com.sun.enterprise.loader.ASURLClassLoader Maven / Gradle / Ivy
* Copyright (c) 2022, 2024 Contributors to the Eclipse Foundation
* Copyright (c) 2006, 2021 Oracle and/or its affiliates. All rights reserved.
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
package com.sun.enterprise.loader;
import com.sun.appserv.server.util.PreprocessorUtil;
import com.sun.enterprise.security.integration.PermsHolder;
import com.sun.enterprise.util.CULoggerInfo;
import com.sun.enterprise.util.i18n.StringManager;
import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.IllegalClassFormatException;
import java.net.JarURLConnection;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.PermissionCollection;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.concurrent.ConcurrentHashMap;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.zip.ZipEntry;
import org.glassfish.api.deployment.InstrumentableClassLoader;
import org.glassfish.common.util.GlassfishUrlClassLoader;
import org.glassfish.hk2.api.PreDestroy;
import static java.util.logging.Level.INFO;
* Class loader used by the ejbs of an application or stand-alone module.
* This class loader also keeps cache of not found classes and resources.
* @author Nazrul Islam
* @author Kenneth Saks
* @author Sivakumar Thyagarajan
* @since JDK 1.4
public class ASURLClassLoader extends GlassfishUrlClassLoader implements JasperAdapter, InstrumentableClassLoader, PreDestroy {
/** logger for this class */
private static final Logger _logger = CULoggerInfo.getLogger();
* list of url entries of this class loader. Using LinkedHashSet instead of original ArrayList
* for faster search.
private final Set urlSet = Collections.synchronizedSet(new LinkedHashSet<>());
/** cache of not found resources */
private final Map notFoundResources = new ConcurrentHashMap<>();
/** cache of not found classes */
private final Map notFoundClasses = new ConcurrentHashMap<>();
* State flag to track whether this instance has been shut off.
* Note: 'volatile' *does not by itself eliminate a race condition* similar
* to null-check idiom bug.
private volatile boolean doneCalled;
* snapshot of classloader state at the time done was called.
* Must be 'volatile'; not all access is within 'synchronized' eg it is used in toString().
private volatile String doneSnapshot;
private final ArrayList transformers = new ArrayList<>(1);
private final static StringManager sm = StringManager.getManager(ASURLClassLoader.class);
//holder for declared and ee permissions
private final PermsHolder permissionsHolder;
* Constructor.
public ASURLClassLoader() {
super(new URL[0]);
permissionsHolder = new PermsHolder();
_logger.log(Level.FINE, "ClassLoader: {0} is getting created.", this);
* Constructor.
* @param parent parent class loader
public ASURLClassLoader(ClassLoader parent) {
super(new URL[0], parent);
permissionsHolder = new PermsHolder();
public boolean isClosed() {
// method need not by 'synchronized' because 'doneCalled' is 'volatile'.
return doneCalled;
public void preDestroy() {
try {
} catch (IOException ioe) {
_logger.log(Level.SEVERE, "Could not close the classloader " + this, ioe);
* This method should be called to free up the resources.
* It helps garbage collection.
* Must be synchronized for:
* - visibility of variables
- race condition while checking 'doneCalled'
- only one caller should close the zip files,
- done should occur only once and set the flag when done.
- should not return 'true' when a previous thread might still
* be in the process of executing the method.
public void close() throws IOException {
// This works because 'doneCalled' is 'volatile'
if (doneCalled) {
// the above optimized check for 'doneCalled=true' is a race condition.
// The lock must now be acquired, and 'doneCalled' rechecked.
synchronized (this) {
if (doneCalled) {
// Capture the fact that the classloader is now effectively disabled.
// First create a snapshot of our state. This should be called
// before setting doneCalled = true.
doneSnapshot = "ASURLClassLoader.done() called ON " + this
+ "\n AT " + Instant.now() +
" \n BY :" + Arrays.toString(Thread.currentThread().getStackTrace());
// Presumably OK to set this flag now while the rest of the cleanup proceeds,
// because we've taken the snapshot.
doneCalled = true;
// closes the jar handles and sets the url entries to null
for (URLEntry u : this.urlSet) {
if (u.zip != null) {
try {
} catch (IOException ioe) {
_logger.log(INFO, CULoggerInfo.getString(CULoggerInfo.exceptionClosingURLEntry, u.source), ioe);
if (u.table != null) {
u.table = null;
u = null;
// clears out the tables
// Clear all values. Because fields are 'final' (for thread safety), cannot null them
* Adds a URL to the search list, based on the specified File.
* This variant of the method makes sure that the URL is valid, in particular
* encoding special characters (such as blanks) in the file path.
* @param file the File to use in creating the URL
* @throws IOException in case of errors converting the file to a URL
public void appendURL(File file) throws IOException {
try {
} catch (MalformedURLException mue) {
_logger.log(Level.SEVERE, CULoggerInfo.getString(CULoggerInfo.badUrlEntry, file.toURI()), mue);
throw new IOException(mue);
* Appends the specified URL to the list of URLs to search for
* classes and resources.
* @param url the URL to be added to the search path of URLs
public void addURL(URL url) {
* Add an url to the list of urls we search for a class's bytecodes.
* @param url url to be added
public synchronized void appendURL(URL url) {
try {
if (url == null) {
_logger.log(INFO, CULoggerInfo.missingURLEntry);
URLEntry entry = new URLEntry(url);
if (!urlSet.contains(entry)) {
// adds the url entry to the list
if (entry.isJar) {
// checks the manifest if a jar
checkManifest(entry.zip, entry.file);
} else {
_logger.log(Level.FINE, "[ASURLClassLoader] Ignoring duplicate URL: {0}", url);
// Clean up the unused entry or it could hold open a jar file.
if (entry.zip != null) {
try {
} catch (IOException ioe) {
_logger.log(INFO, CULoggerInfo.getString(CULoggerInfo.exceptionClosingDupUrlEntry, url), ioe);
// clears the "not found" cache since we are adding a new url
} catch (IOException ioe) {
_logger.log(Level.SEVERE, CULoggerInfo.getString(CULoggerInfo.badUrlEntry, url), ioe);
* Returns the urls of this class loader.
Method is {@code synchronized} to avoid the thread-unsafe null-check idiom, also
* protects the caller from simultaneous changes while iterating,
* by returning a URL[] (copy) rather than the original. Also protects against
* changes to 'urlSet' while iterating over it.
* @return the urls of this class loader or an empty array
public synchronized URL[] getURLs() {
return urlSet.stream().map(urlEntry -> urlEntry.source).toArray(URL[]::new);
* Returns all the "file" protocol resources of this ASURLClassLoader,
* concatenated to a classpath string.
Notice that this method is called by the setClassPath() method of
* org.apache.catalina.loader.WebappLoader, since this ASURLClassLoader does
* not extend off of URLClassLoader.
* @return Classpath string containing all the "file" protocol resources
* of this ASURLClassLoader
public String getClasspath() {
StringBuilder strBuf = null;
URL[] urls = getURLs();
if (urls != null) {
for (int i = 0; i < urls.length; i++) {
if (urls[i].getProtocol().equals("file")) {
if (strBuf == null) {
strBuf = new StringBuilder();
if (i > 0) {
return strBuf == null ? null : strBuf.toString();
* Refreshes the memory of the class loader. This involves clearing the
* not-found caches and recreating the hash tables for the URLEntries that
* record the files accessible for each.
* Code that creates an ASURLClassLoader and then adds files to a directory
* that is in the loader's classpath should invoke this method after the new
* file(s) have been added in order to update the class loader's data
* structures which optimize class and resource searches.
* @throws IOException in case of errors refreshing the cache
public synchronized void refresh() throws IOException {
public void addTransformer(ClassFileTransformer transformer) {
* Create a new instance of a sibling classloader.
* @return a new instance of a class loader that has the same visibility
* as this class loader
public ClassLoader copy() {
final ASURLClassLoader copyFrom = this;
PrivilegedAction privilegedAction = () -> new DelegatingClassLoader(copyFrom);
return AccessController.doPrivileged(privilegedAction);
* Erases the memory of classes and resources that have been searched for
* but not found.
private void clearNotFoundCaches() {
* Internal implementation of find resource.
* @param res url resource entry
* @param name name of the resource
private URL findResource0(final URLEntry res, final String name) {
PrivilegedAction action = () -> {
if (res.isJar) {
try {
JarEntry jarEntry = res.zip.getJarEntry(name);
if (jarEntry == null) {
return null;
// Use a custom URL with a special stream handler to
// prevent the JDK's JarURLConnection caching from
// locking the jar file until JVM exit.
InternalURLStreamHandler handler = new InternalURLStreamHandler(res, name);
// Create a new sub URL from the resource URL (i.e. res.source). To avoid
// double encoding
// (see https://glassfish.dev.java.net/issues/show_bug.cgi?id=13045)
// use URL constructor instead of first creating a URI and then calling
// toURL().
// If the resource URL is not properly encoded, that's not our problem.
// Whoever has supplied the resource URL is at fault.
URL ret = new URL("jar", null /* host */, -1 /* port */, res.source + "!/" + name, handler);
return ret;
} catch (Throwable thr) {
_logger.log(INFO, CULoggerInfo.exceptionInASURLClassLoader, thr);
} else { // directory
try {
File resourceFile = new File(res.file, name);
if (resourceFile.exists()) {
// If we make it this far,
// the resource is in the directory.
return resourceFile.toURI().toURL();
} catch (IOException e) {
_logger.log(INFO, CULoggerInfo.exceptionInASURLClassLoader, e);
return null;
return AccessController.doPrivileged(action);
public URL findResource(String name) {
// quick that relies on 'doneCalled' being 'volatile'
if (doneCalled) {
_logger.log(Level.WARNING, CULoggerInfo.getString(CULoggerInfo.findResourceAfterDone, name, this),
new Throwable());
return null;
// This code is dubious, because it iterates over items that could
// be changing via another thread. It appears that since 'urlSet' cannot shrink
// that the iteration at least won't go out of bounds. And it's probably OK
// if more than one thread adds the same resource to 'notFoundResources'.
// HOWEVER, there is still a race condition from the check for 'doneCalled' above.
// That's OK for 'notFoundResources', but it could lead to an ArrayIndexOutOfBounds
// exception for 'urlSet', should the set be cleared while looping.
// resource is in the not found list
String nf = notFoundResources.get(name);
if (nf != null && nf.equals(name) ) {
return null;
synchronized(this) {
for (final URLEntry u : this.urlSet) {
if (!u.hasItem(name)) {
final URL url = findResource0(u, name);
if (url != null) {
return url;
// add resource to the not found list
notFoundResources.put(name, name);
return null;
* Returns an enumeration of java.net.URL objects
* representing all the resources with the given name.
* This method is synchronized to avoid
* - race condition checking 'doneCalled',
- changes to contents or length of 'resourcesList' and/or 'notFoundResources' while
* iterating over them,
- thread visibility to all of the above.
public synchronized Enumeration findResources(String name) throws IOException {
if (doneCalled) {
_logger.log(Level.WARNING, CULoggerInfo.doneAlreadyCalled, new Object[] {name, doneSnapshot});
return Collections.emptyEnumeration();
List resourcesList = new ArrayList<>();
// resource is in the not found list
final String nf = notFoundResources.get(name);
if (nf != null && nf.equals(name) ) {
return Collections.emptyEnumeration();
for (URLEntry urlEntry : this.urlSet) {
final URL url = findResource0(urlEntry, name);
if (url != null) {
if (resourcesList.isEmpty()) {
// add resource to the not found list
notFoundResources.put(name, name);
return Collections.enumeration(resourcesList);
* Checks the manifest of the given jar file.
* @param jar the jar file that may contain manifest class path
* @param file file pointer to the jar
* @throws IOException if an i/o error
private void checkManifest(JarFile jar, File file) throws IOException {
if (jar == null || file == null) {
Manifest man = jar.getManifest();
if (man == null) {
synchronized (this) {
String cp = man.getMainAttributes().getValue(Attributes.Name.CLASS_PATH);
if (cp == null) {
StringTokenizer st = new StringTokenizer(cp, " ");
while (st.hasMoreTokens()) {
final String entry = st.nextToken();
final File newFile = new File(file.getParentFile(), entry);
// add to class path of this class loader
try {
} catch (MalformedURLException ex) {
_logger.log(Level.SEVERE, CULoggerInfo.exceptionInASURLClassLoader, ex);
* Internal implementation of load class.
* @param res url resource entry
* @param entryName name of the class
private byte[] loadClassData0(final URLEntry res, final String entryName) {
PrivilegedAction action = () -> {
InputStream classStream = null;
try {
if (res.isJar) { // It is a jarfile.
JarFile zip = res.zip;
JarEntry entry = zip.getJarEntry(entryName);
if (entry != null) {
classStream = zip.getInputStream(entry);
byte[] classData1 = getClassData(classStream);
res.setProtectionDomain(ASURLClassLoader.this, entry.getCertificates());
return classData1;
} else { // Its a directory....
File classFile = new File (res.file, entryName.replace('/', File.separatorChar));
if (classFile.exists()) {
try {
classStream = new FileInputStream(classFile);
byte[] classData2 = getClassData(classStream);
res.setProtectionDomain(ASURLClassLoader.this, null);
return classData2;
} finally {
* Close the stream only if this is a directory. The stream for
* a jar/zip file was opened elsewhere and should remain open after this
* method completes.
if (classStream != null) {
try {
} catch (IOException closeIOE) {
_logger.log(INFO, "loader.excep_in_asurlclassloader", closeIOE);
} catch (IOException ioe) {
_logger.log(INFO, CULoggerInfo.exceptionInASURLClassLoader, ioe);
return null;
return AccessController.doPrivileged(action);
protected PermissionCollection getPermissions(CodeSource codeSource) {
PermissionCollection cachedPc = permissionsHolder.getCachedPerms(codeSource);
if (cachedPc != null) {
return cachedPc;
return permissionsHolder.getPermissions(codeSource, super.getPermissions(codeSource));
* THREAD SAFETY: what happens when more than one thread requests the same class
* and thus works on the same classData? Or defines the same package? Maybe
* the same work just gets done twice, and that's all.
* CAUTION: this method might be overridden, and subclasses must be cautious (also)
* about thread safety.
protected Class> findClass(String name) throws ClassNotFoundException {
ClassData classData = findClassData(name);
// Instruments the classes if the profiler's enabled
if (PreprocessorUtil.isPreprocessorEnabled()) {
// search through the JARs for a file of the form java/lang/Object.class
final String entryName = name.replace('.', '/') + ".class";
classData.setClassBytes(PreprocessorUtil.processClass(entryName, classData.getClassBytes()));
// Define package information if necessary
int lastPackageSep = name.lastIndexOf('.');
if (lastPackageSep != -1) {
String packageName = name.substring(0, lastPackageSep);
if (getDefinedPackage(packageName) == null) {
try {
// There's a small chance that one of our parents
// could define the same package after getPackage
// returns null but before we call definePackage,
// since the parent classloader instances
// are not locked. So, just catch the exception
// that is thrown in that case and ignore it.
// It's unclear where we would get the info to
// set all spec and impl data for the package,
// so just use null. This is consistent will the
// JDK code that does the same.
definePackage(packageName, null, null, null, null, null, null, null);
} catch (IllegalArgumentException iae) {
// duplicate attempt to define same package.
// safe to ignore.
_logger.log(Level.FINE, "duplicate package " + "definition attempt for " + packageName, iae);
// Loop though the transformers here!!
try {
final List xformers = (ArrayList) transformers.clone();
if (!xformers.isEmpty()) {
for (final ClassFileTransformer transformer : xformers) {
// see javadocs of transform().
// It expects class name as java/lang/Object
// as opposed to java.lang.Object
final String internalClassName = name.replace('.', '/');
final byte[] transformedBytes = transformer.transform(this, internalClassName, null,
classData.pd, classData.getClassBytes());
if (transformedBytes != null) { // null indicates no transformation
_logger.log(Level.FINE, CULoggerInfo.actuallyTransformed, name);
} catch (IllegalClassFormatException icfEx) {
throw new ClassNotFoundException(icfEx.toString(), icfEx);
try {
byte[] bytes = classData.getClassBytes();
return defineClass(name, bytes, 0, bytes.length, classData.pd);
} catch (UnsupportedClassVersionError ucve) {
throw new UnsupportedClassVersionError(
sm.getString("ejbClassLoader.unsupportedVersion", name, System.getProperty("java.version")));
* This method is responsible for locating the url from the class bytes
* have to be read and reading the bytes. It does not actually define
* the Class object.
* To preclude a race condition on checking 'doneCalled', as well as transient errors
* if done() is called while running, this method is 'synchronized'.
* @param name class name in java.lang.Object format
* @return class bytes as well protection domain information
* @throws ClassNotFoundException
private synchronized ClassData findClassData(String name) throws ClassNotFoundException {
if (doneCalled) {
ClassNotFoundException exception = new ClassNotFoundException(name);
_logger.log(Level.WARNING, CULoggerInfo.getString(CULoggerInfo.findClassAfterDone, name, this), exception);
throw exception;
String nf = notFoundClasses.get(name);
if (nf != null && nf.equals(name) ) {
throw new ClassNotFoundException(name);
// search through the JARs for a file of the form java/lang/Object.class
String entryName = name.replace('.', '/') + ".class";
for (URLEntry u : this.urlSet) {
if (!u.hasItem(entryName)) {
byte[] result = loadClassData0(u, entryName);
if (result != null) {
if (System.getSecurityManager() == null) {
return new ClassData(result, u.pd);
//recreate the pd to include the declared permissions
CodeSource cs = u.pd.getCodeSource();
PermissionCollection pc = this.getPermissions(cs);
ProtectionDomain pdWithPemissions =
new ProtectionDomain(u.pd.getCodeSource(), pc, u.pd.getClassLoader(), u.pd.getPrincipals());
return new ClassData(result, pdWithPemissions);
// add to the not found classes list
notFoundClasses.put(name, name);
throw new ClassNotFoundException(name);
* Returns the byte array from the given input stream.
* @param istream input stream to the class or resource
* @throws IOException if an i/o error
private byte[] getClassData(InputStream istream) throws IOException {
int num;
byte[] buf = new byte[4096];
try(BufferedInputStream bstream = new BufferedInputStream(istream);
ByteArrayOutputStream bout = new ByteArrayOutputStream()) {
while( (num = bstream.read(buf)) != -1) {
bout.write(buf, 0, num);
return bout.toByteArray();
protected String getClassLoaderName() {
return "ASURLClassLoader";
* Returns a string representation of this class loader
public String toString() {
StringBuilder buffer = new StringBuilder();
buffer.append(getClassLoaderName()).append(" :\n");
if (doneCalled) {
buffer.append("doneCalled = true").append('\n');
buffer.append("doneSnapshot = ").append(doneSnapshot);
} else {
buffer.append("urlSet = ").append(this.urlSet).append('\n');
buffer.append("doneCalled = false").append('\n');
buffer.append(" Parent -> ").append(getParent()).append('\n');
return buffer.toString();
public Enumeration getResources(String name) throws IOException {
final ResourceLocator locator = new ResourceLocator(this, getParentClassLoader(), true);
return locator.getResources(name);
private ClassLoader getParentClassLoader() {
final ClassLoader parent = getParent();
if (parent == null) {
return getSystemClassLoader();
return parent;
* The JarFile objects loaded in the classloader may get exposed to the
* application code (e.g. EJBs) through calls of
* ((JarURLConnection) getResource().openConnection()).getJarFile().
* This class protects the jar file from being closed by such an application.
* @author fkieviet
private static final class ProtectedJarFile extends JarFile {
* Constructor
* @param file File
* @throws IOException from parent
public ProtectedJarFile(File file) throws IOException {
super(file, true, OPEN_READ, Runtime.version());
* Do nothing
* @see java.util.zip.ZipFile#close()
* Byron sez: I wonder what's going on here?!? This looks quite weird.
* Why not just get rid of both reallyClose() and close() and finalize()
* -- and just rely on the superclass?
* At any rate I am not messing with it today, 1/9/2013. Mainly because
* maybe close() is called outside and we do NOT want it to really close?
* Here is what happens at finalize time:
* 1. ASURLClassLoader$ProtectedJarFile.finalize()
* 2. java.util.zip.ZipFile.finalize()
* 3. ASURLClassLoader$ProtectedJarFile.close()
* 4. dumps a WARNING log message
* 5. reallyClose()
* 6. java.util.zip.ZipFile.close()
* I
public void close() {
// do nothing
* Really close the jar file
* @throws IOException from parent
public void reallyClose() throws IOException {
* @see java.lang.Object#finalize()
@Deprecated(since = "6.1.0", forRemoval = true)
protected void finalize() throws IOException {
try {
} catch (Throwable t) {
throw new IOException(t);
* URL entry - keeps track of the url resources.
protected static final class URLEntry {
/** the url, ensure thread visibility by making it 'final' */
final URL source;
* file of the url,
* ensure thread visibility by making it 'volatile'
volatile File file = null;
* jar file if url is a jar else null,
* ensure thread visibility by making it 'volatile'
volatile ProtectedJarFile zip = null;
* true if url is a jar,
* ensure thread visibility by making it 'volatile'
volatile boolean isJar = false;
/** ensure thread visibility by making it 'volatile' */
volatile HashMap table = null;
* ProtectionDomain with signers if jar is signed,
* ensure thread visibility by making it 'volatile'
volatile ProtectionDomain pd = null;
public URLEntry(URL url) throws IOException {
source = url;
private void init() throws IOException {
try {
file = new File(source.toURI());
} catch (URISyntaxException use) {
throw new IOException(use);
isJar = file.isFile();
if (isJar) {
zip = new ProtectedJarFile(file);
table = new HashMap<>();
private void fillTable(File f, HashMap t, String parent) throws IOException {
String localName = parent.isEmpty() ? "" : parent + "/";
File[] children = f.listFiles();
for (File child : children) {
processFile(child, t, localName);
* Adds a file (or, if a directory, the directory's contents) to the table
* of files this loader knows about.
* Invokes fillTable for subdirectories which in turn invokes processFile
* recursively.
* @param fileToProcess the File to be processed
* @param t the HashMap that holds the files the loader knows about
* @param parentLocalName prefix to be used for the full path; should be
* non-empty only for recursive invocations
* @throws IOException in case of errors working with the fileToProcess
private void processFile(File fileToProcess, HashMap t, String parentLocalName) throws IOException {
String key = parentLocalName + fileToProcess.getName();
if (fileToProcess.isFile()) {
t.put(key, key);
} else if (fileToProcess.isDirectory()) {
fillTable(fileToProcess, t, key);
private boolean hasItem(String item) {
// in the case of ejbc stub compilation, ASURLClassLoader is created before stubs
// gets generated, thus we need to return true for this case.
if (table.isEmpty()) {
return true;
* Even with the previous special handling, a file could be created
* in a directory after the loader was created and its table of
* URLEntry names populated. So check the table first and, if
* the target item is not there and this URLEntry is for a directory, look for
* the file. If the file is now present but was not when the loader
* was created, add an entry for the file in the table.
boolean result;
String target = item;
// special handling
if (item.startsWith("./")) {
target = item.substring(2);
result = table.containsKey(target);
if ( ! result && ! isJar) {
* If the file exists now then it has been added to the directory since the
* loader was created. Add it to the table of files we
* know about.
File targetFile = privilegedCheckForFile(target);
if (targetFile != null) {
try {
processFile(targetFile, table, "");
result = true;
} catch (IOException ioe) {
CULoggerInfo.getString(CULoggerInfo.exceptionProcessingFile, target, file.getAbsolutePath()),
return false;
return result;
* Returns a File object for the requested path within the URLEntry.
* Runs privileged because user code could trigger invocations of this method.
* @param targetPath the relative path to look for
* @return File object for the requested file; null if it does not exist or
* in case of error
private File privilegedCheckForFile(final String targetPath) {
* Check for the file existence with privs, because this code can
* be invoked from user code which may not otherwise have access
* to the directories of interest.
try {
PrivilegedExceptionAction action = () -> {
File targetFile = new File(file, targetPath);
if (!targetFile.exists()) {
targetFile = null;
return targetFile;
return AccessController.doPrivileged(action);
} catch (PrivilegedActionException pae) {
*Log any exception and return false.
CULoggerInfo.getString(CULoggerInfo.exceptionCheckingFile, targetPath, file.getAbsolutePath()),
return null;
* Sets ProtectionDomain with CodeSource including Signers in
* Entry for use in call to defineClass.
* @param signers the array of signer certs or null
public void setProtectionDomain (ClassLoader ejbClassLoader, Certificate[] signers) throws MalformedURLException {
if (pd == null) {
pd = new ProtectionDomain(new CodeSource(file.toURL(),signers),null, ejbClassLoader, null );
public String toString() {
return "URLEntry : " + source;
* Returns true if two URL entries has equal URLs.
* @param obj URLEntry to compare against
* @return true if both entry has equal URL
public boolean equals(Object obj) {
if (obj instanceof URLEntry) {
URLEntry e = (URLEntry) obj;
try {
// try comparing URIs
if (source.toURI().equals(e.source.toURI())) {
return true;
} catch (URISyntaxException e1) {
// We should never get here, because we call init() in the constructor and
// init() would have thrown an exception if the URL could not be converted to a
// valid URI.
throw new RuntimeException(e1);
return false;
* Since equals is overridden, we need to override hashCode as well.
public int hashCode() {
try {
return source.toURI().hashCode();
} catch (URISyntaxException e) {
// We should never get here, because we call init() in the constructor and
// init() would have thrown an exception if the URL could not be converted to a
// valid URI.
throw new RuntimeException(e);
* To properly close streams obtained through URL.getResource().getStream():
* this opens the input stream on a JarFile that is already open as part
* of the classloader, and returns a sentinel stream on it.
* @author fkieviet
private class InternalJarURLConnection extends JarURLConnection {
private final URLEntry mRes;
private final String mName;
* Constructor
* @param url the URL that is a stream for
* @param res URLEntry
* @param name String
* @throws MalformedURLException from super class
public InternalJarURLConnection(URL url, URLEntry res, String name)
throws MalformedURLException {
mRes = res;
mName = name;
* @see java.net.JarURLConnection#getJarFile()
public JarFile getJarFile() throws IOException {
return mRes.zip;
* @see java.net.URLConnection#connect()
public void connect() throws IOException {
// Nothing
* @see java.net.URLConnection#getInputStream()
public InputStream getInputStream() throws IOException {
// When there is no entry name specified (this can happen for url like jar:file:///tmp/foo.jar!/),
// we must throw an IOException as that's the behavior of JarURLConnection as well.
if (mName == null || mName.isEmpty()) {
throw new IOException("no entry name specified");
ZipEntry entry = mRes.zip.getEntry(mName);
if (entry == null) {
throw new IOException("no entry called " + mName + " found in " + mRes.source);
return mRes.zip.getInputStream(entry);
* To properly close streams obtained through URL.getResource().getStream():
* an instance of this class is instantiated for each and every URL object
* created by this classloader. It provides a custom JarURLConnection
* (InternalJarURLConnection) so that the stream can be obtained from an already
* open jar file.
* @author fkieviet
private class InternalURLStreamHandler extends URLStreamHandler {
/** must be 'volatile' for thread visibility */
private volatile URL mURL;
private final URLEntry mRes;
* Constructor
* @param res URLEntry
* @param name String
public InternalURLStreamHandler(URLEntry res, String name) {
mRes = res;
* @see java.net.URLStreamHandler#openConnection(java.net.URL)
protected URLConnection openConnection(final URL u) throws IOException {
String path = u.getPath();
int separator = path.lastIndexOf('!');
assert (separator != -1); // we deal with jar urls only
try {
URI jarFileURI = new URI(path.substring(0, separator));
if (!jarFileURI.equals(mRes.file.toURI())) {
throw new IOException("Cannot open a foreign URL; this.url=" + mURL + "; foreign.url=" + u);
String entryName = path.substring(separator + 1);
assert (entryName.startsWith("/"));
entryName = entryName.substring(1);
return new InternalJarURLConnection(u, mRes, entryName);
} catch (URISyntaxException e) {
throw new IOException(e);
* Ties the URL that this handler is associated with to the handler, so
* that it can be asserted that somehow no other URLs are mangled in (this
* is theoretically impossible)
* @param url URL
public void tieUrl(URL url) {
// is it OK to call this twice and whack the variable a second time?
if (mURL != null) {
throw new IllegalStateException("Setting the URL more than once not allowed");
mURL = url;
* This class is used as return value of findClassIntenal method to return
* both class bytes and protection domain.
private static final class ClassData {
// Byron Sez: making classBytes volatile is pointless. That just makes
// the reference to the array volatile. The byte contents are NOT volatile
// I solved this low-level FB issue by:
// 1. don't use the field directly outside of this inner class
// 2. add a getter/setter
// 3. make both the setter and getter synchronized.
private byte[] classBytes;
/** must be 'final' to ensure thread visibility */
private final ProtectionDomain pd;
ClassData(byte[] classBytes, ProtectionDomain pd) {
this.classBytes = classBytes;
this.pd = pd;
private synchronized byte[] getClassBytes() {
return classBytes;
private synchronized void setClassBytes(byte[] newBytes) {
classBytes = newBytes;
* This class loader only provides a new class loading namespace
* so that persistence provider can load classes in that separate
* namespace while scanning annotations.
* This class loader delegates all stream handling (i.e. reading
* actual class/resource data) operations to the application class loader.
* It only defines the Class using the byte codes.
* Motivation behind this class is discussed at
* https://glassfish.dev.java.net/issues/show_bug.cgi?id=237.
private static final class DelegatingClassLoader extends SecureClassLoader {
* The application class loader which is used to read class data.
* Made 'final' to ensure thread visibility.
private final ASURLClassLoader delegate;
* Create a new instance.
* @param applicationCL is the original class loader associated
* with this application. The new class loader uses it to delegate
* stream handling operations. The new class loader also uses
* applicationCL's parent as its own parent.
DelegatingClassLoader(ASURLClassLoader applicationCL) {
super(applicationCL.getParent()); // normal class loading delegation
this.delegate = applicationCL;
* This method uses the delegate to use class bytes and then defines
* the class using this class loader
protected Class> findClass(String name) throws ClassNotFoundException {
ClassData classData = delegate.findClassData(name);
// Define package information if necessary
int lastPackageSep = name.lastIndexOf('.');
if (lastPackageSep != -1) {
String packageName = name.substring(0, lastPackageSep);
if (getDefinedPackage(packageName) == null) {
try {
// There's a small chance that one of our parents
// could define the same package after getPackage
// returns null but before we call definePackage,
// since the parent classloader instances
// are not locked. So, just catch the exception
// that is thrown in that case and ignore it.
// It's unclear where we would get the info to
// set all spec and impl data for the package,
// so just use null. This is consistent will the
// JDK code that does the same.
definePackage(packageName, null, null, null, null, null, null, null);
} catch (IllegalArgumentException iae) {
// duplicate attempt to define same package.
// safe to ignore.
_logger.log(Level.FINE, "duplicate package definition attempt for " + packageName, iae);
try {
final byte[] bytes = classData.getClassBytes();
Class> clazz = defineClass(name, bytes, 0, bytes.length, classData.pd);
return clazz;
} catch (UnsupportedClassVersionError ucve) {
throw new UnsupportedClassVersionError(
sm.getString("ejbClassLoader.unsupportedVersion", name, System.getProperty("java.version")));
protected URL findResource(String name) {
return delegate.findResource(name);
protected Enumeration findResources(String name) throws IOException {
return delegate.findResources(name);