The FireWallClassLoader is a classloader that can block request from going up
in the classloader hierarchy.
Normally, when a classloader receives a request for a resource, it will
consult its parent class loader first for that resource. The parent class
loader is typically the System ClassLoader. If the parent class loader cannot
provide the requested resource, the child class loader will be consulted for
the request. Note: the parent class loader must not be confused by the
superclass of a certain class loader (e.g. SecureClassLoader). The parent
classloader is identified at constuction time and passed in as an constructor
argument.
Consulting the parent classloader first can be inconvenient for certain
applications that want guarantees about which classloader is used to load a
certain class. This could be because you want to be certain about where the
resource came from, or you want to protect yourself against (other versions)
of the same class that could be served by the System ClassLoader (e.g.
because someone put them on the classpath or in the extensions directory).
For these cases, the FireWallClassLoader can be used.
System ClassLoader | FireWallClassLoader | User's ClassLoader
The FireWallClassLoader is placed between the user's class loader and the
parent class loader. It has a set of filters that define what classes are
allowed to go through. These filters describe (a groups of) packages, or a
specific classes or resources that are allowed through to the parent
classloader. Take as example this filter set:
["com.iona.", "javax.servlet.jsp."]
This will allow requests to any class/resource staring with com.iona. or
javax.servlet.jsp. through to the parent classloader and block all other
requests.
A very common set of filters would be a set that allows nothing through
except the classes used by the JDK. The
JDKFireWallClassLoaderFactoryfactory class can create such FireWallClassLoader.
The FireWallClassLoader does not load any classes.