In order to understand the Java's ClassLoader mechanism, let's first do the following experiments:
Package java.lang; public class test {public static void main (string [] args) {char [] c = "1234567890" .tochararray (); string s = new string (0, 10, c);}}
The String class has a configuration function string (int offset, int layth, char [] array), according to the default access, because Test belongs to the java.lang package, so this constructor should be accessed by theoretically. Compiled! The results are as follows:
Exception in thread "main" java.lang.SecurityException: Prohibited package name: java.lang at java.lang.ClassLoader.defineClass (Unknown Source) at java.security.SecureClassLoader.defineClass (Unknown Source) at java.net.URLClassLoader. defineClass (Unknown Source) at java.net.URLClassLoader.access $ 100 (Unknown Source) at java.net.URLClassLoader $ 1.run (Unknown Source) at java.security.AccessController.doPrivileged (Native Method) at java.net.URLClassLoader. findClass (Unknown Source) at java.lang.ClassLoader.loadClass (Unknown Source) at sun.misc.Launcher $ AppClassLoader.loadClass (Unknown Source) at java.lang.ClassLoader.loadClass (Unknown Source) at java.lang.ClassLoader. LoadClassInternal (unknown Source)
Strange? To clarify why there will be securityException, you must figure out the mechanism of ClassLoader.
Java's ClassLoader is used to dynamically load Class, ClassLoader will only load once for a Class, and the ClassLoad used by JVM has 4:
Start the class loader, standard extension type loader, class path loader, and network loader.
The priority of these four ClassLoaders is from high to low, and the so-called "double-proceeding appraisal model" is used. Specifically, if a network loader is requested to load a java.lang.integer, it first sends the request to the previous class path loader. If the load is loaded, the network loader will not load. This java.lang.integer, if the previous class path loader returns unloaded, it will only load java.lang.integer.
Similarly, the classpath loader receives the request (whether it is directly requested to load or the next class of ClassLoader uploads), it will also send the request to the standard extension loader in the previous level, so that one layer Layer is uploaded, so the start-up loader is highest, if it finds java.lang.integer in its own way, the following ClassLoad cannot be loaded with java.lang.integer, although you wrote a java.lang yourself. INTEGER, Java.lang.integer attempting to replace the core library is impossible, because this class written is not loaded by the lower ClassLoader. Let's talk about Package privileges. Java language regulations, Class in the same package, if there is no modifier, the default is Package Permissions, the Class within the package can be accessed. But this is not accurate enough. Specifically, only Class loaded by the same classloader has the above package privilege. For example, the start-up type loader is loaded with java.lang.string, and the classpath loader loads our own Java.lang.Test that cannot access each other's methods for Package privileges. This prevents the malicious code to access the core class of the Package permission method.
