Hi Chris, thanks for the interest - of course I'll give you an example. Surprisingly it is not java.lang.Object that I'm trying to hide but the stax api in java 6. I need to do so because of the notorious fault in the XMLOutputFactory#newInstance(String, ClassLoader). Therefore I'm using using stax-api 1.0.1 that is available through the equinox my catalina lives in (mentioned in my first post). I also have a woodstox implementation as a bundle. The situation is the following - a web application tries to obtain a factory instance through the api. The XMLOutputFactory class is loaded through the webapp class loader from the system class loader. The woodstox implementation is found (as osgi bundle) and it is instantiated. When the com.ctc.wstx.stax.WstxInputFactory / WstxOutputFactory class is loaded from the osgi bundle class loader it has been identified correctly as implementing the XMLInput/OutputFactory loaded from the stax-api bundle again in the osgi. Thus I end up with the following exception in my web application:
"java.lang.ClassCastException: com.ctc.wstx.stax.WstxInputFactory cannot be cast to javax.xml.stream.XMLInputFactory" The thing is that osgi runtime in which the catalina lives complicates the class loading a bit. Note that this black voodoo magic for configuring restricted system packages is not something I've invented - I just saw there is such thing in jetty and was extremely happy to see it could be implemented with little effort in tomcat as well. Best regards, Stefan On Thu, Aug 26, 2010 at 8:28 PM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Chefo, > > On 8/26/2010 11:24 AM, Chefo wrote: > > What bothers me in the WebappClassLoader is the fact that before it > checks > > its repositories (lib folder and classes) and asks its parent class > loader, > > it will first attempt to load a class from the system class loader - from > > the jvm. > > That's supposed to be how it's done: webapps aren't supposed to be able > to subvert the JVM by loading their own definitions for, say, > java.lang.Object. > > > I want to prevent that for certain packages and I > > want it to be configurable for each web application. > > Can you give me an example of when this would be a good idea? > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkx2pEMACgkQ9CaO5/Lv0PCQiQCgrrlP1MmzO7zfg+db81i+h82D > 4eAAn3I5g/Vb1JPpaC24jzfGLNhqMwT7 > =uIHX > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >