoader is just a tool for finding classes. In fact, you do not load the class, except that you call the private method "defineClass", which is the "trusted" code in the sense that it is written and controlled by a virtual machine, not your applet. It's not like you get more permissions than the ability to dynamically load a class ... Which really means nothing.

I think as a side question: is there any other way to dynamically transition from

byte[] => Class

which is allowed with unsigned applets?

+3

java security classloader applet unsigned

Jeremy salwen Feb 05 '11 at 18:50

source share

2 answers

Notice you can create ClassLoaderwith java.net.URLClassLoader.newInstance. As stated in bkail, the user ClassLoadercan create classes with arbitrary permissions, as well as circumvent other security restrictions. As for why not, there is nothing more general than java.net.URLClassLoader.newInstance, well, there simply is not.

0

Tom Hawtin - tackline Feb 16 '11 at 23:58

source share

Bret kail · Accepted Answer · 2011-02-05T19:01:57+0000

defineClass has a ProtectionDomain parameter that you can pass with a PermissionCollection containing AllPermission, which will allow you to do basically anything on the host machine.

Why is it possible to create custom ClassLoaders with subscription applets?

More articles: