Page History

As an example of what constitutes the immediate caller and the object, consider the method {{java.lang.Class.newInstance()}}. Here, the immediate caller is the class that contains this method call whereas the object on which the {{newInstance()}} method is being invoked is referred to as the {{Class}} object ({{classObjectName.newInstance()}}). According to the Java Language Specification \[[JLS 2005|AA. Java References#JLSBibliography#JLS 05]\], Section 4.3.2, "The Class {{Object}}": "The method {{getClass}} returns the {{Class}} object that represents the class of the object."  

This noncompliant code example shows the declaration of a {{Digester}} instance in the {{org.apache.catalina.startup.ContextConfig}} class. "A {{Digester}} processes an XML input stream by matching a series of element nesting patterns to execute Rules that have been added prior to the start of parsing" \[[Tomcat 2009|AA. Java References#TomcatBibliography#Tomcat 09]\]. The method call chain can be traced as the following:

\[[Gong 2003|AA. Java References#GongBibliography#Gong 03]\] Section 4.3.2, Class Loader Delegation Hierarchy
\[[SCG 2007|AA. Java References#SCGBibliography#SCG 07]\] Guideline 6-2 Safely invoke standard APIs that bypass SecurityManager checks depending on the immediate caller's class loader
\[[Tomcat 2009|AA. Java References#TomcatBibliography#Tomcat 09]\] [Bug ID 29936|https://issues.apache.org/bugzilla/show_bug.cgi?id=29936], API Class {{org.apache.tomcat.util.digester.Digester}}, [Security fix in v 6.0.20|http://tomcat.apache.org/security-6.html]
\[[CVE 2008|AA. Java References#CVEBibliography#CVE 08]\] [CVE-2009-0783|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783]