From: Jan Bartel <janb_at_mortbay.com>
Date: Thu, 28 Feb 2008 10:34:41 +1100

FWIW, Jetty uses a configurable mechanism to control which classes can
and can't be seen by a webapp.

Apart from being able to select parent-first or webapp-first delegation
models for classloading on a webapp by webapp basis, one can also control
which packages can and can't be overridden or accessed by a webapp.

To quote from the wiki page (http://docs.codehaus.org/display/JETTY/Classloading):

 + "SystemClasses" cannot be overridden by webapp context classloaders. The defaults are;
     {"java.","javax.servlet.","javax.xml.","org.mortbay.",
      "org.xml.","org.w3c.", "org.apache.commons.logging.",
      "org.apache.log4j."}

 + "ServerClasses" (on the container classpath) cannot be seen by webapp context classloaders
    but can be overridden by the webapp. The defaults are:
    { "-org.mortbay.naming.","-org.mortbay.util.","org.mortbay.", "org.slf4j."};

 Absolute classname can be passed, names ending with . are treated as packages names and
 names starting with - are treated as negative matches and must be listed before

An idea like this may be worthwhile pursuing for the glassfish webapp classloader?

cheers
Jan