logging-log4j-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ceki Gulcu <...@urbanet.ch>
Subject Re: need signed version of log4j.jar...
Date Thu, 11 Jan 2001 11:13:23 GMT

Ted,

The act of signing is not a problem. However, wouldn't the public signer's 
key need to be registered somewhere? Otherwise Ali could claim to be Ahmet. 
What is Java's security model? Is something signed deemed good as long as 
it is signed regardless of who the identity of the signed? That would be 
pretty silly.

My question is really do I (or Apache) need to register with some CA? Any 
enlightenment on this issue would be appreciated. Ceki




At 16:43 10.01.2001 -0600, you wrote:
>Hi,
>
>Since this is my first post to the log4j list I would first like to say
>THANK YOU for making this tool available.  It is very fine work.
>
>Basically, this post is a request that you distribute digitally signed
>versions of log4j.jar and log4j-core.jar.
>
>Here's why...
>I have just started using Log4J in an application that I intend to
>distribute using Java Web Start (http://java.sun.com/products/javawebstart).
>
>Java Web Start basically downloads applications to a client machine and runs
>the applications in a sandbox, much like a browser runs applets.
>My application is distributed in a signed jar and because my application's
>jar is signed my application can request that it be given all permissions on
>the client machine on which it is running.
>Third-party "extensions" that are used by my application, like log4j, may
>inherit my application's permissions but only if the code is signed.  Since
>the log4j.jar is not signed it is not granted any permissions at all by Java
>WebStart and is therefore unusable (log4j immediately generates the
>Exception shown below).
>
>Anyway, for now I will work around the problem by signing the jar file
>myself but that's not the "right" solution.
>
>thanks,
>ted stockwell
>
>BTW...if I can be of any help with this then please don't hesitate to let me
>know (but e-mail me directly since I'm not a list subscriber).
>
>
>
>-------------------------------
>java.lang.ExceptionInInitializerError: java.security.AccessControlException:
>access denied (java.util.PropertyPermission log4j.configuration read)
>at
>java.security.AccessControlContext.checkPermission(AccessControlContext.java
>:272)
>at java.security.AccessController.checkPermission(AccessController.java:399)
>
>at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
>at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1278)
>
>at java.lang.System.getProperty(System.java:599)
>at org.apache.log4j.Category.<clinit>(Category.java:135)
>at Installer.<clinit>(Installer.java:48)
>at java.lang.reflect.Method.invoke(Native Method)
>at com.sun.javaws.Launcher.executeApplication(Launcher.java:701)
>at com.sun.javaws.Launcher.executeMainClass(Launcher.java:663)
>at com.sun.javaws.Launcher.continueLaunch(Launcher.java:546)
>at com.sun.javaws.Launcher.handleApplicationDesc(Launcher.java:334)
>at com.sun.javaws.Launcher.handleLaunchFile(Launcher.java:151)
>at com.sun.javaws.Launcher.<init>(Launcher.java:113)
>at com.sun.javaws.Main.main(Main.java:153)
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: log4j-user-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: log4j-user-help@jakarta.apache.org


Mime
View raw message