logging-log4j-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ralph Goers <ralph.go...@dslextreme.com>
Subject Re: Security Permissions
Date Tue, 15 Sep 2015 17:02:30 GMT
Yes - if we want to do it at all.

Ralph

> On Sep 15, 2015, at 9:15 AM, Gary Gregory <garydgregory@gmail.com> wrote:
> 
> On Fri, Sep 11, 2015 at 4:41 PM, Gary Gregory <garydgregory@gmail.com <mailto:garydgregory@gmail.com>>
wrote:
> Ah, so you are talking about doing this for all of Log4j, not just something we are missing
in log4j-jul?
> 
> Ping. For 2.5?
> 
> Gary
>  
> 
> Gary
> 
> On Fri, Sep 11, 2015 at 4:32 PM, Ralph Goers <ralph.goers@dslextreme.com <mailto:ralph.goers@dslextreme.com>>
wrote:
> j.u.l.LogManager checks LoggingPermission(“control”) on addPropertyChangeListener,
removePropertyChangeListener, readConfiguration, reset, and checkAccess. j.u.l.Logger checks
LoggingPermission(“control”) on setFilter, addHandler, removeHandler, setUseParentHandlers,
and setParent. j.u.l.MemoryHandler checks LoggingPermission(“control”) on the setPushLevel
method. etc.
> 
> I don’t believe we currently check permissions when application code tries to modify
the configuration. Should we?
> 
> Ralph
> 
>> On Sep 11, 2015, at 2:46 PM, Gary Gregory <garydgregory@gmail.com <mailto:garydgregory@gmail.com>>
wrote:
>> 
>> The last time I looked at that it looked like we were doing the right thing. But
we might be talking about a different part of the code.
>> 
>> Can you be more specific?
>> 
>> Gary
>> 
>> On Fri, Sep 11, 2015 at 1:55 PM, Ralph Goers <ralph.goers@dslextreme.com <mailto:ralph.goers@dslextreme.com>>
wrote:
>> I was noticing the other day in the jul javadoc that operations that modify the configuration
check the security manager for a LoggingPermission. Any thoughts on whether we should also
be checking the same permissions?
>> 
>> Ralph
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org <mailto:log4j-dev-unsubscribe@logging.apache.org>
>> For additional commands, e-mail: log4j-dev-help@logging.apache.org <mailto:log4j-dev-help@logging.apache.org>
>> 
>> 
>> 
>> 
>> -- 
>> E-Mail: garydgregory@gmail.com <mailto:garydgregory@gmail.com> | ggregory@apache.org 
<mailto:ggregory@apache.org>
>> Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>> Spring Batch in Action <http://www.manning.com/templier/>
>> Blog: http://garygregory.wordpress.com <http://garygregory.wordpress.com/>

>> Home: http://garygregory.com/ <http://garygregory.com/>
>> Tweet! http://twitter.com/GaryGregory <http://twitter.com/GaryGregory>
> 
> 
> 
> -- 
> E-Mail: garydgregory@gmail.com <mailto:garydgregory@gmail.com> | ggregory@apache.org 
<mailto:ggregory@apache.org>
> Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
> Spring Batch in Action <http://www.manning.com/templier/>
> Blog: http://garygregory.wordpress.com <http://garygregory.wordpress.com/> 
> Home: http://garygregory.com/ <http://garygregory.com/>
> Tweet! http://twitter.com/GaryGregory <http://twitter.com/GaryGregory>
> 
> 
> -- 
> E-Mail: garydgregory@gmail.com <mailto:garydgregory@gmail.com> | ggregory@apache.org 
<mailto:ggregory@apache.org>
> Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
> Spring Batch in Action <http://www.manning.com/templier/>
> Blog: http://garygregory.wordpress.com <http://garygregory.wordpress.com/> 
> Home: http://garygregory.com/ <http://garygregory.com/>
> Tweet! http://twitter.com/GaryGregory <http://twitter.com/GaryGregory>

Mime
View raw message