Hello all, I am working on a J2EE web application and we have the following requirement: it should be impossible to install an application patch with arbitrary classes. Right now patches are done by manually adding jars with fixes, or even individual classes, to the server classpath or to the application EAR. We also cannot use signed jars since it is impossible to overwrite later classes from them. Can you suggest a solution for these requirements?
Clarification: the requirement comes from the PCI PA-DSS standard.
The current patching procedure works as follows: for example, one of our jars is loaded from the system classpath. During the standard patch procedure an additional jar is added to the classpath before the original one. As a result all classes existing in both jars are loaded from the new one, since classes are searched for in the jars sequentially. According to the requirement the application has to validate that all loaded classes are coming from a trustworthy source, but currently it is at least theoretically possible for a hacker to overwrite an application class and open a backdoor, etc.

A: 

Looks like you don't trust your admins to update files in an exploded .war/.ear file.

Well, depending on your app server, you can turn off exploded deployment and set permissions on the 'work' or 'tmp' folders that the app server uses to explode your app onto disk. These permissions must be 'write' for the 'user' running the app server and 'read' for the admin user.

Ryan Fernandes
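The question asks how the application itself can validate that its loaded classes come from a trustworthy source when a jar placed earlier on the classpath shadows the original. The following is an added example, not code from the question, the answer, or any product mentioned above. It is a startup check that resolves each security-critical class, asks the JVM which jar actually defined it (via the class's CodeSource), and compares that jar's SHA-256 against an allow-list generated at release time. The class names, the jar name and the digest values are hypothetical placeholders; the check assumes the classes are loaded from plain jar files on disk (file: URLs), which is what the system-classpath scenario in the question describes.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not from the original post): fail closed at startup if any
 * security-critical class was defined by a jar that is not on the allow-list.
 * A jar inserted earlier on the classpath to shadow one of these classes has a
 * different digest, so the check throws before the application serves requests.
 */
public final class TrustedCodeSourceCheck {

    // sha256(jar bytes) -> release artifact name. Hypothetical placeholder values;
    // in a real build these are produced by the release pipeline and kept read-only.
    static final Map<String, String> TRUSTED_JARS = Map.of(
        "0000000000000000000000000000000000000000000000000000000000000000", "app-core-1.4.2.jar");

    // Hypothetical class names standing in for the classes a PA-DSS reviewer cares about.
    static final Set<String> CRITICAL_CLASSES = Set.of(
        "com.example.payment.CardProcessor",
        "com.example.auth.LoginService");

    /** Path of the jar that defined the class, or null for bootstrap/unknown code sources. */
    static Path jarOf(Class<?> c) {
        CodeSource cs = c.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            return null; // bootstrap loader: no CodeSource at all
        }
        try {
            return Paths.get(cs.getLocation().toURI());
        } catch (Exception e) {
            return null; // jar:, vfs: or other container URLs: treat as untrusted (fail closed)
        }
    }

    /** SHA-256 of a file, lower-case hex. */
    static String sha256Hex(Path p) throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = Files.newInputStream(p)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Throws SecurityException if any critical class comes from an unknown jar. */
    public static void verify() throws Exception {
        ClassLoader loader = TrustedCodeSourceCheck.class.getClassLoader();
        for (String name : CRITICAL_CLASSES) {
            // initialize=false: resolve the class without running its static
            // initializer, so a backdoored class gets no code execution before the check.
            Class<?> c = Class.forName(name, false, loader);
            Path jar = jarOf(c);
            if (jar == null || !Files.isRegularFile(jar)) {
                throw new SecurityException(name + " was defined from a non-jar or unknown location: "
                        + c.getProtectionDomain().getCodeSource());
            }
            String digest = sha256Hex(jar);
            if (!TRUSTED_JARS.containsKey(digest)) {
                throw new SecurityException(name + " was defined by untrusted jar " + jar
                        + " (sha256 " + digest + ")");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        verify(); // call this from the application's earliest initialization hook
        System.out.println("all critical classes come from allow-listed jars");
    }
}
```

Two caveats a reviewer would raise. First, the checker itself lives on the same classpath and can be shadowed by exactly the trick the question describes, so the root of trust has to sit outside the patchable area: either a minimal launcher that runs this check from a location the admin cannot write (which is what the file-permission advice in the answer above achieves at the container level), or a parent class loader that refuses to define classes from jars outside the allow-list. Second, the digest comparison assumes the classes really are served from jar files; an exploded deployment reports a directory as the code source, and this example deliberately treats that as untrusted rather than trying to hash a directory tree.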