On 03/09/2013 13:24, Nick Williams wrote:
:
>> As regards frameworks using sun.reflect.Reflection.getCallerClass directly then
>> it's as I said previously, they are probably not run with a security manager
>> very often (at least not unless the policy is configured to allow direct access
>> to sun.*).
> I'd argue that Logback, Log4j, and Groovy, three of the most common Java
> frameworks around, are very likely used with security managers quite often. It
> doesn't cause any problems because we don't misuse the information we obtain
> from getCallerClass.
When running with a security manager then access to sun.* is restricted.
My point is that if folks are using Log4J when running with a
security manager then it can't use the existing
sun.reflect.Reflection.getCallerClass unless permission has been
granted. Once you open up access to sun.* then all bets are off of course.
-Alan
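
The restriction discussed in this thread can be observed directly. The following is an added example, not part of the original messages or of any of the projects named; it assumes a JDK 7 or 8 runtime (where sun.reflect.Reflection exists and System.setSecurityManager is permitted) and the default policy file, and the class name SunPackageAccessDemo is hypothetical.

```java
import java.security.AccessControlException;
import java.security.Security;

// Added illustration; assumes JDK 7 or 8 with the default security policy.
public class SunPackageAccessDemo {

    // Tries to load a class by name and reports how the attempt ended.
    static String tryLoad(String className) {
        try {
            Class.forName(className);
            return "loaded";
        } catch (AccessControlException e) {
            // Raised via SecurityManager.checkPackageAccess when the caller lacks
            // RuntimePermission("accessClassInPackage.<package>").
            return "denied: " + e.getPermission();
        } catch (ClassNotFoundException e) {
            return "not found";
        }
    }

    public static void main(String[] args) {
        String target = "sun.reflect.Reflection";

        // The restricted package prefixes come from the package.access
        // security property (read here before the security manager is installed).
        System.out.println("package.access = "
                + Security.getProperty("package.access"));

        // No security manager: the package check is not performed.
        System.out.println("without security manager: " + tryLoad(target));

        // Default policy: application code has no grant for
        // accessClassInPackage.sun.reflect, so the same load is refused.
        System.setSecurityManager(new SecurityManager());
        System.out.println("with security manager:    " + tryLoad(target));
    }
}
```

The second load succeeds only if the policy in effect grants the code `permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";`, which is the "permission has been granted" case in the message above.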