So a URL class loader that you construct directly will not implement step 1 in the list above, while one obtained from the newInstance method will. Neither implementation provides step 4 calling the checkPackageDefinition method of the security manager. We can construct a URL class loader like this: URL urls[] = new URL[2]; urls[0] = new URLhttp:piccolo.East~sdo; urls[1] = new URLfile:homeclassesLocalClasses.jar; ClassLoader parent = this.getClass.getClassLoader ; URLClassLoader ucl = new URLClassLoaderurls, parent; When we use this class loader to load the class com.sdo.Car , the class loader first attempts to load it via http:piccolo.East~sdocomsdoCar.class; if that fails, it looks for the class in the LocalClasses.jar file. This class loader is the basis of the class loader used by the command−line interpreter. In that case, the array of URLs is created based on the list of URLs that make up the classpath. To implement a URL class loader, we follow the steps listed before.

6.3.4.1 Step 1: Optionally call the checkPackageAccess method

If you need to modify other behavior of the URL class loader, then you cannot use the newInstance method. In that case, in order to use the checkPackageAccess method, you must override the loadClass method like this: public final synchronized Class loadClassString name, boolean resolve throws ClassNotFoundException { First check if we have permission to access the package. SecurityManager sm = System.getSecurityManager ; if sm = null { int i = name.lastIndexOf.; if i = −1 { sm.checkPackageAccessname.substring0, i; } } return super.loadClassname, resolve; }

6.3.4.2 Step 2: Use the previously−defined class, if available

The loadClass method of the ClassLoader class performs this operation for you, which is why weve called the super.loadClass method.

6.3.4.3 Step 3: Defer class loading to the parent

The loadClass method of the ClassLoader class performs this operation.

6.3.4.4 Step 4: Optionally call the checkPackageDefinition method

In order to call the checkPackageDefinition method, you must override the findClass method: protected Class findClassfinal String name throws ClassNotFoundException { First check if we have permission to access the package. SecurityManager sm = System.getSecurityManager ; if sm = null { int i = name.lastIndexOf.; if i = −1 { sm.checkPackageDefinitionname.substring0, i; } } return super.findClassname; }

6.3.4.5 Step 5: Read in the class bytes

The URL class loader performs this operation for you by consulting the URLs that were passed to its constructor. If you need to adjust the way in which the class bytes are read, you should use the SecureClassLoader class instead.

6.3.4.6 Step 6: Create the appropriate protection domain

The URL class loader will create a code source for each class based on the URL from which the class was loaded and the signers if any of the class. The permissions associated with this code source will be obtained by using the getPermissions method of the Policy class, which by default will return the permissions read in from the active policy files. In addition, the URL class loader will add additional permissions to that set: If the URL has a file protocol, it must specify a file permission that allows all files that descend from the URL path to be read. For example, if the URL is file:xyzclasses, then a file permission with a name of xyzclasses− and an action list of read will be added to the set of permissions. If the URL is a jar file file:xyzMyApp.jar, the name file permission will be the URL itself. • If the URL has an HTTP protocol, then a socket permission to connect to or accept from the host will be added. For example, if the URL is http:piccoloclasses, then a socket permission with a name of piccolo:1− and an action list of connect,accept will be added. • If you want to associate different permissions with the class, then you should override the getPermissions method. For example, if we wanted the above rules to apply and also allow the class to exit the virtual machine, wed use this code: protected PermissionCollection getPermissionsCodeSource codesource { PermissionCollection pc = super.getPermissionscodesource; pc.addnew RuntimePermissionexitVM; return pc; } We could completely change the permissions associated with the class bypassing the Policy class altogether by constructing a new permission collection in this method rather than calling super.getPermissions . The URL class loader will use whatever permissions are returned from this getPermissions method to define the protection domain that will be associated with the class.

6.3.4.7 Steps 7−8: Define the class, verify it, and resolve it

These steps are handled internally by the URL class loader.

6.3.5 Using the SecureClassLoader Class

If you need to load bytes from a source that is not a URL or from a URL for which you dont have a protocol handler, like FTP, then youll need to extend the SecureClassLoader class. A subclass is required because the constructors of this class are protected, and in any case you need to override the findClass