6bad2dd657
This was a (minor) security flaw. Instead, behaviour is reverted to pre-1.1 behaviour where no AccessController is used, and a new private method getContextClassloaderInternal has been created. The chance of breaking valid user code is extremely small here. Note that this forces subclass LogFactoryImpl to provide its own copy of getContextClassloaderInternal, as the parent no longer exposes the (restricted) context classloader object. * Get system properties using an AccessController so they are accessable by a trusted JCL lib called from untrusted code. * Revert recent patch to run entire static initializer under an AccessController, as the chances of creating a security flaw are too high. The specific problem this patch was intended to fix has been addressed by fetching specific system properties via an AccessController. git-svn-id: https://svn.apache.org/repos/asf/jakarta/commons/proper/logging/trunk@424063 13f79535-47bb-0310-9956-ffa450edef68