On 9/18/2013 9:20 AM, Nick Williams wrote:
On Sep 9, 2013, at 4:41 PM, Mandy Chung wrote:
>On 9/9/13 10:02 AM, David Chase wrote:
>>Take this lightly informed suggestion with a grain of salt, but why not, for
purposes of performance and security,
>>change the logging-specific getCallerClass methods so that their "class"
references are instead wrapped in some sort of proxy object that only forwards certain
operations quickly without a security check? For example, equals, hashcode, and toString are
probably not security-sensitive.
>
>Most of the information obtained from a class the use cases are interested in
are security-sensitive information (e.g. protection domain, code source, class
loader).
Why?
That's the information Log4j wants to get once it gets a Class object.
The methods getting protection domain, code source, class loader require
permission check.
Mandy
