[PATCH] 4851444: Exposing sun.reflect.Reflection#getCallerClass as a public API in Java 8

Alan Bateman Alan.Bateman at oracle.com
Tue Sep 3 15:57:34 UTC 2013

On 03/09/2013 13:24, Nick Williams wrote:
> :
>> As regards frameworks using sun.reflect.Reflection.getCallerClass directly then it's as I said previously, they are probably not run with a security manager very often (at least not unless the policy is configured to allow direct access to sun.*).
> I'd argue that Logback, Log4j, and Groovy, three of the most common Java frameworks around, are very likely used with security managers quite often. It doesn't cause any problems because we don't misuse the information we obtain from getCallerClass.
When running with a security manager then access to sun.* is restricted. 
My point is that if folks are using Log4J when running with a 
security manager then it can't use the existing 
sun.reflect.Reflection.getCallerClass unless permission has been 
granted. Once you open up access to sun.* then all bets are off of course.

