commons-dev mailing list archives

From Tim Vernum <Tim.Ver...@macquarie.com>
Subject RE: LogFactoryImpl.java - SecurityException
Date Wed, 27 Mar 2002 02:52:17 GMT
> From: Juozas Baliuka [mailto:baliuka@mwm.lt]

>> Would it be possible for someone to change file LogFactoryImpl.java?
>> It currently has:
>>         } catch (SecurityException e) {
>>         }
>> And it might be better if it had:
>>         } catch (SecurityException e) {
>>                 logClassName = LOG_DEFAULT;
>>         }
>>
>> This would prevent null being passed to loadClass().

> I do not work on this project, but I think it is not the best idea
> to set default logger on security exception.

I do use the project, and I agree that setting to the default logger
is a bad idea on security exception.

The contract the logging has is that it will attempt the following:
 * Look at attribute set on Factory
 * Look at system properties
 * Try log4j
 * Try JDK1.4
 * Use Default (no-op?) log

If it fails to get system property, it should try to use log4j, and
*not* automatically use the default log.

> It will be very difficult to find a problem and grant required permissions
> or to disable logging if app does not have permissions for logging.

I agree with the first matter, although the second case isn't really the
issue.

> The most *secure* way is not to catch SecurityException at all, or
> rethrow it. It must not be a problem because it is a Runtime exception.

Err no.
Then logging (and any component that depends on it) would be useless in
any environment where system properties were protected.

Please see the bug report on this:
  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7468



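The discovery order discussed in the message above, as an added sketch that is not part of the original thread and is not the Commons Logging source. The class name, the property name, the wrapper class names and the injected property lookup (used to simulate a sandbox that protects system properties) are all assumptions.

```java
import java.util.function.Function;

// Hypothetical sketch of the discovery order listed in the message.
public class LogDiscoverySketch {
    static final String PROPERTY = "example.log.impl";        // assumed property name
    static final String LOG4J_PROBE = "org.apache.log4j.Category";
    static final String JDK14_PROBE = "java.util.logging.Logger";
    static final String LOG4J_LOG = "example.Log4jLog";       // assumed wrapper class names
    static final String JDK14_LOG = "example.Jdk14Log";
    static final String LOG_DEFAULT = "example.NoOpLog";      // assumed default (no-op) log

    /** Returns the name of the log implementation to load; never null. */
    static String discover(String factoryAttribute, Function<String, String> sysProps) {
        String name = factoryAttribute;                  // 1. attribute set on the factory
        if (name == null) {
            try {
                name = sysProps.apply(PROPERTY);         // 2. system property
            } catch (SecurityException e) {
                // Property access denied: report it so the missing permission can
                // be found, then continue with the remaining steps instead of
                // jumping straight to the default or rethrowing.
                System.err.println("system property unreadable: " + e.getMessage());
            }
        }
        if (name == null && isAvailable(LOG4J_PROBE)) name = LOG4J_LOG;   // 3. log4j
        if (name == null && isAvailable(JDK14_PROBE)) name = JDK14_LOG;   // 4. JDK 1.4
        if (name == null) name = LOG_DEFAULT;                              // 5. default
        return name;                                     // safe to hand to loadClass()
    }

    /** Probes for a class without initializing it. */
    static boolean isAvailable(String className) {
        try {
            Class.forName(className, false, LogDiscoverySketch.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError | SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed stand-in for an environment where system properties are protected.
        Function<String, String> denied = key -> {
            throw new SecurityException("read denied for " + key);
        };
        System.out.println(discover(null, denied));              // property read denied
        System.out.println(discover(null, System::getProperty)); // property readable
        System.out.println(discover("example.MyLog", denied));   // factory attribute wins
    }
}
```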

