[PATCH] 4851444: Exposing sun.reflect.Reflection#getCallerClass as a public API in Java 8

Mandy Chung mandy.chung at oracle.com
Wed Sep 18 16:28:57 UTC 2013


On 9/18/2013 9:20 AM, Nick Williams wrote:
> On Sep 9, 2013, at 4:41 PM, Mandy Chung wrote:
>
>> On 9/9/13 10:02 AM, David Chase wrote:
>>> Take this lightly informed suggestion with a grain of salt, but why not, for purposes of performance and security,
>>> change the logging-specific getCallerClass methods so that their "class" references are instead wrapped in some sort of proxy object that only forwards certain operations quickly without a security check?  For example, equals, hashcode, and toString are probably not security-sensitive.
>>
>> Most of the information obtained from a class the use cases are interested in are security-sensitive information (e.g. protection domain, code source, class loader).
> Why?
>

That's the information Log4j wants to get once it gets a Class object.
The methods getting protection domain, code source, class loader require
a permission check.

Mandy
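Added illustration (not code from this thread or from Log4j) of the permission check Mandy refers to: a recording SecurityManager shows that Class#getProtectionDomain, which is how a logger would reach the code source of the caller class, is guarded by RuntimePermission "getProtectionDomain". The class name and the stand-in for the caller class are assumptions for the example.

```java
import java.security.CodeSource;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;

public class CallerClassPermissionDemo {

    // Every permission name the JDK asks the SecurityManager about while we inspect the Class.
    static final List<String> checkedPermissions = new ArrayList<>();

    // Records each check and denies only the permissions guarding
    // Class#getProtectionDomain and Class#getClassLoader; everything else is allowed.
    static final class RecordingSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            String name = perm.getName();
            checkedPermissions.add(name);
            if ("getProtectionDomain".equals(name) || "getClassLoader".equals(name)) {
                throw new SecurityException("denied " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // What a logging framework does with the caller Class it obtained:
    // read the code source (jar location) through the protection domain.
    static CodeSource codeSourceOf(Class<?> caller) {
        return caller.getProtectionDomain().getCodeSource();
    }

    public static void main(String[] args) {
        // Hypothetical stand-in for the Class a getCallerClass-style API would return.
        Class<?> caller = CallerClassPermissionDemo.class;

        // Without a SecurityManager installed there is no check at all.
        System.out.println("no SM: " + codeSourceOf(caller));

        System.setSecurityManager(new RecordingSecurityManager());
        try {
            codeSourceOf(caller);
        } catch (SecurityException e) {
            // RuntimePermission "getProtectionDomain" is checked before the domain is handed out.
            System.out.println("with SM: " + e.getMessage());
        }
        // Class#getClassLoader is checked only when the caller's loader is neither the
        // class's loader nor one of its ancestors, so it does not appear for this same-loader call.
        System.out.println("permissions checked: " + checkedPermissions);
    }
}
```

On JDK 18 and later a SecurityManager can only be installed when the JVM is started with -Djava.security.manager=allow; on JDK 8, the release this thread targets, no flag is needed.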
