Class Loader HOW-TO
Table of Contents
Overview
Like many server applications, Tomcat installs a variety of class loaders
(that is, classes that implement java.lang.ClassLoader
) to allow
different portions of the container, and the web applications running on the
container, to have access to different repositories of available classes and
resources. This mechanism is used to provide the functionality defined in the
Servlet Specification, version 2.4 — in particular, Sections 9.4
and 9.6.
In a Java environment, class loaders are arranged in a parent-child tree. Normally, when a class loader is asked to load a particular class or resource, it delegates the request to a parent class loader first, and then looks in its own repositories only if the parent class loader(s) cannot find the requested class or resource. Note, that the model for web application class loaders differs slightly from this, as discussed below, but the main principles are the same.
When Tomcat is started, it creates a set of class loaders that are organized into the following parent-child relationships, where the parent class loader is above the child class loader:
Bootstrap
|
System
|
Common
/ \
Webapp1 Webapp2 ...
The characteristics of each of these class loaders, including the source of classes and resources that they make visible, are discussed in detail in the following section.
Class Loader Definitions
As indicated in the diagram above, Tomcat creates the following class loaders as it is initialized:
Bootstrap — This class loader contains the basic runtime classes provided by the Java Virtual Machine, plus any classes from JAR files present in the System Extensions directory (
$JAVA_HOME/jre/lib/ext
). Note: some JVMs may implement this as more than one class loader, or it may not be visible (as a class loader) at all.System — This class loader is normally initialized from the contents of the
CLASSPATH
environment variable. All such classes are visible to both Tomcat internal classes, and to web applications. However, the standard Tomcat startup scripts ($CATALINA_HOME/bin/catalina.sh
or%CATALINA_HOME%\bin\catalina.bat
) totally ignore the contents of theCLASSPATH
environment variable itself, and instead build the System class loader from the following repositories:$CATALINA_HOME/bin/bootstrap.jar — Contains the main() method that is used to initialize the Tomcat server, and the class loader implementation classes it depends on.
$CATALINA_BASE/bin/tomcat-juli.jar or $CATALINA_HOME/bin/tomcat-juli.jar — Logging implementation classes. These include enhancement classes to
java.util.logging
API, known as Tomcat JULI, and a package-renamed copy of Apache Commons Logging library used internally by Tomcat. See logging documentation for more details.If
tomcat-juli.jar
is present in $CATALINA_BASE/bin, it is used instead of the one in $CATALINA_HOME/bin. It is useful in certain logging configurations$CATALINA_HOME/bin/commons-daemon.jar — The classes from Apache Commons Daemon project. This JAR file is not present in the
CLASSPATH
built bycatalina.bat
|.sh
scripts, but is referenced from the manifest file of bootstrap.jar.
Common — This class loader contains additional classes that are made visible to both Tomcat internal classes and to all web applications.
Normally, application classes should NOT be placed here. The locations searched by this class loader are defined by the
common.loader
property in $CATALINA_BASE/conf/catalina.properties. The default setting will search the following locations in the order they are listed:- unpacked classes and resources in
$CATALINA_BASE/lib
- JAR files in
$CATALINA_BASE/lib
- unpacked classes and resources in
$CATALINA_HOME/lib
- JAR files in
$CATALINA_HOME/lib
By default, this includes the following:
- annotations-api.jar — JavaEE annotations classes.
- catalina.jar — Implementation of the Catalina servlet container portion of Tomcat.
- catalina-ant.jar — Tomcat Catalina Ant tasks.
- catalina-ha.jar — High availability package.
- catalina-storeconfig.jar — Generation of XML configuration files from current state
- catalina-tribes.jar — Group communication package.
- ecj-*.jar — Eclipse JDT Java compiler.
- el-api.jar — EL 3.0 API.
- jasper.jar — Tomcat Jasper JSP Compiler and Runtime.
- jasper-el.jar — Tomcat Jasper EL implementation.
- jsp-api.jar — JSP 2.3 API.
- servlet-api.jar — Servlet 3.1 API.
- tomcat-api.jar — Several interfaces defined by Tomcat.
- tomcat-coyote.jar — Tomcat connectors and utility classes.
- tomcat-dbcp.jar — Database connection pool implementation based on package-renamed copy of Apache Commons Pool and Apache Commons DBCP.
- tomcat-i18n-**.jar — Optional JARs containing resource bundles for other languages. As default bundles are also included in each individual JAR, they can be safely removed if no internationalization of messages is needed.
- tomcat-jdbc.jar — An alternative database connection pool implementation, known as Tomcat JDBC pool. See documentation for more details.
- tomcat-util.jar — Common classes used by various components of Apache Tomcat.
- tomcat-websocket.jar — WebSocket 1.1 implementation
- websocket-api.jar — WebSocket 1.1 API
- unpacked classes and resources in
WebappX — A class loader is created for each web application that is deployed in a single Tomcat instance. All unpacked classes and resources in the
/WEB-INF/classes
directory of your web application, plus classes and resources in JAR files under the/WEB-INF/lib
directory of your web application, are made visible to this web application, but not to other ones.
As mentioned above, the web application class loader diverges from the default Java delegation model (in accordance with the recommendations in the Servlet Specification, version 2.4, section 9.7.2 Web Application Classloader). When a request to load a class from the web application's WebappX class loader is processed, this class loader will look in the local repositories first, instead of delegating before looking. There are exceptions. Classes which are part of the JRE base classes cannot be overridden. There are some exceptions such as the XML parser components which can be overridden using the appropriate JVM feature which is the endorsed standards override feature for Java <= 8 and the upgradeable modules feature for Java 9+. Lastly, the web application class loader will always delegate first for JavaEE API classes for the specifications implemented by Tomcat (Servlet, JSP, EL, WebSocket). All other class loaders in Tomcat follow the usual delegation pattern.
Therefore, from the perspective of a web application, class or resource loading looks in the following repositories, in this order:
- Bootstrap classes of your JVM
- /WEB-INF/classes of your web application
- /WEB-INF/lib/*.jar of your web application
- System class loader classes (described above)
- Common class loader classes (described above)
If the web application class loader is
configured with
<Loader delegate="true"/>
then the order becomes:
- Bootstrap classes of your JVM
- System class loader classes (described above)
- Common class loader classes (described above)
- /WEB-INF/classes of your web application
- /WEB-INF/lib/*.jar of your web application
XML Parsers and Java
Starting with Java 1.4 a copy of JAXP APIs and an XML parser are packed inside the JRE. This has impacts on applications that wish to use their own XML parser.
In old versions of Tomcat, you could simply replace the XML parser in the Tomcat libraries directory to change the parser used by all web applications. However, this technique will not be effective when you are running modern versions of Java, because the usual class loader delegation process will always choose the implementation inside the JDK in preference to this one.
Java <= 8 supports a mechanism called the "Endorsed Standards Override Mechanism" to allow replacement of APIs created outside of the JCP (i.e. DOM and SAX from W3C). It can also be used to update the XML parser implementation. For more information, see: http://docs.oracle.com/javase/1.5.0/docs/guide/standards/index.html. For Java 9+, use the upgradeable modules feature.
Note that overriding any JRE component carries risk. If the overriding component does not provide a 100% compatible API (e.g. the API provided by Xerces is not 100% compatible with the XML API provided by the JRE) then there is a risk that Tomcat and/or the deployed application will experience errors.
Running under a security manager
When running under a security manager the locations from which classes are permitted to be loaded will also depend on the contents of your policy file. See Security Manager HOW-TO for further information.