Why aren't unsigned applets allowed to create custom ClassLoaders?
Java applets don't allow you to write a custom ClassLoader, unless you sign your applet. Why is this so? A custom ClassLoader is just a tool for finding classes. You can't actually load the class except by calling the private "defineClass" method, which is "trusted" code in the sense that it is written and controlled by the VM, not by your applet. It's not like you gain any more permissions than the ability to dynamically load a class... Which really is nothing at all.
I guess as a side question: Is there any other way to dynamically go from byte[] => Class which is allowed by unsigned applets?
defineClass has a ProtectionDomain parameter that you could pass with a PermissionCollection containing AllPermission, which would allow you to do basically anything to the host machine.
Note, you can create a ClassLoader with java.net.URLClassLoader.newInstance. As pointed out by bkail, a custom ClassLoader could create classes with arbitrary permissions, as well as bypass other security constraints. As to why there isn't anything more general than java.net.URLClassLoader.newInstance, well, there just isn't.
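The point both answers make, as an added example that is not part of the original posts: the ClassLoader subclass, not the VM, chooses the ProtectionDomain handed to defineClass, which is why creating one is gated. The names DefineClassDomainDemo, Payload and GrantingLoader are hypothetical, and the program assumes Java 9 or later with no security manager installed.

```java
import java.io.InputStream;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class DefineClassDomainDemo {
    /** Harmless class whose bytes are re-defined below (constructed sample). */
    public static class Payload { }

    /** Hypothetical custom loader: it, not the VM, picks the ProtectionDomain. */
    static class GrantingLoader extends ClassLoader {
        GrantingLoader() {
            // With a SecurityManager installed (the applet sandbox), ClassLoader's
            // constructor calls checkCreateClassLoader(); unsigned code fails here.
            super(null); // null parent: Payload is not delegated to the app loader
        }

        Class<?> define(String name, byte[] bytes) {
            Permissions perms = new Permissions();
            perms.add(new AllPermission());
            ProtectionDomain pd = new ProtectionDomain(
                    new CodeSource(null, (Certificate[]) null), perms);
            // defineClass is a protected final method of ClassLoader, so only a
            // subclass can reach it; the domain argument is entirely caller-chosen.
            return defineClass(name, bytes, 0, bytes.length, pd);
        }
    }

    public static void main(String[] args) throws Exception {
        String name = Payload.class.getName();
        byte[] bytes;
        // Read Payload's own compiled bytes from the classpath.
        try (InputStream in = DefineClassDomainDemo.class.getResourceAsStream(
                "/" + name.replace('.', '/') + ".class")) {
            bytes = in.readAllBytes();
        }
        Class<?> c = new GrantingLoader().define(name, bytes);
        System.out.println("distinct class object: " + (c != Payload.class));
        System.out.println("domain implies AllPermission: "
                + c.getProtectionDomain().implies(new AllPermission()));
    }
}
```

The URLClassLoader.newInstance route mentioned above does not take a caller-supplied domain; permissions for classes it loads are derived from the URL they came from.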