Understanding plug-in interactions/security
Hi,
This is more of a why question (low priority) than a how question:
Background: I am developing a plug in for intellij that I am hoping to make as resistant as possible to interference from other plug-ins. In short, I would like to reduce the possibility of other plugins accessing its classes while it is running.
Approach: Where possible, I have made classes and their attributes package-private (removed the public keyword). This prevents code from other plugins (whose code is in a differently name package) from accessing the classes.
Test: I have created a second “tester” plugin that tries to access the code of the first plugin when both are loaded in the IDE. The test confirmed that making classes package-private in the first plug-in makes them inaccessible to the second plug-in.
The fun part: To push this further, i use identical package names for both plug-ins. Yet, even with identical package names, the tester plug-in cannot access the package-private classes of the first plug=in. This is the desired behaviour. Note, I checked the manifest in the jar files and the packages are not sealed.
Question: Does Intellij do anything special to enforce this separation between plug-ins even when they have the same package name? My assumption is that it provides its own class loader which does additional checks to limit access to nonpublic classes from other jar files.
Thanks!
Sincerely,
Alex
Please sign in to leave a comment.
Please read this article: https://plugins.jetbrains.com/docs/intellij/plugin-class-loaders.html#classes-from-plugin-dependencies
Source code: com.intellij.ide.plugins.cl.PluginClassLoader.kt in the IDEA Community source code repo.
It resembles a traditional Java EE web app class loading, which can reload modules at runtime, and classes with the same package will be isolated by the class loader.
If you want to protect your plugin code, you may consider using your encrypted classloader, eg: https://github.com/search?q=encrypted+classloader&type=repositories
Please read this article: https://plugins.jetbrains.com/docs/intellij/plugin-class-loaders.html#classes-from-plugin-dependencies
Source code: com.intellij.ide.plugins.cl.PluginClassLoader.kt in the IDEA Community source code repo.
It resembles a traditional Java EE web app class loading, which can reload modules at runtime, and classes with the same package will be isolated by the class loader.
If you want to protect your plugin code, you may consider using your encrypted classloader, eg: https://github.com/search?q=encrypted+classloader&type=repositories
Thanks Jacky Liu that was very helpful!