Logic (if any) behind Google App Engine excluding standard JDK 1.6 APIs

Question

It looks like GAE has chosen a subset of JDK 1.6 classes, as per:

Google App Engine JDK white list

which is very unfortunate as one gets class linkage errors all over the place with most common java libraries that deal with data binding, reflection, class loading and annotations. Although some omissions may be for deprecated or legacy things, there are others that are not. My specific concern is with streaming pull parsers (javax.xml.stream.*) which was just added to JDK 1.6 after a long delay (API was finalized at about same time as JDK 1.4). Omitting this makes it harder to do scalable high-performance xml processing.

Problem as I understand is that not only are classes missing, but they can not even be added because of security constraints.

So: this is an open-ended philosophical question that probably just GAE devs could answer for sure but... why are some APIs dropped from standard JDK 1.6, seemingly arbitrarily?

UPDATE:

Quick note: thanks for answers. For what it's worth I really do not see how security would have anything to do with not including javax.xml.stream. Security aspects are relevant for great many other things (and I don't need threads, for example, and can see why they are out), so it's understandable boilerplate answer; just not applicable for this one.

Stax API is just a set of interfaces and abstract for crying out loud. But more importantly, it has exactly the same ramifications as including SAX, DOM and JAXP interfaces -- which are included already!

But it looks like this issue has been brought to attention of google devs:

discussion on whitelisting Stax API

so here's hoping that this and similar issues can be resolved swiftly.

Answer 1

It's extremely doubtful that these things were dropped arbitrarily. GAE runs in an extremely security-sensitive environment, and the chances are good that an internal audit of the class libraries found some risks that Google was not willing to take.

Answer 2

GAE is run in a hosted environment with untrusted (and potentially malicious) clients, who often are given access for free.

In that type of environment, security is a very high concern, and APIs which have filesystem access get very heavy scrutiny. I think thats why they've chosen to start pretty conservatively in terms of what they allow.

It wouldn't surprise me at all if more classes find their way into the whitelist as security issues are addressed (and based on demand), though.

But I wouldn't even expect to get threading tools available, eg.

Answer 3

As for your high-performance streaming XML parsers, you could try to find an appropriate library (jar file). Unless it relies on threads or file access (or black-listed API), it should work just as well as the one in the JDK.

There are a lot of (rather complex) libraries that work on GAE.