Reputation: 412
I was exploring Java classloaders when I came across the SecureClassLoader.
After reviewing its source code and reading some articles, I realized that I am not able to understand its secure feature and its scope of use.
Could anyone explain what the SecureClassLoader is used for?
Why is it "secure"?
Thank you.
Upvotes: 1
Views: 2589
Reputation: 33936
The Java security model is based on classes having specific permissions.
When some method attempts to perform a privileged action (for example, open a file on the file system or open a network socket), each class on the call stack is checked to determine if it has the appropriate permissions.
Permissions are granted to classes in one of two ways:
In both cases, the permissions are granted via the ProtectionDomain passed to ClassLoader.defineClass. A ProtectionDomain has two pieces: the permissions statically granted to the class, and the "code source" (the location where the classes are loaded from, typically a JAR or directory) or "code signers" (classes guaranteed to have come from a specific source). The code source (or signers) is dynamically matched against the current security policy to determine if additional permissions should be granted (for example, "classes loaded from this specific JAR can read files from this specific directory") if the class loader creates a protection domain that allows a dynamic security policy.
SecureClassLoader has a utility defineClass method that takes a CodeSource, and it maintains a cache of lazily created ProtectionDomain for each CodeSource (allowing your subclass to override getPermissions if you want to define static permissions) so that your ClassLoader only has to remember CodeSource rather than ProtectionDomain. In practice, most ClassLoader implementations have a predefined classpath, so they can easily create and store the ProtectionDomain themselves, so the class itself isn't particularly useful.
Upvotes: 5
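The mechanism described in the answer above, as an added example that is not part of the original answer: a SecureClassLoader subclass that remembers only a CodeSource, overrides getPermissions to grant a static permission, and defines two classes so the shared, cached ProtectionDomain can be inspected. The names SecureLoaderDemo, DemoLoader, A and B, the JAR location and the granted permission are all constructed for illustration.

```java
import java.io.InputStream;
import java.net.URI;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class SecureLoaderDemo {
    static class A {}   // two trivial classes to define from the same CodeSource
    static class B {}

    // Hypothetical loader: it keeps a CodeSource and never builds a ProtectionDomain itself.
    static class DemoLoader extends SecureClassLoader {
        private final CodeSource source;

        DemoLoader(CodeSource source) {
            super(SecureLoaderDemo.class.getClassLoader());
            this.source = source;
        }

        // Static permissions: SecureClassLoader calls this when it creates the domain for a CodeSource.
        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            PermissionCollection perms = super.getPermissions(cs);
            perms.add(new PropertyPermission("user.name", "read")); // illustrative grant
            return perms;
        }

        // Re-defines an already compiled class in this loader, reusing its bytes from the classpath.
        Class<?> define(Class<?> template) throws Exception {
            String res = template.getName().replace('.', '/') + ".class";
            try (InputStream in = template.getClassLoader().getResourceAsStream(res)) {
                byte[] bytes = in.readAllBytes();
                // The CodeSource overload of defineClass maps the CodeSource to a cached ProtectionDomain.
                return defineClass(template.getName(), bytes, 0, bytes.length, source);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed location; it only labels the code and nothing is read from it.
        CodeSource cs = new CodeSource(URI.create("file:/opt/demo/plugin.jar").toURL(), (Certificate[]) null);
        DemoLoader loader = new DemoLoader(cs);
        ProtectionDomain a = loader.define(A.class).getProtectionDomain();
        ProtectionDomain b = loader.define(B.class).getProtectionDomain();
        System.out.println("code source:  " + a.getCodeSource().getLocation());
        System.out.println("same domain:  " + (a == b));
        System.out.println("static perms: " + a.getPermissions());
    }
}
```

Comparing the two domains by identity shows the per-CodeSource cache at work, and the printed permissions are the static ones returned by getPermissions, before any policy matching on the code source.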
Reputation: 1458
From http://www.securingjava.com/chapter-two/chapter-two-7.html:
Secure Class Loaders allow classes to be loaded only from those directories specified in Java's java.app.class.path property. Secure Class Loaders can only be used by classes found in the java.security package and are extensively used by the Java 2 access control mechanisms.
So it's secure because it cannot load classes from any origin but only from restricted directories.
Upvotes: 1