EJB Programming restrictions
posted 12 years ago
As stated in section 24.1.2 of the EJB 2.0 spec (p. 496), allowing an enterprise bean to define a class in a package would create a security hole. Note that the word "define" must be taken in the sense of the Classloader.define() method, in which a byte array representing a class can be passed as an argument, and this action would result in the loading of a class into the JVM. Imagine what could happen if a bean could do that. Since there is no way to trust Bean Providers 100%, the spec makes sure that such things as custom class loading should (must) not happen in order to ensure the integrity of the application server.