logging-log4j-dev mailing list archives

From Gary Gregory <garydgreg...@gmail.com>
Subject Re: Hopefully last RC for 2.1 ?
Date Wed, 15 Oct 2014 14:49:21 GMT
Should we include a Tomcat policy file as a sample in the distro?

Gary

On Wed, Oct 15, 2014 at 2:09 AM, Ralph Goers <ralph.goers@dslextreme.com>
wrote:

> Well this is downright interesting.  I started Tomcat 7 using
> “./startup.sh -security” and both manager and host-manager failed to start,
> although not with access control or security exceptions.  The web app with
> Log4j did fail to start but it failed differently. In this case I think we
> would need to require that the catalina policy file be updated as not being
> able to get a ClassLoader is going to break everything.  I do notice that
> catalina.policy has a bunch of permissions for JULI, including
> setContextClassLoader.
>
> I think we need to document what permissions we require.
>
> Ralph
>
> SEVERE: ContainerBase.addChild: start:
> org.apache.catalina.LifecycleException: Failed to start component
> [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/eztax]]
>         at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
>         at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:901)
>         at
> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:133)
>         at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:156)
>         at
> org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:145)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
>         at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:649)
>         at
> org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:1083)
>         at
> org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1880)
>         at
> java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:262)
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.ExceptionInInitializerError
>         at
> org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:55)
>         at
> org.apache.logging.log4j.web.Log4jServletContainerInitializer.<clinit>(Log4jServletContainerInitializer.java:37)
>         at java.lang.Class.forName0(Native Method)
>         at java.lang.Class.forName(Class.java:270)
>         at
> org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:187)
>         at
> org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:152)
>         at
> org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1546)
>         at
> org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1268)
>         at
> org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:876)
>         at
> org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:374)
>         at
> org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
>         at
> org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
>         at
> org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5378)
>         at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
>         ... 14 more
> Caused by: java.security.AccessControlException: access denied
> ("java.lang.RuntimePermission" "getClassLoader")
>         at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
>         at
> java.security.AccessController.checkPermission(AccessController.java:559)
>         at
> java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>         at
> java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1561)
>         at
> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1480)
>         at
> org.apache.logging.log4j.util.LoaderUtil.findUrlResources(LoaderUtil.java:192)
>         at
> org.apache.logging.log4j.util.LoaderUtil.findResources(LoaderUtil.java:183)
>         at
> org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:90)
>         at
> org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:36)
>         ... 28 more
>
>
>
>
>
> On Oct 14, 2014, at 10:07 PM, Ralph Goers <ralph.goers@dslextreme.com>
> wrote:
>
> See the javadoc for Executors.privilegedThreadFactory(). It is documented
> as checking for that permission and throwing an AccessControlException.
> Since it is called in the constructor of DefaultShutdownCallbackRegistry it
> definitely has the potential for throwing an exception, which then causes
> log4j initialization to fail.  That just isn’t acceptable.
>
> Ralph
>
>
> On Oct 14, 2014, at 9:45 PM, Matt Sicker <boards@gmail.com> wrote:
>
> We never use setContextClassLoader though. I'm not sure why that security
> exception appears. I don't think there's any harm in fixing that.
>
> On 14 October 2014 22:59, Ralph Goers <ralph.goers@dslextreme.com> wrote:
>
>> Well darn.  Matt put an Assert.requiredNonNull on the Registry in
>> Log4jContextFactory. So even if the exception is caught it can’t be
>> ignored.  Unless I can find a way around this that commit is going to have
>> to be reverted.
>>
>> Ralph
>>
>> On Oct 14, 2014, at 7:57 PM, ralph.goers @dslextreme.com <
>> ralph.goers@dslextreme.com> wrote:
>>
>> I have an app that I was able to run successfully on a vanilla Tomcat. I
>> need to check the security settings on the server.  Regardless, this should
>> not cause initialization to fail.
>>
>> Ralph
>>
>> On Tuesday, October 14, 2014, Gary Gregory <garydgregory@gmail.com>
>> wrote:
>>
>>> IIRC, it looks like something Matt was working on recently and he did mention
>>> working through security issues. Hopefully he will see this message and can
>>> help out.
>>>
>>> It sounds like we need at least one integration test for Tomcat...
>>>
>>> Gary
>>>
>>> On Tue, Oct 14, 2014 at 8:30 PM, Ralph Goers <ralph.goers@dslextreme.com
>>> > wrote:
>>>
>>>> I am having a bit of trouble with the latest code.  Log4j won’t start
>>>> in tomcat due to a security violation. I am not going to go forward with
>>>> the release until I can determine what the problem is and fix it.
>>>>
>>>> Ralph
>>>>
>>>>  ERROR StatusLogger Unable to create class org.apache.logging.log4j.core.impl.Log4jContextFactory specified in jar:file:/usr/local/jakarta-tomcat/webapps/NextivaDriveBilling/WEB-INF/lib/log4j-core-2.1-SNAPSHOT.jar!/META-INF/log4j-provider.properties
>>>> java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader)
>>>>         at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>>>>         at java.util.concurrent.Executors$PrivilegedThreadFactory.<init>(Executors.java:563)
>>>>         at java.util.concurrent.Executors.privilegedThreadFactory(Executors.java:321)
>>>>         at org.apache.logging.log4j.core.util.DefaultShutdownCallbackRegistry.<init>(DefaultShutdownCallbackRegistry.java:54)
>>>>         at org.apache.logging.log4j.core.impl.Log4jContextFactory.createShutdownCallbackRegistry(Log4jContextFactory.java:117)
>>>>         at org.apache.logging.log4j.core.impl.Log4jContextFactory.<init>(Log4jContextFactory.java:54)
>>>>         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>         at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>>         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>>         at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>>         at java.lang.Class.newInstance0(Class.java:357)
>>>>         at java.lang.Class.newInstance(Class.java:310)
>>>>         at org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:96)
>>>>         at org.apache.logging.log4j.core.config.Configurator.getFactory(Configurator.java:154)
>>>>         at org.apache.logging.log4j.core.config.Configurator.initialize(Configurator.java:109)
>>>>         at org.apache.logging.log4j.web.Log4jWebInitializerImpl.initializeNonJndi(Log4jWebInitializerImpl.java:157)
>>>>         at org.apache.logging.log4j.web.Log4jWebInitializerImpl.start(Log4jWebInitializerImpl.java:107)
>>>>         at org.apache.logging.log4j.web.Log4jServletContextListener.contextInitialized(Log4jServletContextListener.java:45)
>>>>         at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3795)
>>>>         at org.apache.catalina.core.StandardContext.start(StandardContext.java:4252)
>>>>         at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:760)
>>>>         at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:740)
>>>>         at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:544)
>>>>         at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:884)
>>>>         at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:737)
>>>>         at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:498)
>>>>         at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1203)
>>>>         at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:319)
>>>>         at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:120)
>>>>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1022)
>>>>         at org.apache.catalina.core.StandardHost.start(StandardHost.java:736)
>>>>         at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1014)
>>>>         at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
>>>>         at org.apache.catalina.core.StandardService.start(StandardService.java:448)
>>>>         at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
>>>>         at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>         at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
>>>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
>>>>
>>>> ERROR StatusLogger Log4j2 could not find a logging implementation. Please add log4j-core to the classpath. Using SimpleLogger to log to the console...
>>>> ERROR StatusLogger LogManager returned an instance of org.apache.logging.log4j.simple.SimpleLoggerContextFactory which does not implement org.apache.logging.log4j.core.impl.Log4jContextFactory. Unable to initialize Log4j.
>>>>
>>>>
>>>>
>>>>
>>>> On Oct 14, 2014, at 9:16 AM, Matt Sicker <boards@gmail.com> wrote:
>>>>
>>>> Oh crap, you're right.
>>>>
>>>> On 14 October 2014 11:05, Gary Gregory <garydgregory@gmail.com> wrote:
>>>>
>>>>> Don't you have to login to Nexus to release though?
>>>>>
>>>>> Gary
>>>>>
>>>>> On Tue, Oct 14, 2014 at 11:34 AM, Matt Sicker <boards@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Question: if I start the release process with everything signed, can
>>>>>> someone else complete it when the vote is done?
>>>>>>
>>>>>> On 13 October 2014 22:26, Ralph Goers <rgoers@apache.org> wrote:
>>>>>>
>>>>>>> Matt can't do it so I will.  It will be in the next couple of days.
>>>>>>>
>>>>>>> Sent from my iPad
>>>>>>>
>>>>>>> On Oct 13, 2014, at 7:22 PM, Gary Gregory <garydgregory@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Hi All:
>>>>>>>
>>>>>>> I'm sure we are all busy (I am!) but do we have a plan for cutting
>>>>>>> what will hopefully be the last 2.1 RC?
>>>>>>>
>>>>>>> Gary
>>>>>>>
>>>>>>> --
>>>>>>> E-Mail: garydgregory@gmail.com | ggregory@apache.org
>>>>>>> Java Persistence with Hibernate, Second Edition
>>>>>>> <http://www.manning.com/bauer3/>
>>>>>>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>>>>>>> Spring Batch in Action <http://www.manning.com/templier/>
>>>>>>> Blog: http://garygregory.wordpress.com
>>>>>>> Home: http://garygregory.com/
>>>>>>> Tweet! http://twitter.com/GaryGregory
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Matt Sicker <boards@gmail.com>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Matt Sicker <boards@gmail.com>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
> --
> Matt Sicker <boards@gmail.com>
>
>
>
>


-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
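
Added example, not part of the thread and not Log4j code: one way to report which of the two `RuntimePermission`s named in the quoted stack traces are denied, and to keep a denial in `Executors.privilegedThreadFactory()` from aborting initialization. The class and method names are hypothetical, and it assumes a JVM where the Security Manager API is available, as on the Tomcat setup described in the thread.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;

/** Hypothetical helper for illustration; not a Log4j class. */
public final class SandboxSafeThreads {

    // The two permissions named in the AccessControlExceptions quoted in the thread.
    static final String[] REQUIRED = {"getClassLoader", "setContextClassLoader"};

    /** Returns the entries of REQUIRED that the current access control context is denied. */
    static List<String> missingPermissions() {
        List<String> missing = new ArrayList<String>();
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return missing; // no Security Manager installed, so nothing is checked
        }
        for (String name : REQUIRED) {
            try {
                sm.checkPermission(new RuntimePermission(name));
            } catch (SecurityException denied) { // AccessControlException is a subclass
                missing.add(name);
            }
        }
        return missing;
    }

    /** Prefers the privileged factory, but a policy denial does not propagate to the caller. */
    static ThreadFactory newThreadFactory() {
        try {
            // Documented to throw AccessControlException when the caller may not
            // both get and set the context class loader.
            return Executors.privilegedThreadFactory();
        } catch (SecurityException denied) {
            // defaultThreadFactory() is not documented to require those permissions.
            return Executors.defaultThreadFactory();
        }
    }

    public static void main(String[] args) {
        List<String> missing = missingPermissions();
        ThreadFactory factory = newThreadFactory();
        System.out.println("Denied RuntimePermissions: " + missing);
        System.out.println("Thread factory in use: " + factory.getClass().getName());
    }
}
```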
