ClassLoaders in JEE 5 Specifications
I have been reading the proposed final draft of the Java Platform Enterprise Edition 5 Specification (aka JSR 244) and noticed again that nothing has changed in the classloading area (OK, I did not send any feedback to the JSR group, so I’m guilty too). It is as vague as it has always been and do not impose anything which would clearly protect the deployed applications from server implementation libraries, otherwise known as class leaking.
From EE.6.2.4.7 Context Class Loader:
The classes used by an application will typically be loaded by a hierarchy of class loaders. There may be a top level application class loader, an extension class loader, and so on, down to a system class loader. The top level application class loader delegates to the lower class loaders as needed. Classes loaded by lower class loaders, such as portable EJB system value classes, need to be able to discover the top level application class loader used to dynamically load application classes.
This is clearly an insufficient requirement.
I clearly don’t want any class used within the container internals to leak until my applications.
So please just be more strict on these classloading requirements.
As a default, I want my container to just and only expose JSE and JEE APIs. Not more.
Otherwise you have NO guarantee that you are working in a strict isolated environment for each application.
Assume that your container is using commons-xxx-1.0 internally.
Within a most app. server classloader hierarchies, this will be made visible to your applications.
Now, assume that you have an application that also uses commons-xxx-1.0
For some reasons, the packaging messed up the ear (s* happens) and it is not included…it just work by accident.. maybe until you decide to upgrade your container to the next update that uses commons-xxx-2.0 and everything just stop working..or worth will introduce invisible erratic behavior in your application.
Assume your application ships with its own commons-xxx-2.0 jar, how do you know which one your application is using ? Which classloading model is your container using for your application ? Is it parent first (Java2 delegation model) ? or child first (servlet 2.3+ compliance) ?
You’ll know very well which model your container is using if, for instance, your application uses a commons-xxx-2.0 which is not API-compatible with commons-xxx-1.0. Everything will just break in your application, and any attempt to swap your 1.0 with 2.0 will just break your server internals too. This is guarantee to keep the lambda administrator busy for a while.
Assume your commons-xxx jar.. has a singleton in its API, and your application is doing bad things on it (write access) oops, you’re just messing with your server and all other applications. (No, Java security is not an option due to complexity)
JBoss AS has this well-know flat classloading mechanism as a default called: Unified ClassLoaders
People who have been working on it extensively know fairly well how such sneaky system is just plainly wrong and can create havoc in production if the people in charge do not know much about it (as a matter of fact, few developpers know about it, so you can imagine for administrators)
For example, I was just called recently by a friend whose customer has hundreds of JBoss server running (and incidentally is also a major JBoss Group customer), a couple of servers running a new web application could not be deployed without all the too commons errors (ClassCast, NoSuchMethod, etc…). My friend is a very competent administrator and knows also Java pretty well, but sure enough, this kind of issues was beyond his initial knowledge and now, he has to communicate all the way up to the developpers…and document the issue to potentially do something about the hundred of applications that are deployed and miraculously working !
To my knowledge (which is I admit out of date as I haven’t keep up with the latest dev, so please committers, feel free to comment if necessary), JOnAS and Geronimo are also suffering from exposing internals to their applications. Fortunately they don’t have this flat broken mechanism which is bound to create more problems. Details should probably be worth an entry of its own, meanwhile you can read about the Geronimo Classloader hierarchy here and the JOnAS one here
I tried to check a few months ago what was the Glassfish behavior but it actually was difficult to read the uncommented code, so I gave up, will do when I will have more time in my hands. But interestingly, there seems to be a bug in Sun AS8 (which hierarchy is detailed here)which prevents you to deploy 2 identical applications that have the same display-name. It assumes it is unique within the app. server and lookup where it should not… See this post.
As a matter of fact, I think the JEE specification must be more precise about Classloading hierarchy and require perfect isolation from server internals.
What should be the default delegation model within an EAR ? Good question. Here are my thoughts:
For the classloader to loads EJBs (and dependencies via the Class-Path extension mechanism) it should be servlet-2.3+ delegation model. This is to protect the application from potential accidental class leaking if you decide to use the extension mechanism of your container for other applications (generally dropping some jar files into a common/lib or similar)
For a WAR file, as a standalone file, servlet specifications obviouslly require a servlet-2.3+ delegation model.
Why should it be different if the WAR file is located within an EAR ? I cannot see any reason.
If you have many WAR files that have a lot of libraries in common between them, you MAY want to move the jar files up one level so that they be loaded by the parent classloader (that is, the classloader that loaded the EJB and its dependencies). You could save both disk space, memory and be able to communicate quickly within WAR by references rather than by value (serialization cost), but this is far from being a common case and this is a dangerous slope.
Same can be said about EAR files, at the container level, you could eventually move everything worthwile (don’t do that for stateful singletons eh ?) to your container commons/lib
This must clearly be an ‘optimization’ which could only be done if you really need and want it.
In short I would definitely favor safe and isolated applications as a default rather than worrying about speed or disk space or memory. If you need all that, you could use, if it exists, your container ability to change the delegation model to java2 and move everything up one level or directly into your container common/lib if you know what you are doing, but I would prevent that as a default, it must not be transparent as well to avoid mistakes and each EAR classloader MUST be configurable to expose the container common/lib .
To sum up:
- An application classloader must only expose the JEE API as a default.
- An application classloader must be configurable to expose the container content of commons/lib (must be off as a default, see above)
- Application classloader must use servlet 2.3+ delegation model as a default (but configurable to java2)
- WAR classloader must use servlet 2.3+ delegation model as a default (but configurable to java2)
Any comments ?
You have to remember that those appserver people want to offer added value stuff, because that is how they differentiate their server/lock in users.
Maybe the provisioning of those features should be different, for example you could ask a JMX manager for an MBean of a specific interface, and you’d get back that particular (remote?) interface. No classpath injection, just interfaces at build time and proxies you get at runtime by asking for specific versions.
-steve
Comment by Steve Loughran — November 25, 2005 @ 2:30 pm
Steve, any app server is free to offer added value stuff, but what is important is that the specification can at least specify a standard expected behavior in this area to avoid all sort of custom interpretation. I think JEE developers/administrator pay a hard price in production otherwise. If it’s not standard, behavior is also bound to change any time (like JBoss does with the isolation mechanism) and creates more havoc when upgrading.
I’m also afraid to not to really get the JMX mechanism you are thinking about.
Comment by stephane — November 25, 2005 @ 3:06 pm
Amen brother,
I too tire of the different default implementations of classloaders.
I find that the concept of classloader hiearchies is enough to
blow most developers minds. Then you throw in the differing
default implementations and you have mass confusion. I can’t
just say “put all your jars in the WEB-INF/lib directory for you application”.
Comment by Rajesh Patel — November 29, 2005 @ 5:37 pm
BTW, Websphere defaults to parent first classloading, which is just
as bad as the unified classloader.
Comment by Rajesh Patel — November 29, 2005 @ 5:38 pm
Did more reading, JBoss is not using the FLAT model anymore:
http://jira.jboss.com/jira/browse/JBAS-1691
Comment by Rajesh Patel — November 29, 2005 @ 5:48 pm
I agree that the class loading model in Java EE 5 is problematic, but this is because there has been no consideration for how class loading should work in a multi-user/multi-application server environment. With components that allow call by reference semantics and containers that allow for customization of container component call level pathways(interceptors, valves, aspects), its a non-trivial problem. This is an issue that should be raised in the context of the JSR-277 (a jdk7 timeframe spec) as well as Java EE 6.
Comment by Scott M Stark — November 29, 2005 @ 9:19 pm
Thanks for your feedback Scott. I agree that scope wise this is a non trivial problem. But one should also not forget that there is at least the need for a minimal standard on which people can rely to deploy confidentely on any application server. As of today, there is none and it is a big issue. An application can be deployed and ‘work’ accidentally.
I also don’t think that it is tied to JSR-277 which is a bit of another issue. In the Java EE case we must simply be strict about a the existence of (at least) a default behavior which is as of now NO such big deal to implement..as it already exists. Every application server available on the market is certainly is able to do it now. Some will break their default behavior, but it’s up to them to provide a painless migration step.
For Java EE and JSR-277, there is something that is an interesting use case. I have seen several times at customers the WEB-INF/lib of WARs serving as a dumping ground for every jar. You could then find in it 3 different versions of a the same jar. The jar picked up, thus mostly depends on the app. server, JDK and filesystem.
Comment by stephane — November 29, 2005 @ 10:05 pm