Package org.glassfish.web.loader

Class WebappClassLoader

  • All Implemented Interfaces:
    DDPermissionsLoader, Closeable, AutoCloseable, JarFileResourcesProvider, InstrumentableClassLoader, ResourceClassLoader, org.glassfish.hk2.api.PreDestroy, Reloader
    public class WebappClassLoader
extends URLClassLoader
implements Reloader, ResourceClassLoader, InstrumentableClassLoader, org.glassfish.hk2.api.PreDestroy, DDPermissionsLoader, JarFileResourcesProvider
    Specialized web application class loader.

    This class loader is a full reimplementation of the URLClassLoader from the JDK. It is designed to be fully compatible with a normal URLClassLoader, although its internal behavior may be completely different.

    IMPLEMENTATION NOTE - This class loader faithfully follows the delegation model recommended in the specification. The system class loader will be queried first, then the local repositories, and only then delegation to the parent class loader will occur. This allows the web application to override any shared class except the classes from J2SE. Special handling is provided from the JAXP XML parser interfaces, the JNDI interfaces, and the classes from the servlet API, which are never loaded from the webapp repository.

    IMPLEMENTATION NOTE - Due to limitations in Jasper compilation technology, any repository which contains classes from the servlet API will be ignored by the class loader.

    IMPLEMENTATION NOTE - The class loader generates source URLs which include the full JAR URL when a class is loaded from a JAR file, which allows setting security permission at the class level, even when a class is contained inside a JAR.

    IMPLEMENTATION NOTE - Local repositories are searched in the order they are added via the initial constructor and/or any subsequent calls to addRepository() or addJar().

    IMPLEMENTATION NOTE - No check for sealing violations or security is made unless a security manager is present.

    Version:
    $Revision: 1.1.2.1 $ $Date: 2007/08/17 15:46:27 $
    Author:
    Remy Maucherat, Craig R. McClanahan

    • Field Detail

      • resources

        protected DirContext resources
        Associated directory context giving access to the resources in this webapp.

      • resourceEntries

        protected ConcurrentHashMap<String,​ResourceEntry> resourceEntries
        The cache of ResourceEntry for classes and resources we have loaded, keyed by resource name.

      • debug

        protected int debug
        The debugging detail level of this component.

      • delegate

        protected boolean delegate
        Should this class loader delegate to the parent class loader before searching its own repositories (i.e. the usual Java2 delegation model)? If set to false, this class loader will search its own repositories first, and delegate to the parent only if the class or resource is not found locally.

      • lastJarAccessed

        protected long lastJarAccessed
        Last time a JAR was accessed.

      • repositories

        protected String[] repositories
        The list of local repositories, in the order they should be searched for locally loaded classes or resources.

      • repositoryURLs

        protected URL[] repositoryURLs
        Repositories URLs, used to cache the result of getURLs.

      • files

        protected File[] files
        Repositories translated as path in the work directory (for Jasper originally), but which is used to generate fake URLs should getURLs be called.

      • jarFiles

        protected JarFile[] jarFiles
        The list of JARs, in the order they should be searched for locally loaded classes or resources.

      • jarFilesLock

        protected final Object jarFilesLock
        Lock to synchronize closing, opening and accessing of jar

      • jarRealFiles

        protected File[] jarRealFiles
        The list of JARs, in the order they should be searched for locally loaded classes or resources.

      • jarPath

        protected String jarPath
        The path which will be monitored for added Jar files.

      • jarNames

        protected List<String> jarNames
        The list of JARs, in the order they should be searched for locally loaded classes or resources.

      • lastModifiedDates

        protected long[] lastModifiedDates
        The list of JARs last modified dates, in the order they should be searched for locally loaded classes or resources.

      • paths

        protected String[] paths
        The list of resources which should be checked when checking for modifications.

      • loaderDir

        protected File loaderDir
        Path where resources loaded from JARs will be extracted.

      • canonicalLoaderDir

        protected String canonicalLoaderDir

      • started

        protected boolean started
        Has this component been started?

      • hasExternalRepositories

        protected boolean hasExternalRepositories
        Has external repositories.

    • Constructor Detail

      • WebappClassLoader

        public WebappClassLoader​(Application application)
        Construct a new ClassLoader with no defined repositories and no parent ClassLoader.
        Parameters:
        application -

      • WebappClassLoader

        public WebappClassLoader​(ClassLoader parent,
                         Application application)
        Construct a new ClassLoader with the given parent ClassLoader, but no defined repositories.
        Parameters:
        parent -
        application -

      • WebappClassLoader

        public WebappClassLoader​(ClassLoader parent,
                         Application application,
                         boolean hotDeploy)
        Construct a new ClassLoader with the given parent ClassLoader, but no defined repositories.
        Parameters:
        parent -
        application -
        hotDeploy -

      • WebappClassLoader

        public WebappClassLoader​(ClassLoader parent)
        for use in OSGi loader
        Parameters:
        parent -

      • WebappClassLoader

        public WebappClassLoader​(URL[] urls,
                         ClassLoader parent,
                         Application application)
        Construct a new ClassLoader with the given parent ClassLoader and defined repositories.
        Parameters:
        urls -
        parent -
        application -

    • Method Detail

      • addOverridablePackage

        public void addOverridablePackage​(String packageName)
        Adds the given package name to the list of packages that may always be overriden, regardless of whether they belong to a protected namespace

      • getResources

        @Deprecated
public DirContext getResources()
        Deprecated.
        Unused. Always returns null - See CVE-2022-22965 Get associated resources.

      • setResources

        public void setResources​(DirContext resources)
        Set associated resources.

      • getContextName

        public String getContextName()
        Return the context name for this class loader.
        Returns:

      • getDebug

        public int getDebug()
        Return the debugging detail level for this component.

      • setDebug

        public void setDebug​(int debug)
        Set the debugging detail level for this component.
        Parameters:
        debug - The new debugging detail level

      • getDelegate

        public boolean getDelegate()
        Return the "delegate first" flag for this class loader.

      • setDelegate

        public void setDelegate​(boolean delegate)
        Set the "delegate first" flag for this class loader.
        Parameters:
        delegate - The new "delegate first" flag

      • getAntiJARLocking

        public boolean getAntiJARLocking()
        Returns:
        Returns the antiJARLocking.

      • setAntiJARLocking

        public void setAntiJARLocking​(boolean antiJARLocking)
        Parameters:
        antiJARLocking - The antiJARLocking to set.

      • addPermission

        public void addPermission​(String path)
        If there is a Java SecurityManager create a read FilePermission or JndiPermission for the file directory path.
        Parameters:
        path - file directory path

      • addPermission

        public void addPermission​(URL url)
        If there is a Java SecurityManager create a read FilePermission or JndiPermission for URL.
        Parameters:
        url - URL for a file or directory on local system

      • addPermission

        public void addPermission​(Permission permission)
        If there is a Java SecurityManager create a Permission.
        Parameters:
        permission - permission to add

      • getJarPath

        public String getJarPath()
        Return the JAR path.

      • setJarPath

        public void setJarPath​(String jarPath)
        Change the Jar path.

      • setWorkDir

        public void setWorkDir​(File workDir)
        Change the work directory.

      • setUseMyFaces

        public void setUseMyFaces​(boolean useMyFaces)

      • getClearReferencesStatic

        public boolean getClearReferencesStatic()
        Return the clearReferencesStatic flag for this Context.

      • setClearReferencesStatic

        public void setClearReferencesStatic​(boolean clearReferencesStatic)
        Set the clearReferencesStatic feature for this Context.
        Parameters:
        clearReferencesStatic - The new flag value

      • addRepository

        public void addRepository​(String repository)
        Add a new repository to the set of places this ClassLoader can look for classes to be loaded.
        Specified by:
        addRepository in interface Reloader
        Parameters:
        repository - Name of a source of classes to be loaded, such as a directory pathname, a JAR file pathname, or a ZIP file pathname
        Throws:
        IllegalArgumentException - if the specified repository is invalid or does not exist

      • addRepository

        public void addRepository​(URL url)

      • addRepository

        public void addRepository​(String repository,
                          File file)
        Add a new repository to the set of places this ClassLoader can look for classes to be loaded.
        Parameters:
        repository - Name of a source of classes to be loaded, such as a directory pathname, a JAR file pathname, or a ZIP file pathname
        Throws:
        IllegalArgumentException - if the specified repository is invalid or does not exist

      • modified

        public boolean modified()
        Have one or more classes or resources been modified so that a reload is appropriate?
        Specified by:
        modified in interface Reloader

      • toString

        public String toString()
        Render a String representation of this object.
        Overrides:
        toString in class Object

      • findResource

        public URL findResource​(String name)
        Find the specified resource in our local repository, and return a URL referring to it, or null if this resource cannot be found.
        Overrides:
        findResource in class URLClassLoader
        Parameters:
        name - Name of the resource to be found

      • findResources

        public Enumeration<URL> findResources​(String name)
                               throws IOException
        Return an enumeration of URLs representing all of the resources with the given name. If no resources with this name are found, return an empty enumeration.
        Overrides:
        findResources in class URLClassLoader
        Parameters:
        name - Name of the resources to be found
        Throws:
        IOException - if an input/output error occurs

      • getResource

        public URL getResource​(String name)
        Find the resource with the given name. A resource is some data (images, audio, text, etc.) that can be accessed by class code in a way that is independent of the location of the code. The name of a resource is a "/"-separated path name that identifies the resource. If the resource cannot be found, return null.

        This method searches according to the following algorithm, returning as soon as it finds the appropriate URL. If the resource cannot be found, returns null.

        • If the delegate property is set to true, call the getResource() method of the parent class loader, if any.
        • Call findResource() to find this resource in our locally defined repositories.
        • Call the getResource() method of the parent class loader, if any.
        Overrides:
        getResource in class ClassLoader
        Parameters:
        name - Name of the resource to return a URL for

      • getResourceAsStream

        public InputStream getResourceAsStream​(String name)
        Find the resource with the given name, and return an input stream that can be used for reading it. The search order is as described for getResource(), after checking to see if the resource data has been previously cached. If the resource cannot be found, return null.
        Overrides:
        getResourceAsStream in class URLClassLoader
        Parameters:
        name - Name of the resource to return an input stream for

      • loadClass

        public Class<?> loadClass​(String name)
                   throws ClassNotFoundException
        Load the class with the specified name. This method searches for classes in the same manner as loadClass(String, boolean) with false as the second argument.
        Overrides:
        loadClass in class ClassLoader
        Parameters:
        name - Name of the class to be loaded
        Throws:
        ClassNotFoundException - if the class was not found

      • loadClass

        protected Class<?> loadClass​(String name,
                             boolean resolve)
                      throws ClassNotFoundException
        Load the class with the specified name, searching using the following algorithm until it finds and returns the class. If the class cannot be found, returns ClassNotFoundException.
        • Call findLoadedClass(String) to check if the class has already been loaded. If it has, the same Class object is returned.
        • If the delegate property is set to true, call the loadClass() method of the parent class loader, if any.
        • Call findClass() to find this class in our locally defined repositories.
        • Call the loadClass() method of our parent class loader, if any.
        If the class was found using the above steps, and the resolve flag is true, this method will then call resolveClass(Class) on the resulting Class object.
        Overrides:
        loadClass in class ClassLoader
        Parameters:
        name - Name of the class to be loaded
        resolve - If true then resolve the class
        Returns:
        class
        Throws:
        ClassNotFoundException - if the class was not found

      • getPermissions

        protected PermissionCollection getPermissions​(CodeSource codeSource)
        Get the Permissions for a CodeSource. If this instance of WebappClassLoader is for a web application context, add read FilePermission or JndiPermissions for the base directory (if unpacked), the context URL, and jar file resources.
        Overrides:
        getPermissions in class URLClassLoader
        Parameters:
        codeSource - where the code was loaded from
        Returns:
        PermissionCollection for CodeSource

      • getURLs

        public URL[] getURLs()
        Returns the search path of URLs for loading classes and resources. This includes the original list of URLs specified to the constructor, along with any URLs subsequently appended by the addURL() method.
        Overrides:
        getURLs in class URLClassLoader
        Returns:
        the search path of URLs for loading classes and resources.

      • start

        public void start()
        Start the class loader.

      • isStarted

        public boolean isStarted()

      • preDestroy

        public void preDestroy()
        Specified by:
        preDestroy in interface org.glassfish.hk2.api.PreDestroy

      • stop

        public void stop()
          throws Exception
        Stop the class loader.
        Throws:
        LifecycleException - if a lifecycle error occurs
        Exception

      • closeJARs

        public void closeJARs​(boolean force)
        Used to periodically signal to the classloader to release JAR resources.

      • clearReferences

        protected void clearReferences()
        Clear references.

      • nullInstance

        protected void nullInstance​(Object instance)

      • openJARs

        protected boolean openJARs()
        Used to periodically signal to the classloader to release JAR resources.

      • findResourceInternal

        protected ResourceEntry findResourceInternal​(String name,
                                             String path)
        Attempts to find the specified resource in local repositories.
        Returns:
        the loaded resource, or null if the resource isn't found

      • getExtractedResourcePath

        public File getExtractedResourcePath​(String path)

      • isPackageSealed

        protected boolean isPackageSealed​(String name,
                                  Manifest man)
        Returns true if the specified package name is sealed according to the given manifest.

      • findLoadedResource

        protected InputStream findLoadedResource​(String name)
        Finds the resource with the given name if it has previously been loaded and cached by this class loader, and return an input stream to the resource data. If this resource has not been cached, return null.
        Parameters:
        name - Name of the resource to return

      • findLoadedClass0

        protected Class<?> findLoadedClass0​(String name)
        Finds the class with the given name if it has previously been loaded and cached by this class loader, and return the Class object. If this class has not been cached, return null.
        Parameters:
        name - Name of the resource to return

      • refreshPolicy

        protected void refreshPolicy()
        Refresh the system policy file, to pick up eventual changes.

      • filter

        protected boolean filter​(String name)
        Filter classes.
        Parameters:
        name - class name
        Returns:
        true if the class should be filtered

      • validate

        protected boolean validate​(String name)
        Validate a classname. As per SRV.9.7.2, we must restrict loading of classes from J2SE (java.*) and classes of the servlet API (jakarta.servlet.*). That should enhance robustness and prevent a number of user error (where an older version of servlet.jar would be present in /WEB-INF/lib).
        Parameters:
        name - class name
        Returns:
        true if the name is valid

      • deleteDir

        protected static void deleteDir​(File dir)
        Delete the specified directory, including all of its contents and subdirectories recursively.
        Parameters:
        dir - File object representing the directory to be deleted

      • addByteCodePreprocessor

        public void addByteCodePreprocessor​(BytecodePreprocessor preprocessor)

      • copy

        public ClassLoader copy()
        Create and return a temporary loader with the same visibility as this loader. The temporary loader may be used to load resources or any other application classes for the purposes of introspecting them for annotations. The persistence provider should not maintain any references to the temporary loader, or any objects loaded by it.
        Specified by:
        copy in interface InstrumentableClassLoader
        Returns:
        A temporary classloader with the same classpath as this loader

      • addTransformer

        public void addTransformer​(ClassFileTransformer transformer)
        Add a new ClassFileTransformer to this class loader. This transfomer should be called for each class loading event.
        Specified by:
        addTransformer in interface InstrumentableClassLoader
        Parameters:
        transformer - new class file transformer to do byte code enhancement.

      • newInstance

        public static <T> T newInstance​(Class<T> ofClass,
                                Class<?>[] constructorArgTypes,
                                Object[] args)