When a custom class loader must override the
getPermissions() method, the implementation must consult the default system policy by explicitly invoking the superclass's
getPermissions() method before assigning arbitrary permissions to the code source. A custom class loader that ignores the superclass's
getPermissions() could load untrusted classes with elevated privileges.
ClassLoader is abstract and must not be directly subclassed.
Noncompliant Code Example
This noncompliant code example shows a fragment of a custom class loader that extends the class
URLClassLoader. It overrides the
getPermissions() method but does not call its superclass's more restrictive
getPermissions() method. Consequently, a class defined using this custom class loader has permissions that are completely independent of those specified in the systemwide policy file. In effect, the class's permissions override them.
In this compliant solution, the
getPermissions() method calls
super.getPermissions(). As a result, the default systemwide security policy is applied in addition to the custom policy.
Failure to consult the default system policy while defining a custom class loader violates the tenets of defensive programming and can result in classes defined with unintended permissions.
Violations of this rule can be discovered with a heuristic checker in the style of FindBugs. As with all heuristic checks, achieving a low false-positive rate is essential.
Android Implementation Details
java.security package exists on Android for compatibility purposes only, and it should not be used.