Is putting external jars in the JAVA_HOME/lib/ext directory a bad thing?

前端 未结 3 1099
再見小時候
再見小時候 2020-11-28 15:19

We have an application which runs in a JRE environment. The application uses some external jars and we have been putting them in the JAVA_HOME/lib/ext folder. This has w

相关标签:
3条回答
  • 2020-11-28 15:34

    In addition to the answer by weiji (packaging and upgrades to new JVM versions), there are other risks.

    If you are using security manager in any of your applications, the libraries in ext often have a lot more capability by default - they are treated much like the system libraries. You need to be sure that you can trust, in the sense of enforcing security rules, these classes. Did the authors think through what they were exposing correctly? If these classes do not use access control to change the security context then you don't need to worry about this but do you know if they do or do not (e.g. a method that provides access to a file and uses AccessController, does it ensure that the caller has the right file permissions?)

    Can all your applications use the exact same version of the library? What happens when you need to update that library (not just the JVM)? Will you break any of your applications? You will need to retest everything. The libraries in ext are loaded by the extension class loader which, due to parent delegation, has higher precedence than the normal (i.e. CLASSPATH) loader so these are guaranteed to be used by your application and there is no way for an individual application to override the library in ext with a different version.

    If you want to share the libraries across your applications, why not instead provide a separate folder of common libraries that applications can be individually configured (CLASSPATH) to reference. Then if you have problems with one application and a library, you can switch to a different version of the libraries or just for that one, put it earlier in the CLASSPATH (if that works, you must test this too as there may be other dependency issues). This will allow you to have more individual control for each application. But then, bundling all the required libraries with your application is the safest as you can retest and roll-out library upgrades to individual applications.

    0 讨论(0)
  • 2020-11-28 15:34

    Also it looks like JEP-220 is ostensibly deprecating this behavior with some arbitrary means to "possibly replace it" with some other behavior.

    0 讨论(0)
  • 2020-11-28 15:54

    Yes - it's a bad thing. Think about it: the application depends on the JRE and some extra jars. What if you update the JRE? Then you have to remember to copy the files into the new JRE. What if you need to set up the application on a new system? You have to copy the application there, and then also remember to copy the external jars into the JRE on that system.

    Both those issues wouldn't be an issue at all if you just package the application properly together with the external jars it needs. If you don't see this, then maybe it's not an issue at all. But you should still be grateful for the new guy for sharing his opinion.

    0 讨论(0)
提交回复
热议问题