
Analysis: .class file loading in ojp-libs for SPI implementations #239

Draft
Copilot wants to merge 4 commits into main from copilot/analyze-scanning-class-files

Copilot AI commented Jan 8, 2026

Analyzed feasibility of scanning individual .class files (not JARs) in ojp-libs for SPI implementations, as customers implementing a single SPI might prefer avoiding JAR creation.

Recommendation: Do Not Implement

Loading loose .class files introduces unacceptable tradeoffs:

  • Security: No code signing, individual file tampering, wider attack surface
  • Complexity: Custom ClassLoader, manual ServiceLoader discovery, dependency resolution
  • UX: Package structure errors, missing dependencies, unclear error messages
  • Ecosystem: Breaks standard Java tooling (IDEs, build systems, debuggers)

Alternative Solution: Helper Script

Provides create-spi-jar.sh that makes JAR creation trivial:

# Compile and package in one command
javac -cp ojp-datasource-api.jar com/example/MyProvider.java
./create-spi-jar.sh com/example/MyProvider.class \
    org.openjproxy.datasource.ConnectionPoolProvider
cp MyProvider.jar ojp-libs/

Script automatically:

  • Extracts package structure from class file path
  • Creates proper JAR directory layout
  • Generates META-INF/services/ registration file
  • Includes inner classes
  • Produces deployment-ready JAR

Deliverables

  • Comprehensive Analysis (33KB): Technical challenges, security analysis, 4 alternatives evaluated, implementation guide if proceeding
  • Executive Summary (14KB): Decision maker overview, risk assessment, success metrics
  • Working Script (tested): One-command JAR creation with error handling
  • Developer Guide: Quick reference with examples

Result: 95% of convenience without security compromise or core changes.

Original prompt

Do an analysis on what would be required to scan .class files as well in ojp-lib folder to load in the classpath. These are expected to be implementations of the SPIs OJP defines. The idea is that if a customer just implements a single SPI it might not make sense to build a JAR for it.

Add your opinion, concerns, questions, and suggestions.



Co-authored-by: rrobetti <7221783+rrobetti@users.noreply.github.com>

rrobetti commented Jan 8, 2026

Putting this on hold, as it seems a good idea to have the script to facilitate JAR creation, but this script needs to be tested so that it can be trusted that it will "just work".
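One way to test what such a packaging script produces before a JAR is trusted in ojp-libs, as an added example that is not part of this PR or the project's code: it checks the layout the description lists (service registration file present, provider class stored under its package path, entry really a class file). The names `check_spi_jar` and `build_jar` and the in-memory sample JARs are assumptions constructed for illustration; the SPI name and `com.example.MyProvider` come from the PR description.

```python
import io
import zipfile

# SPI interface name as used in the PR description's create-spi-jar.sh call.
SPI = "org.openjproxy.datasource.ConnectionPoolProvider"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def check_spi_jar(jar_bytes, spi=SPI):
    """Return a list of problems in an SPI JAR; an empty list means it passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        service_file = "META-INF/services/" + spi
        if service_file not in names:
            return ["missing " + service_file]
        text = jar.read(service_file).decode("utf-8")
        # ServiceLoader ignores blank lines and anything after '#'.
        providers = [p for p in (l.split("#", 1)[0].strip() for l in text.splitlines()) if p]
        if not providers:
            problems.append("service file lists no provider class")
        for provider in providers:
            entry = provider.replace(".", "/") + ".class"
            if entry not in names:
                problems.append("provider class not in JAR: " + entry)
            elif jar.read(entry)[:4] != CLASS_MAGIC:
                problems.append("not a class file: " + entry)
    return problems


def build_jar(entries):
    """Build an in-memory JAR from {path: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, data in entries.items():
            jar.writestr(path, data)
    return buf.getvalue()


STUB = CLASS_MAGIC + b"\x00" * 4  # constructed stub: magic only, not loadable
SERVICE = "META-INF/services/" + SPI
GOOD = build_jar({SERVICE: b"com.example.MyProvider\n",
                  "com/example/MyProvider.class": STUB,
                  "com/example/MyProvider$1.class": STUB})
# Class stored at the JAR root instead of under its package directory.
FLAT = build_jar({SERVICE: b"com.example.MyProvider\n", "MyProvider.class": STUB})
NO_SERVICE = build_jar({"com/example/MyProvider.class": STUB})

if __name__ == "__main__":
    for label, jar in (("good", GOOD), ("flat", FLAT), ("no-service", NO_SERVICE)):
        print(label, check_spi_jar(jar))
```

This checks structure only; it does not verify signatures or load the class.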

Copilot AI and others added 2 commits January 8, 2026 22:41
Co-authored-by: rrobetti <7221783+rrobetti@users.noreply.github.com>
Co-authored-by: rrobetti <7221783+rrobetti@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Analyze requirements for scanning .class files in ojp-lib folder" to "Analysis: .class file loading in ojp-libs for SPI implementations" Jan 8, 2026
Copilot AI requested a review from rrobetti January 8, 2026 22:46