logging-log4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bill-lo...@carpenter.ORG (WJCarpenter)
Subject log4j vs the SecurityManager
Date Sat, 27 Nov 2004 03:54:46 GMT
If your JVM runs with a SecurityManager (common in production J2EE
environments), you'll be prevented from doing various otherwise
ordinary things unless the Java security policy has been configured to
let you.  So, you see in log4j various places catching security
exceptions and falling back to something reasonably graceful.  (There
are comments in the source code about some ancient MS JRE version, but
the same thing applies to all modern JREs.)

All well and good.  If you want, for example, to be allowed to read
the value of Java property "log4j.mumble", you have to configure Java
policy to allow it.  What would be great would be:

1.  Some documentation listing all the types of permissions you might
need to configure for various things.  There's the main body of log4j,
but there is also variable details for things like the bundled
appenders (e.g., FileAppender needs permission to write to whatever
file is configured).

2.  Besides catching security exceptions, these "privileged" actions
should be inside AccessController.doPrivileged() blocks.  If you don't
do that (and log4j doesn't in the couple placeds I looked), then you
also have to configure the same privileges for everything up the call
stack.  doPrivileged is a way of reducing it to a need to just
configure for log4j itself.

In case all of the above seems like gibberish, here are some useful
homework assignment links:

Default Policy Implementation and Policy File Syntax.  
<http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html>

Permissions in the JavaTM 2 SDK.  
<http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html>

API for Privileged Blocks.  
<http://java.sun.com/j2se/1.4.2/docs/guide/security/doprivileged>
-- 
bill-log4j@carpenter.ORG (WJCarpenter)    PGP 0x91865119
38 95 1B 69 C9 C6 3D 25    73 46 32 04 69 D6 ED F3


---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org


Mime
View raw message