On Sep 18, 2013, at 11:28 AM, Mandy Chung wrote: > > On 9/18/2013 9:20 AM, Nick Williams wrote: >> On Sep 9, 2013, at 4:41 PM, Mandy Chung wrote: >> >>> >On 9/9/13 10:02 AM, David Chase wrote: >>>> >>Take this lightly informed suggestion with a grain of salt, but why not, >>>> >>for purposes of performance and security, >>>> >>change the logging-specific getCallerClass methods so that their "class" >>>> >>references are instead wrapped in some sort of proxy object that only >>>> >>forwards certain operations quickly without a security check? For >>>> >>example, equals, hashcode, and toString are probably not >>>> >>security-sensitive. >>> > >>> >Most of the information obtained from a class the use cases are interested >>> >in are security-sensitive information (e.g. protection domain, code >>> >source, class loader). >> Why? >> > > That's the information Log4j wants to get once it gets a Class object. The > methods getting protection domain, code source, class loader require > permission check.
My "why" was "why do they require a permission check?" Why are these sensitive? Nick
