logging-log4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gary Gregory (JIRA)" <j...@apache.org>
Subject [jira] [Created] (LOG4J2-1110) org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late
Date Fri, 28 Aug 2015 20:45:46 GMT
Gary Gregory created LOG4J2-1110:
------------------------------------

             Summary: org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security
permission too late
                 Key: LOG4J2-1110
                 URL: https://issues.apache.org/jira/browse/LOG4J2-1110
             Project: Log4j 2
          Issue Type: Bug
          Components: JUL adapter
    Affects Versions: 2.3
            Reporter: Gary Gregory


org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late.

The JUL Javadocs https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html#setLevel(java.util.logging.Level)
state:

{quote}
Throws:
SecurityException - if a security manager exists and if the caller does not have LoggingPermission("control").
{quote}

Our impl {{org.apache.logging.log4j.jul.CoreLogger.setLevel(Level)}}:
{code:java}
    @Override
    public void setLevel(final Level level) throws SecurityException {
        logger.setLevel(LevelTranslator.toLevel(level));
        super.doSetLevel(level);
    }
{code}

Checks for perms through {{super.doSetLevel(level)}} which is too late since our logger is
already modified.

The fix is to switch the two calls:

{code:java}
    @Override
    public void setLevel(final Level level) throws SecurityException {
        super.doSetLevel(level);
        logger.setLevel(LevelTranslator.toLevel(level));
    }
{code}





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org


Mime
View raw message