Class loader system
The class loader is the first defense line of the sandbox. After all, the code is loaded into the JVM, which includes dangerous code. Its security effect is three points:
A protection of good-time code is not affected by malicious code Second Protection The verified class library three-generation code is placed in various protection domains with different behavior restrictions.
The class load system protects the kind of codes from malicious code by using a different type of loader to put the classes in different namespaces.
JVM maintains a namespace for each class loader. For example, if JVM loads a class called Volcano in a certain name space, you cannot load another class also known as Volcano in this name space unless you create another name space. That is, if the JVM has three namespaces, you can load three classes called Volcano, one name space.
In JVM, the class in the same name space is to interact directly, but the class in different namespaces will not be, unless otherwise mechanisms. In this way, the namespace play a role of a barrier.
In Figure 3-1, two namespaces are shown, each having a class loader, each loaded two types, two namespaces have a type called Volcano. The left color deeper class loader loads Type Climber and Volcano, and the shallower-loaded type loader on the right is loaded with Type Bakingsoda and Volcano. The arrows in the figure indicate the names in the namespace to define data in the method area (Method Area). Because of the barrier of the name space, when the Climber references Volcano, it refers to the Volcano in the same name. Although all in the same JVM, it can't know Volcano in another name space. If you want to know how to achieve the separation of the name space, you can see Chapter 8 "Link Mode"
The class loader system protects the security of the credit package by loading the trusted packages and untrusted packages). Although you can develop access controls to the types in the same package, this control works only if it is loaded by the same loader.
Typically, a user-defined class loader needs to rely on other class loaders to complete tasks, at least one class loader created at JVM startup, this class loader is called a start-up class loader. Before the 1.2 version, the class loader must display other class loaders, such as calling the LoadClass method of the other user-defined class loader, or calls the Static Functions of the Bootstrap Class Loader FindsystemClass (). In the 1.2 version, a class loader requires another class loader to load a type of process is standardized as a proxy mode (Parent-Delegation Model:) CHAIN OF RESPONSIBILITY mode)
When a class loader is trying to load a class in its own way, it first defaults to this work to his parent object. This parent object will first hand over this task to his parent object, so this task will pass to the start-up class loader because the start-up class loader is usually the last class of the proxy chain. If the parent class loader loads this type, this type will be returned, otherwise by subclass loader processing. In the implementation of the previous version of the 1.2 version, the built-in loader is responsible for loading the local available class files, typically includes the Java application class file and all the libraries needed for all the applications, although the way the required class file is loaded according to the application Different, many applications searches for the path defined by class path.
In version 1.2, the task loaded with the local available class file is decomposed to a plurality of class loaders. The type loader called the primordage-loader (PRIMORDIAL CLASS Loader) is renamed to the start-up class loader, used to indicate that it is only used to load the core Java API class file, because the core Java API class file is used to start JVM of. The task responsible for loading other class files gives the user-defined class loader (the translator: herein refers to the implementation of the virtual machine), these class files include the application class file, used to install and download. Standard extension class files used to find class files such as libraries in Class Path. Therefore, when 1.2's JVM starts running, it creates at least one user-defined class loader, all of which are stringed into a chain, and the header loader in the chain is the system class. System Class Loader. Prior to 1.2, sometimes it is said that the in-button loader is a system class loader, at 1.2, which is more formally used to refer to the new class loader created by the Java application.
This default parent agent typically loads the initial class of the application, but any user-defined class loader may be changed by the designer of the Java platform. For example, if you write an app, this app needs to install a class loader to load class files downloaded from the network. This app runs on a JVM, and this JVM has two user-defined class loaders, one is to install the extended class loader and the other is the classpath type loader. They are stringed into a chain and the start-up type loader, in turn: Start the class loader, install the extended class loader, class path loader.
As shown in Figure 3-2, the class path loader is designed to be a system class loader, which will be the father of the Java application new type loader. When your application's network-based loader is installed, it sets this system class loader as its father.
If you need to load a class called Volcano in the Java application, your class loader will first hand over this task to its father, class path class loader, to find and load this class file. The classpath loader is also given to our father, install the extended class loader, and complete the task. In this way, this task is finally handed over to the start-up class loader to first try processing.
Assume that the class Volcano is not part of the Java API, nor isn't a part of the installation extension and classpaths. All corresponding class loaders have not returned this type so that they will turn your own class loader. It will download this file from the web so that this class is called part of your application. We continue this example, if a method of Core Volcano is called for the first time later, this method references the class java.util.hashmap in the Java API, and this class is the first reference to this app, so JVM Ask your class loader to load this class. As before, this request finally reached the start-up class loader.
But this time, the start-up class loader can load java.util.hashmap and return it to your class loader. This installing the extended class loader and class path class loader only played a way of delivery, and your class loader does not have to download this class file from the web. Since then, in class Volcano, all references to java.util.hashmap will use this class.
With this background knowledge, we can see how the class loader is used to protect the trusted libraries. The class loader system protects the boundary of the credible class by preventing untrusted classes, preventing potential threats to Java Runtime security. With this chain proxy relationship, we know, to load a class, you need to check the class loader on the chain to check by a specific order, so your defined class loader is always in a lower priority status, if yourself The class loader wants to download a class called Java.lang.integer from the network. It can only use the type from the parent class loader. In this way, the occurrence of trusted code is prevented from replacing the trusted code. But if the code is not prepared to replace a trusted type, just want to insert a new type in the 可 信 包? If in the previous example, your network-based loader wants to load a class called Java.lang.virus. As before, the load-loaded request is passed in the chain until the class loader is started, although the launch class loader is responsible for loading the core Java API class, including a package name called java.lang, but can't find Virus, We assume that this class is also not found in the installation of extended class loaders and classpath type loaders. This way your network loader downloads this class from the web. Suppose you have successfully downloaded class java.lang.virus, and Java has certain privileges for mutual access to classes in the same package. Therefore, because your class loader loads a shameless claim to be part of Java.lang.virus, you must have a certain privilege, thus doing some sinful. However, the class load mechanism stops the occurrence of this matter because the class loading mechanism restricts this privilege only under the premise of loading the same class loader.
Because the credibility class in the Java API's java.lang package is loaded by the startup class loader, the evil java.lang.virus is loaded by your network loader, they don't belong to the same run package (Runtime package) .
Running package This term first introduced in the JVM second edition specification, refers to the same package loaded by the same class loader. The JVM is also confident that the two types are loaded by the same class loader before allowing two types to be accessed in the same package. Therefore, JVM does not allow java.lang.virus to access other types of java.lang packages in the Java API because they are not loaded by the same class loader.
One of the purposes of introducing a run package is to load different types of class files using different class loaders. The start-up class loader is used to load the most trusted core Java API. Installing the extended class loader to load any class files for installation extensions. Although the installation extension is also trustworthy, it has not yet to add a new type of type to the Java API. Similarly, the class loaded by the classpath loader can also access the type of installation extension and the type in the Java API.
The type loader can also simply prohibit loading certain types to protect trusted code.
For example, you may have some packages, some of which you want to load by the class path class loader, not your network loader. Suppose you create a package called AbsolutePower and install it within the access range of the classpath type loader. At the same time, you want to load the class loaded by your class loader to load any classes in the AbsolutePower package. In this way, the first thing in your class loader is that the class that needs to be loaded is not declared as the class in AbsolutePower. If yes, an exception is thrown, not handed over to the parent class loader. In addition to shielding different namespaces, the class loader mechanism is maintained outside the different namespace, and puts each loaded class into a protected domain, and the protection domain has a definition of the activity range of the class.