tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chefo <>
Subject Re: Access StandardContext in WebappClassLoader
Date Fri, 27 Aug 2010 11:34:18 GMT
Hi Chris,

thanks for the interest - of course I'll give you an example. Surprisingly
it is not java.lang.Object that I'm trying to hide but the stax api in java
6. I need to do so because of the notorious fault in the
XMLOutputFactory#newInstance(String, ClassLoader). Therefore I'm using using
stax-api 1.0.1 that is available through the equinox my catalina lives in
(mentioned in my first post). I also have a woodstox implementation as a
bundle. The situation is the following - a web application tries to obtain a
factory instance through the api. The XMLOutputFactory class is loaded
through the webapp class loader from the system class loader. The woodstox
implementation is found (as osgi bundle) and it is instantiated. When
the com.ctc.wstx.stax.WstxInputFactory / WstxOutputFactory class is loaded
from the osgi bundle class loader it has been identified correctly as
implementing the XMLInput/OutputFactory loaded from the stax-api bundle
again in the osgi. Thus I end up with the following exception in my web

"java.lang.ClassCastException: com.ctc.wstx.stax.WstxInputFactory cannot be
cast to"

The thing is that osgi runtime in which the catalina lives complicates the
class loading a bit.
Note that this black voodoo magic for configuring restricted system packages
is not something I've invented - I just saw there is such thing in jetty and
was extremely happy to see it could be implemented with little effort in
tomcat as well.

Best regards,

On Thu, Aug 26, 2010 at 8:28 PM, Christopher Schultz <> wrote:

> Hash: SHA1
> Chefo,
> On 8/26/2010 11:24 AM, Chefo wrote:
> > What bothers me in the WebappClassLoader is the fact that before it
> checks
> > its repositories (lib folder and classes) and asks its parent class
> loader,
> > it will first attempt to load a class from the system class loader - from
> > the jvm.
> That's supposed to be how it's done: webapps aren't supposed to be able
> to subvert the JVM by loading their own definitions for, say,
> java.lang.Object.
> > I want to prevent that for certain packages and I
> > want it to be configurable for each web application.
> Can you give me an example of when this would be a good idea?
> - -chris
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla -
> iEYEARECAAYFAkx2pEMACgkQ9CaO5/Lv0PCQiQCgrrlP1MmzO7zfg+db81i+h82D
> 4eAAn3I5g/Vb1JPpaC24jzfGLNhqMwT7
> =uIHX
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message