commons-dev mailing list archives

From Ceki Gülcü
Subject Re: [logging] tech.xml - child-first classloading not considered harmful
Date Tue, 03 May 2005 17:16:45 GMT

Parent-last! Nice, simple and so much more accurate than child-first, the 
term everyone, including myself, uses but which is also unfortunately 

As for the lack of security of parent-last class loaders, since a class 
loader can load classes as it wants in the order it wants, it's hard to see 
how the delegation order matters in the case of a malicious class loader.

At 16:58 5/3/2005, Mike Colbert wrote:

>This sounds reasonable to me.  It would be nice to have something definitive,
>however.  I think it's an interesting topic and I've been following it on this
>list.  So far, all the security risks Simon has referenced (and questioned)
>don't seem to go much beyond hand-waving so I agree with him they are 
>A test case demonstrating some of these alleged security risks would be
>helpful; I can't put my head around them without more detail and context.
>Could be that these risks only affect 1% of real-world apps under a specific
>scenario.  Even if it's 0.01% or entirely theoretical, a test case would be
>useful to even understand what the risk really is supposed to be.
>As an aside, isn't "child-first" really a misnomer and it's more like
>"parent-last"?  Assuming the parent is at the top of the hierarchy, 
>implies (to me), that the hierarchy is walked downwardly from the parent, not
>upwardly from the bottom.
>Mike Colbert

Ceki Gülcü
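
An added example, not part of the original message or of any project's code: a minimal Java sketch of what the delegation order discussed in this thread changes in practice. When a loader and its parent can both supply the same class name, parent-first returns the parent's class, while parent-last defines its own copy, so one name yields two distinct Class objects. The names DelegationOrderDemo, SelfDefiningLoader and Probe are hypothetical; it assumes Java 9 or later and compilation with javac.

```java
import java.io.IOException;
import java.io.InputStream;

public class DelegationOrderDemo {
    public static class Probe {}   // constructed sample class, visible to the parent loader
    /** Can define any class itself by re-reading the parent's .class resource (constructed setup). */
    static class SelfDefiningLoader extends ClassLoader {
        final boolean parentLast;
        SelfDefiningLoader(ClassLoader parent, boolean parentLast) {
            super(parent);
            this.parentLast = parentLast;
        }
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            String path = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] b = in.readAllBytes();
                return defineClass(name, b, 0, b.length);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            // java.* always goes to the parent chain; defineClass rejects that package prefix.
            if (!parentLast || name.startsWith("java.")) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    try { c = findClass(name); }                 // this loader's own copy first
                    catch (ClassNotFoundException e) { c = super.loadClass(name, false); } // parent last
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }
    }
    public static void main(String[] args) throws Exception {
        ClassLoader app = DelegationOrderDemo.class.getClassLoader();
        String name = Probe.class.getName();
        Class<?> viaParentFirst = new SelfDefiningLoader(app, false).loadClass(name);
        Class<?> viaParentLast  = new SelfDefiningLoader(app, true).loadClass(name);
        System.out.println("parent-first returns parent's class: " + (viaParentFirst == Probe.class));
        System.out.println("parent-last returns parent's class:  " + (viaParentLast == Probe.class));
        System.out.println("parent-last copy defined by child:   " + (viaParentLast.getClassLoader() != app));
    }
}
```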
