logging-log4j-user mailing list archives

From "James Richardson" <james.richard...@db.com>
Subject Re: need signed version of log4j.jar...
Date Thu, 11 Jan 2001 14:59:32 GMT

There's an article on the Java signing process in this month's Dr Dobbs.


---------------------------------------- Message History ----------------------------------------

From: Tom Palmer <tom.palmer@interpath.net> on 11/01/2001 09:54

Please respond to "LOG4J Users Mailing List" <log4j-user@jakarta.apache.org>

To:   LOG4J Users Mailing List <log4j-user@jakarta.apache.org>
cc:   "Stockwell, Ted" <ted.stockwell@xqsite.com>
Subject:  Re: need signed version of log4j.jar...

Ted -

Seems like signing the jar file yourself *is* the right solution since
you can sign all your jars with the same key - one that you control and
provide to your clients for installation and permission granting.  What
are we missing?

Ceki Gulcu wrote:
> Ted,
> The act of signing is not a problem. However, wouldn't the public signer's
> key need to be registered somewhere? Otherwise Ali could claim to be Ahmet.
> What is Java's security model? Is something signed deemed good as long as
> it is signed, regardless of the identity of the signer? That would be
> pretty silly.
> My question is really do I (or Apache) need to register with some CA? Any
> enlightenment on this issue would be appreciated. Ceki
> At 16:43 10.01.2001 -0600, you wrote:
> >Hi,
> >
> >Since this is my first post to the log4j list I would first like to say
> >THANK YOU for making this tool available.  It is very fine work.
> >
> >Basically, this post is a request that you distribute digitally signed
> >versions of log4j.jar and log4j-core.jar.
> >
> >Here's why...
> >I have just started using Log4J in an application that I intend to
> >distribute using Java Web Start (http://java.sun.com/products/javawebstart).
> >
> >Java Web Start basically downloads applications to a client machine and runs
> >the applications in a sandbox, much like a browser runs applets.
> >My application is distributed in a signed jar and because my application's
> >jar is signed my application can request that it be given all permissions on
> >the client machine on which it is running.
> >Third-party "extensions" that are used by my application, like log4j, may
> >inherit my application's permissions but only if the code is signed.  Since
> >the log4j.jar is not signed it is not granted any permissions at all by Java
> >WebStart and is therefore unusable (log4j immediately generates the
> >Exception shown below).
> >
> >Anyway, for now I will work around the problem by signing the jar file
> >myself but that's not the "right" solution.
> >
> >thanks,
> >ted stockwell
> >
> >BTW...if I can be of any help with this then please don't hesitate to let me
> >know (but e-mail me directly since I'm not a list subscriber).
> >
> >
> >
> >-------------------------------
> >java.lang.ExceptionInInitializerError: java.security.AccessControlException: access denied (java.util.PropertyPermission log4j.configuration read)
> >at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
> >at java.security.AccessController.checkPermission(AccessController.java:399)
> >at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
> >at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1278)
> >at java.lang.System.getProperty(System.java:599)
> >at org.apache.log4j.Category.<clinit>(Category.java:135)
> >at Installer.<clinit>(Installer.java:48)
> >at java.lang.reflect.Method.invoke(Native Method)
> >at com.sun.javaws.Launcher.executeApplication(Launcher.java:701)
> >at com.sun.javaws.Launcher.executeMainClass(Launcher.java:663)
> >at com.sun.javaws.Launcher.continueLaunch(Launcher.java:546)
> >at com.sun.javaws.Launcher.handleApplicationDesc(Launcher.java:334)
> >at com.sun.javaws.Launcher.handleLaunchFile(Launcher.java:151)
> >at com.sun.javaws.Launcher.<init>(Launcher.java:113)
> >at com.sun.javaws.Main.main(Main.java:153)
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: log4j-user-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: log4j-user-help@jakarta.apache.org

Tom Palmer                                  Interpath Communications
Interactive Technologies Consulting         1700 Perimeter Park West
tom.palmer@interpath.net                    Morrisville, NC 27560
919-253-6586 (fax)


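The thread turns on whether "is signed" is enough or whether the signer's identity has to be checked. As an added example (not code from the list, from log4j or from Java Web Start), the check below accepts a JAR only when every content entry verifies and carries a signer certificate whose SHA-256 fingerprint matches one the recipient obtained out of band. The class name `PinnedJarCheck`, its method names and the two command-line arguments are assumptions of this example; it needs Java 17 for `HexFormat`.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HexFormat;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class PinnedJarCheck {
    // SHA-256 fingerprint of the DER-encoded certificate, lowercase hex.
    static String fingerprint(Certificate cert) throws Exception {
        return HexFormat.of().formatHex(
            MessageDigest.getInstance("SHA-256").digest(cert.getEncoded()));
    }

    // The manifest and signature blocks in META-INF are never themselves signed.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    // True only if every content entry verifies and carries the pinned signer.
    static boolean signedByPinnedKey(String jarPath, String pinnedSha256) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {            // true = verify signatures
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signers are populated only after the entry is read to the end;
                // a modified entry throws SecurityException during the read.
                try (InputStream in = jar.getInputStream(entry)) { in.readAllBytes(); }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return false;                   // unsigned entry
                boolean pinned = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    pinned |= fingerprint(leaf).equalsIgnoreCase(pinnedSha256);
                }
                if (!pinned) return false;                           // signed by another key
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // args[0] = JAR path; args[1] = fingerprint received out of band (both caller-supplied)
        boolean ok = signedByPinnedKey(args[0], args[1]);
        System.out.println(ok ? "OK: pinned signer on every entry" : "REJECT: unsigned or unknown signer");
        System.exit(ok ? 0 : 1);
    }
}
```

A JAR signed with any self-generated key passes the signature check alone; it is the fingerprint comparison that ties the signature to a known party, whether that fingerprint comes from a CA-issued certificate or from a key the distributor hands to its clients directly.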