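When a custom class loader must override getPermissions(), the implementation needs to call the superclass's getPermissions() before assigning any permissions to the code source, so that the system's default security policy is taken into account and followed. A custom class loader that ignores the superclass getPermissions() method may load untrusted classes with elevated privileges. When writing a custom class loader, do not extend the abstract ClassLoader class directly.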
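    package com.test;

    import java.net.MalformedURLException;
    import java.net.URL;
    import java.net.URLClassLoader;
    import java.security.CodeSource;
    import java.security.PermissionCollection;

    public class MyClassLoader extends URLClassLoader {
        public MyClassLoader(URL[] urls) {
            super(urls);
        }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            // start from the permissions the superclass derives for this code source
            PermissionCollection pc = super.getPermissions(cs);
            // allow exit from the VM anytime
            pc.add(new RuntimePermission("exitVM"));
            return pc;
        }

        public static void main(String[] args) throws MalformedURLException, ReflectiveOperationException {
            // file:/// with an empty host and forward slashes is the well-formed URL for a local Windows path
            URL[] urls = new URL[]{new URL("file:///D:/cxp/code/hello/src/")};
            MyClassLoader myClassLoader = new MyClassLoader(urls);
            Class<?> clazz = myClassLoader.loadClass("com.company.Student");
            // Class.newInstance() is deprecated; go through the no-arg constructor instead
            Object obj = clazz.getDeclaredConstructor().newInstance();
            System.out.println(obj);
            System.out.println(obj.getClass().getClassLoader());
        }
    }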
getPermissions() calls super.getPermissions(). As a result, the system-wide default security policy is applied in addition to the custom policy.
Output of the code above:
Student:
name = null
age = null
score = null
com.test.MyClassLoader@3764951d
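To make the difference visible, the following added example (not part of the original page) puts a loader that skips super.getPermissions() next to one that calls it and prints the permission collection each returns for the same code source. The class names SkipsSuperLoader and CallsSuperLoader and the file:///tmp/untrusted-classes/ location are assumptions made up for the illustration.

```java
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.Collections;

public class GetPermissionsDemo {
    // Non-compliant (hypothetical name): builds the collection from scratch, so
    // nothing the superclass would contribute for this code source is present.
    static class SkipsSuperLoader extends URLClassLoader {
        SkipsSuperLoader(URL[] urls) { super(urls); }
        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = new Permissions();
            pc.add(new RuntimePermission("exitVM"));
            return pc;
        }
    }
    // Compliant (hypothetical name): starts from the superclass result,
    // then adds the single extra permission.
    static class CallsSuperLoader extends URLClassLoader {
        CallsSuperLoader(URL[] urls) { super(urls); }
        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection pc = super.getPermissions(cs);
            pc.add(new RuntimePermission("exitVM"));
            return pc;
        }
    }

    // Print every permission contained in the collection.
    static void report(String label, PermissionCollection pc) {
        System.out.println(label);
        Collections.list(pc.elements()).forEach(p -> System.out.println("  " + p));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample location; nothing is loaded from it.
        URL src = URI.create("file:///tmp/untrusted-classes/").toURL();
        CodeSource cs = new CodeSource(src, (Certificate[]) null);
        try (SkipsSuperLoader bad = new SkipsSuperLoader(new URL[]{src});
             CallsSuperLoader good = new CallsSuperLoader(new URL[]{src})) {
            report("without super.getPermissions():", bad.getPermissions(cs));
            report("with super.getPermissions():", good.getPermissions(cs));
        }
    }
}
```

The example only inspects the returned collections; the permissions are enforced only when a security manager is active.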