Best approach for dynamic class loading in java webapp?

Question

I´m working in the design of a java web application capable of executing custom code or precompiled classes uploaded by the users, focused mostly in simple validations of datasets. The custom class must be constrained to a predefined interface and only some libraries and classes must be available to the custom class.

My first solution is to use a custom Classloader capable of loading .jar files from a defined directory in the file system. This approach seems to work but i´m concerned about the security and compatibility of this solution.

Is possible to limit the classes that can be imported by the custom class and run the code in a sandbox in order to avoid some actions like opening files or sockets?

When the loaded class will be unloaded?

application Servers like Weblogic have some restriction about using custom classloaders?

I have evaluated another solutions like OSGi Bundles, but it looks really complex and the support is limited in some applications server also i´m not really sure if OSGi is the right technology for this particular usage. Embedded Scripting Languages like Groovy o Javascript are discarded because the project owner wants the custom code precompiled and written in Java.

What would you recommend for this problem?

Answer 1

OSGi is a good fit for an application that wishes to accept external code (plugins). All the requirements you mention (predefined interfaces, loading jars, mutiple classloaders) are all covered by OSGi services and bundle management. Bundles can be installed, started, stopped, uninstalled, etc, including in runtime.

OSGi support in web application servers is not really that limited. You could even considered embedding an OSGi framework.

Security-wise you will need a solution around security managers.