Versions Compared

...

As an example of what constitutes the immediate caller and the object, consider the method {{java.lang.Class.newInstance()}}. Here, the immediate caller is the class that contains this method call, whereas the object on which the {{newInstance()}} method is being invoked is referred to as the {{Class}} object ({{classObjectName.newInstance()}}). According to the Java Language Specification \[[JLS 2005|AA. Java References#JLS 05]\], Section 4.3.2, "The Class {{Object}}": "The method {{getClass}} returns the {{Class}} object that represents the class of the object."

If a security manager is present, untrusted code that does not have the permissions to use the API directly is disallowed from indirectly using trusted code containing the API call to perform the operation. However, the security manager checks are bypassed if the class loader of the immediate caller is the same as, or a delegation ancestor of, the class loader of the object on which the API is invoked. Consequently, untrusted callers who do not have the required permissions but are capable of passing the class loader check are able to perform sensitive operations if the trusted code invokes these APIs on their behalf.

...

This noncompliant code example shows the declaration of a {{Digester}} instance in the {{org.apache.catalina.startup.ContextConfig}} class. "A {{Digester}} processes an XML input stream by matching a series of element nesting patterns to execute Rules that have been added prior to the start of parsing" \[[Tomcat 2009|AA. Java References#Tomcat 09]\]. The method call chain can be traced as follows:

  • The createWebDigester() method is responsible for creating the Digester. This method internally calls createWebXMLDigester().
  • The method createWebXMLDigester() requests the method DigesterFactory.newDigester() to create a new digester instance and sets a boolean flag useContextClassLoader to true. This means that the context class loader, in this case the WebappClassLoader, is used to create the digester.

...

  • Later, when the Digester.getParser() method is internally called by Tomcat to process the web.xml and other files, according to the search rules, the parser installed by the untrusted web application is preferred; otherwise, the default parser is used.
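The two patterns described above (trusted code invoking a reduced-check API such as {{Class.newInstance()}} on a caller-supplied object, and trusted code letting the context class loader choose which implementation is loaded), each beside an assumed remedy, as an added illustration that is not code from this page or from Tomcat; {{TrustedFactory}} and its method names are assumptions:

```java
import java.lang.reflect.Constructor;

// Added illustration (not the page's or Tomcat's code): a trusted library
// class, assumed to be loaded by a trusted class loader that is an ancestor
// of the loaders of the code that calls it.
public final class TrustedFactory {

    private TrustedFactory() {}

    // Noncompliant: Class.newInstance() compares the class loader of the
    // immediate caller (this trusted class) with the loader of clazz. When the
    // trusted loader is the same as, or an ancestor of, clazz's loader, the
    // package-access check is skipped, so an untrusted caller that could not
    // invoke clazz.newInstance() itself has the trusted code do it on its behalf.
    public static Object newInstanceNoncompliant(Class<?> clazz) throws Exception {
        return clazz.newInstance();
    }

    // Compliant (assumed remedy): perform the package-access check explicitly.
    // It is evaluated against the whole call stack, including the untrusted
    // caller's frames, so a caller lacking the permission fails here instead
    // of inheriting this class's privileges.
    public static Object newInstanceCompliant(Class<?> clazz) throws Exception {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            Package pkg = clazz.getPackage();      // null for arrays/primitives
            if (pkg != null) {
                sm.checkPackageAccess(pkg.getName());
            }
        }
        Constructor<?> ctor = clazz.getConstructor(); // public no-arg constructor
        return ctor.newInstance();
    }

    // Noncompliant: like a Digester with useContextClassLoader set to true,
    // this lets the thread's context class loader (for example, a web
    // application's loader) decide which implementation of a component is used.
    public static Object loadComponentNoncompliant(String className) throws Exception {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        return newInstanceCompliant(Class.forName(className, true, cl));
    }

    // Compliant (assumed remedy): resolve components only through the trusted
    // code's own class loader, so a class supplied by untrusted code cannot
    // shadow the default implementation.
    public static Object loadComponentCompliant(String className) throws Exception {
        ClassLoader cl = TrustedFactory.class.getClassLoader();
        return newInstanceCompliant(Class.forName(className, true, cl));
    }
}
```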

...

Bypassing security manager checks may seriously compromise the security of a Java application.

|| Guideline || Severity || Likelihood || Remediation Cost || Priority || Level ||
| SEC04-J | high | probable | medium | P12 | L1 |

...