
Is it OK to modify rt.jar?

I'm creating an application that launches the JVM (using a copy of the JRE). If I edit rt.jar, for example to remove functionality that users shouldn't have access to, will it somehow break the JRE?

EDIT: The application involves downloading code onto a user's machine, so it would be restricting the code rather than the user. I probably should have clarified that.

There's a good chance you would break something that won't be noticeable until runtime.

But perhaps more important is the licensing problem: your app is shipping its own version of the JRE, which you're allowed to do, except you cannot modify the JRE you're distributing, as per the J2SE license:

[...] (a) you distribute the Software complete and unmodified and only bundled as part of Your applets and applications ("Programs"),

It's also questionable what is meant by "to remove functionality that users shouldn't have access to". Your application is executing in the context of a user account, and whatever functionality you removed from the JRE:

  • If the OS allows that particular action in the context of that user's session, then there's another way to do it - hence you're in the same position you were in before messing with rt.jar. Your user can just make a system call.

  • If the OS doesn't allow that action in the context of the user's session, then the JVM won't be able to do it either, whether the classes are present or not, so the whole question is moot.

Usually, the best way to remove functionality is to use a SecurityManager. This allows you to control what can be accessed or what key actions can be performed.
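
The SecurityManager approach suggested in the answer above, as an added example (not code from the original thread): the host application keeps full rights while code run in an empty-permission context is denied property reads, process creation and `System.exit`. It assumes a JRE that still ships rt.jar (Java 8 or earlier), where `SecurityManager` is supported; the class name `SandboxDemo`, the `UNTRUSTED` context and the `attempt` helper are hypothetical names for this illustration.

```java
import java.security.*;

public class SandboxDemo {
    // Stand-in for downloaded code: a protection domain with an empty, static
    // permission set. The installed Policy is not consulted for this domain.
    static final AccessControlContext UNTRUSTED = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Runs the action with the intersection of the host's and UNTRUSTED's rights.
    static String attempt(String label, PrivilegedExceptionAction<?> action) {
        try {
            AccessController.doPrivileged(action, UNTRUSTED);
            return label + ": allowed";
        } catch (SecurityException e) {
            return label + ": denied (" + e.getMessage() + ")";
        } catch (PrivilegedActionException e) {
            return label + ": allowed, but failed with " + e.getException();
        }
    }

    public static void main(String[] args) {
        // Grant the host application everything; otherwise the default policy
        // would restrict the host as soon as the manager is installed.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Host code: still unrestricted.
        System.out.println("host reads user.home: " + System.getProperty("user.home"));

        // Sandboxed code: every sensitive call is checked and refused.
        System.out.println(attempt("read user.home", () -> System.getProperty("user.home")));
        System.out.println(attempt("start process", () -> Runtime.getRuntime().exec("hostname")));
        System.out.println(attempt("exit JVM", () -> { System.exit(1); return null; }));
    }
}
```

In a real deployment the empty-permission domain would come from the class loader that defines the downloaded classes rather than from an explicit `AccessControlContext`.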

Completely depends on what you "remove". But it's possible. As long as you don't break anything, remove dependencies etc...

And if you want to do something security-wise. How can you ensure that you and only you have full control over the user's JRE?

And if this is the case. What benefit would your doing do what you can't do in your application?

But it's possible and a valid thought for some reasons. But they are mostly benchmarking, developing, debugging. For example dumping unencrypted bytecode.

Also be aware of the licensing problem. You probably won't be legally able to sell or ship this.

Why do you ask? You might potentially break some agreement/license, other than that it's ok.

I don't do that, but change the bootstrap loader's classpath to load my classes before rt.jar, etc. This is legal :)

In the end: Getting NoClassDefFoundError ain't cool, no matter how you look at it.

If you're asking if it's legally okay, I don't know but chances are that it isn't. (If you're intending to sell your product, that is. For research or recreational uses it probably is.)

Is it okay technically? If you know what you're doing, it can be.

Does it make sense though? How hard is it for the client to install another VM or just replace your hacked rt.jar with an unhacked one?

And on a more abstract level: is it a good idea to treat your customers like potential criminals? To assume that the first thing they're going to try is to hack your system. (Mind you, I don't know your customers, so you might as well be right, but the question is worth asking nevertheless.)
