Re: [Jython-users] Using custom class loader to restrict import

[David H. <dav...@gm...>]

On 10/18/07, Dave Kuhlman <dku...@re...> wrote:
> I'm going to try to tell myself that it does not matter that my example is a
> bit impractical.  I'm concerned that people who are thinking about embedding a
> Jython interpreter into a Java application, will want to expose some of the
> Java classes in that application to scripts, but prohibit access to others.
> So, I figure that as long as I show a way to do that screening, I've done what
> I need to do.  You think?

As long as it works, i.e., you can define classes Goodclass1 and
Badclass1 and show that Goodclass1 can be loaded while Badclass1
can't, then it's a good example.  I'm not sure it will work for *any*
Goodclass1, so I think you should make the definition of Goodclass1
part of the example.  If you leave Goodclass1 undefined, some poor
user might attempt the example with an unexpected definition of
Goodclass1 that invalidates the example.  I'm particularly concerned
that if the definition of Goodclass1 requires loading of other classes
that don't appear on the whitelist, and if the JVM attempts to load
them through the custom class loader, the class loader will reject
them, resulting in Goodclass1 failing to load.  My understanding of
class loading is pretty fuzzy, so I'm not sure that my reservations
are valid.  It would be safest to fully specify and test the example,
though.

-David