Is putting external jars in the JAVA_HOME/lib/ext directory a bad thing?

Question

We have an application which runs in a JRE environment. The application uses some external jars and we have been putting them in the JAVA_HOME/lib/ext folder. This has worked for us for years but recently a new programmer joined our team and seems emphatic that this is some how a bad thing to do. I can't understand why and I'm trying to do some research before I dig further with this developer. Is there something I'm missing here?

Answer 1

Yes - it's a bad thing. Think about it: the application depends on the JRE and some extra jars. What if you update the JRE? Then you have to remember to copy the files into the new JRE. What if you need to set up the application on a new system? You have to copy the application there, and then also remember to copy the external jars into the JRE on that system.

Both those issues wouldn't be an issue at all if you just package the application properly together with the external jars it needs. If you don't see this, then maybe it's not an issue at all. But you should still be grateful for the new guy for sharing his opinion.

Answer 2

In addition to the answer by weiji (packaging and upgrades to new JVM versions), there are other risks.

If you are using security manager in any of your applications, the libraries in ext often have a lot more capability by default - they are treated much like the system libraries. You need to be sure that you can trust, in the sense of enforcing security rules, these classes. Did the authors think through what they were exposing correctly? If these classes do not use access control to change the security context then you don't need to worry about this but do you know if they do or do not (e.g. a method that provides access to a file and uses AccessController, does it ensure that the caller has the right file permissions?)

Can all your applications use the exact same version of the library? What happens when you need to update that library (not just the JVM)? Will you break any of your applications? You will need to retest everything. The libraries in ext are loaded by the extension class loader which, due to parent delegation, has higher precedence than the normal (i.e. CLASSPATH) loader so these are guaranteed to be used by your application and there is no way for an individual application to override the library in ext with a different version.

If you want to share the libraries across your applications, why not instead provide a separate folder of common libraries that applications can be individually configured (CLASSPATH) to reference. Then if you have problems with one application and a library, you can switch to a different version of the libraries or just for that one, put it earlier in the CLASSPATH (if that works, you must test this too as there may be other dependency issues). This will allow you to have more individual control for each application. But then, bundling all the required libraries with your application is the safest as you can retest and roll-out library upgrades to individual applications.