views:

58

answers:

2

I am writing a container framework that can dynamically deploy a Jar file containing user developed classes in the container, and then using a web interface execute certain classes from the Jar file.

Everything else is well set, including the validations. However, a requirement is to only allow access to certain JDK and other library classes from the user developed class. Clearly, this is due to the fact that the container will need an assurance that someone (intentionally or otherwise) ends up running a piece of Java code that results in a "bad" behavior.

Generally, I find stuff on Google on almost all topics. In this case, I just could not :(

+2  A: 

Note that a custom classloader is not enough against a malicious person - he/she can access a parent classloader and load the restricted classes through it. In addition to a custom classloader, you should set a security manager and revoke the getClassLoader permission (and, perhaps, some other permissions too).

axtavt
Some pseudo-code maybe?
Chris Kaminski