• Post Reply Bookmark Topic Watch Topic
  • New Topic

classes in java.lang package  RSS feed

Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Fully realizing it is a security violation to try
and execute a class from the java.* package not written by the folks at java, I am trying to understand how/why java run time throws a
SecurityException when I attempt to load a class written by me as part of the java.lang package.
Consider the following class, part of the java.lang package:
package java.lang;
public class X {
public static void main(String a[]) {
When I attempt to execute this I get:
Exception in thread "main" java.lang.SecurityException: Prohibited
package name: java at java.lang.ClassLoader.defineClass(Unknown Source) at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$1(Unknown Source) at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClassInternal(Unknown Source)
When I disassemble the class, I see:
javap -c java.lang.X
Compiled from X.java
public class java.lang.X extends java.lang.Object {
public java.lang.X();
public static void main(java.lang.String[]);
But when I disassemble a class from the "official" java.lang package I see:
javap -c java.lang.System
No sourcepublic final class java.lang.System extends java.lang.Object {
Some questions:
1) How does java runtime detect the difference between my class and an "official" class that is part of java.lang?
2) Why does java runtime enforce this SecurityException?
3) Why isn't this enforced for the javax package?
4) What's the "No sourcepublic" all about in the output from javap?
Ranch Hand
Posts: 1873
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
i guess i can try answering the second question.
the reason java.lang package declared by you is not allowed is security. if you are able to create such a package then you can basically make your class behave as a part of java.lang package provided by JVM right? and you can access all the classes with your package level access rights and spoof the functionality of the standard api classes which might have a malicious code. to prevent this they don't allow any package names that are part of API.
javax packages might be allowed as they are java extensions...
others please thro more light...
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!