santuario-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45095] New: log4j.properties in xmlsec sources and builds has side effects in production environment
Date Thu, 29 May 2008 14:40:22 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45095

           Summary: log4j.properties in xmlsec sources and builds has side
                    effects in production environment
           Product: Security
           Version: Java 1.4.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encryption
        AssignedTo: security-dev@xml.apache.org
        ReportedBy: syrion.com@club-internet.fr


xmlsec sources in svn and xmlsec builds in official maven repositories and also
in http://xml.apache.org/security/dist/java-library/ contain a
log4j.properties that is unusable for production.

Not only is it a bad practice to redefine a root logger in log4j.properties,
but it is redefined to accept DEBUG level. This can cause a production
environment to write a lot of debug data to log files.

Every single project having a log4j config MUST:
 - choose a unique name for its log4j.properties (or .xml), so the classloader
does not load it instead of another log4j.properties/.xml. The log4j config file
should be loaded explicitly with the *Configurator. This allows multiple jars in
the same classloader to append their log4j config instead of having only one
loaded at random.
 - never redefine the root logger. The root logger may be called by anyone, so
if you redefine it, side effects occur (such as having another software logging
in "your" root logger). The root logger should be defined at a WAR or EAR level
as a default logger.
 - never define the root logger with DEBUG level: this should be the choice of
the user to increase the verbosity level.

xmlsec has a bad log4j config: it redefines a root logger at DEBUG level.

This issue
 - forces developers to rebuild xmlsec-*.jar with a custom log4j.properties in
order to lower the verbosity for production
 - forces developers to avoid using maven or apache repositories

The biggest problem is that even with a correct log4j.properties, this file may
interact with other badly designed software using the same default config name.
So one library among them will have its logger loaded, and the other will fail
silently!

I'm reporting this because xmlsec-1.3.1 was the cause for another component to
log a lot of DEBUG info on sysout. But 1.4.1 has the same problem.

The correct way to correct this is:
 - remove the root logger config from
org/apache/xml/security/resource/log4j.properties
 - set the other loggers to ERROR level

Only the user can decide if the verbosity should be increased.

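The two configurations the report contrasts, as an added illustration written for this archive page (constructed, not the actual contents of xmlsec's log4j.properties): first a library-shipped file that redefines the root logger at DEBUG, then the shape the reporter asks for. The file name xmlsec-log4j.properties is a hypothetical example of a library-specific name.

```properties
# ===== File 1 (constructed "before"): shipped inside a jar as log4j.properties =====
# Because it uses log4j's default config name, whichever copy of log4j.properties the
# classloader finds first wins, silently replacing the application's own config.
# Because it sets the ROOT logger, it forces every logger in the JVM to DEBUG and
# attaches its own console appender, so unrelated components start spilling debug
# output to sysout in production.
log4j.rootLogger=DEBUG, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d %-5p [%c] %m%n

# ===== File 2 (constructed "after"): shipped as xmlsec-log4j.properties (hypothetical name) =====
# - No log4j.rootLogger line and no appenders: the root logger's level and appenders are
#   left to the WAR/EAR-level configuration, so this file cannot hijack other software's logging.
# - A unique file name, loaded explicitly by the library with
#   org.apache.log4j.PropertyConfigurator.configure(...) instead of relying on log4j's
#   automatic lookup of "log4j.properties", so several jars can each contribute their
#   own config rather than one of them being picked at random.
# - Only the library's own package is configured, and at ERROR, so the default is quiet;
#   an operator who wants more detail raises this single logger in the application config.
log4j.logger.org.apache.xml.security=ERROR
```

Each half is a complete stand-alone properties file; they are shown in one fence only for side-by-side comparison and would never be merged into a single file.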

