commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 9743] New: - Security policy configuration, SimpleLog uses System.getProperties()
Date Mon, 10 Jun 2002 13:03:29 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9743>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9743

Security policy configuration, SimpleLog uses System.getProperties()

           Summary: Security policy configuration, SimpleLog uses
                    System.getProperties()
           Product: Commons
           Version: Nightly Builds
          Platform: PC
        OS/Version: Solaris
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Logging
        AssignedTo: commons-dev@jakarta.apache.org
        ReportedBy: glenn@apache.org


SimpleLog uses System.getProperties to get a list of existing
org.apache.commons.logging.* properties.

If commons-logging is running within an application which uses
the Java SecurityManager such as Tomcat this requires granting
java.util.PropertyPermission "*", "read" to not only
commongs-logging.jar, but all other jar files with classes
on the stack.

This makes it impossible to restrict access to reading properties
for any API's on the stack.

SimpleLog should get each individual property it needs separately.

This would apply to any other code which uses System.getProperties() also.

--
To unsubscribe, e-mail:   <mailto:commons-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:commons-dev-help@jakarta.apache.org>


Mime
View raw message