Home/ Questions/Q 8396413
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-09T20:31:45+00:00

I have a javaagent that prints out names of all classes that get loaded,

  • 0

I have a javaagent that prints out names of all classes that get loaded, and their source (where they are from).

public byte[] transform(ClassLoader loader, String className, Class redefiningClass, ProtectionDomain domain, byte[] bytes) throws IllegalClassFormatException {
        System.out.print("Loading class: " + className + "\t");
        if (domain != null) {
          final CodeSource cs = domain.getCodeSource();
          if (cs != null) {
            System.out.println(cs.getLocation());
          }
        }
        System.out.println();
        return bytes;
    }

For some classes, it prints out “null” (meaning cs.getLocation() is null). Why is this, and is there anyway to see where those classes are from? Note, I am not doing this on my own Java app, so I have no knowledge of any custom ClassLoaders it uses.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    According to Jetty 7.0.0RC4, it appears a null CodeSource reflects that the class has global permissions.

    // 1) if protection domain codesource is null, it is the global permissions (grant {})

    This behavior is documented in the specification of ClassLoader.defineClass, so it isn’t arbitrary 😉

    This method assigns a default ProtectionDomain to the newly defined class. The ProtectionDomain is effectively granted the same set of permissions returned when Policy.getPolicy().getPermissions(new CodeSource(null, null)) is invoked. The default domain is created on the first invocation of defineClass, and re-used on subsequent invocations.

    Actually, looking closer, I believe this is the work of SecureClassLoader.defineClass

    If a non-null CodeSource is supplied a ProtectionDomain is constructed and associated with the class being defined.

    • 0