[External] : Re: Observations: URLClassPath and HTTP request
Eirik Bjørsnøs
eirbjo at gmail.com
Tue Feb 24 15:45:04 UTC 2026
On Tue, Feb 24, 2026 at 3:56 PM Alan Bateman <alan.bateman at oracle.com>
wrote:
> I agree. Remote class loading was very interesting in a world of
> distributed objects, security managers and sandboxing. I don't think we
> have data to know how widely used URLClassLoader is with http/https in
> modern applications and deployments. If something compelling comes up that
> has performance issues then they could be looked at then.
>
If HTTP in URLClassLoader has little current use, then perhaps it could
make sense to gate this feature somehow? To have remote code loading
enabled by default in a core library like this seems a little bit risky in
the age of integrity by default and with xperiences from remote code
loading in the LDAP area in recent years in mind.
But that's perhaps something for security teams to discuss.
Eirik.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/net-dev/attachments/20260224/3a30bd8e/attachment.htm>
More information about the net-dev
mailing list