Parent-last! Nice, simple and so much more accurate than child-first, the term everyone, including myself, uses but which is also unfortunately incorrect.


As for the lack of security of parent-last class loaders, since a class loader can load classes as it wants in the order it wants, it's hard to see how the delegation order matters in the case of a malicious class loader.


At 16:58 5/3/2005, Mike Colbert wrote:

This sounds reasonable to me. It would be nice to have something definitive,
however. I think it's an interesting topic and I've been following it on this
list. So far, all the security risks Simon has referenced (and questioned)
don't seem to go much beyond hand-waving so I agree with him they are dubious.
A test case demonstrating some of these alleged security risks would be
helpful; I can't put my head around them without more detail and context.
Could be that these risks only affect 1% of real-world apps under a specific
scenario. Even if it's 0.01% or entirely theoretical, a test case would be
useful to even understand what the risk really is supposed to be.


As an aside, isn't "child-first" really a misnomer and it's more like
"parent-last"? Assuming the parent is at the top of the hierarchy, child-first
implies (to me), that the hierarchy is walked downwardly from the parent, not
upwardly from the bottom.


Mike Colbert

-- Ceki Gülcü

  The complete log4j manual: http://www.qos.ch/log4j/


