On 12/17/2013 06:43 PM, Mandy Chung wrote:
Can you check what methods are called by the constructors whose access
are denied in the current implementation but granted in the patch? I
have to take another look to make sure but I believe they only calls
the methods in the handler classes that calls Handler.checkPermission.
Mandy
Methods that are called by various Handler constructors and would be
elevated by doPrivileged are:
- Handler's own setters, protected by Handler.checkPermission -
"control" permission required,
- LogManager.getLevelProperty - no special permission required
- LogManager.getFilterProperty - loads class configured in properties
from system class loader and instantiates it. (since this is done by
system class - LogManager, no special permission required besides those
that might be imposed by constructor of the Filter (sub)class)
- LogManager.getFormatterProperty - the same as getFilterProperty
- LogManager.getStringProperty,getIntProperty - no special permission
required
That's about it. So the only methods that are not known and would be
elevated by doPrivileged are no-args constructors of Filter and
Formatter subclasses the names of which are obtained from logging
properties and which must be loadable by system class loader.
Regards, Peter
