image.png

Long

伪装的java.lang.Long

  1. package java.lang;
  3. public class Long {
  5.     static {
  6.         System.out.println("I am bad Long.");
  7.     }
  9.     public Long(long value) {
  10.     }
  11. }

LongDemo

  1. package com.javabook.classloader.java.lang.security;
  4. /**
  5.  * @author Summer Lu
  6.  * @email gmluyang@gmail.com
  7.  * @date 2014-8-25
  8.  *
  9.  */
  10. public class LongDemo {
  12.     /**
  13.      * @param args
  14.      */
  15.     public static void main(String[] args) {
  17.         // 实际上代码无法加载这个伪装的Long,最终得到的还是JDK API中提供的Long
  18.         // 类加载器通过双亲委托模式,最终使用启动类加载器得到JDK API中提供的Long
  19.         Long badLong = new Long(1);
  20.         System.out.println("ClassLoader:" + badLong.getClass().getClassLoader());
  21.     }
  22. }

LongDemo Console

  1. ClassLoader:null

Virus

伪装成java.lang下的类

  1. package java.lang;
  3. public class Virus {
  5.     public void whoAmI() {        
  6.         System.out.println("I am " + this.getClass() + 
  7.         ", load by [" + this.getClass().getClassLoader() + "]");
  8.     }
  9. }

VirusDemo

  1. package com.javabook.classloader.java.lang.security;
  4. /**
  5.  * @author Summer Lu
  6.  * @email gmluyang@gmail.com
  7.  * @date 2014-8-25
  8.  *
  9.  */
  10. public class VirusDemo {
  12.     /**
  13.      * @param args
  14.      */
  15.     public static void main(String[] args) {
  17.         // 和伪装的java.lang.Long不同,启动类加载器不能在JDK API中找到到Virus这个类
  18.         // ClassLoader.preDefineClass方法通过判断包路径来决定是否加载或抛出安全异常
  19.         // 当启动类加载器无法在java.*包路径中找以java作为包名的类则抛出安全异常
  20.         Virus virus = new Virus();
  21.         virus.whoAmI();
  22.     }
  23. }

VirusDemo Console

  1. Exception in thread "main" java.lang.SecurityException: Prohibited package name: java.lang
  2.     at java.lang.ClassLoader.preDefineClass(ClassLoader.java:655)
  3.     at java.lang.ClassLoader.defineClass(ClassLoader.java:754)
  4.     at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
  5.     at java.net.URLClassLoader.defineClass(URLClassLoader.java:468)
  6.     at java.net.URLClassLoader.access$100(URLClassLoader.java:74)
  7.     at java.net.URLClassLoader$1.run(URLClassLoader.java:369)
  8.     at java.net.URLClassLoader$1.run(URLClassLoader.java:363)
  9.     at java.security.AccessController.doPrivileged(Native Method)
  10.     at java.net.URLClassLoader.findClass(URLClassLoader.java:362)
  11.     at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
  12.     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355)
  13.     at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
  14.     at com.javabook.classloader.java.lang.security.VirusDemo.main(VirusDemo.java:20)