santuario-dev mailing list archives

Subject DO NOT REPLY [Bug 45095] New: log4j.properties in xmlsec sources and builds has side effects in production environment
Date Thu, 29 May 2008 14:40:22 GMT

           Summary: in xmlsec sources and builds has side
                    effects in production environment
           Product: Security
           Version: Java 1.4.1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Encryption

xmlsec sources in svn and xmlsec builds in official maven repositories and also
in contain an unusable for production.

Not only is it a bad practice to redefine a root logger in,
but it is redefined to accept DEBUG level. This can cause a production
environment to flow a lot of debug data in log files.

Every single project having a log4j config MUST:
 - choose a unique name for its (or .xml) to avoid the classloader
taking instead of another. The log4j config file should
be called explicitly with the *Configurator. This allows multiple jars in the
same classloader to append their log4j config instead of having only one loaded
at random.
 - never redefine the root logger. The root logger may be called by anyone, so
if you redefine it, side effects occur (such as having another software logging in
"your" root logger). The root logger should be defined at a WAR or EAR level as
a default logger.
 - never define the root logger with DEBUG level: this should be the choice of the
user to increase the verbosity level.

xmlsec has a bad log4j config: it redefines a root logger at DEBUG level.

This issue:
 - forces developers to re-build xmlsec-*.jar with a custom in
order to lower the verbosity for production
 - forces developers to avoid using maven or apache repositories

The biggest problem is that even with a correct, this file may
interact with other badly designed software using the same default config name.
So one library among them will have its logger loaded, the other will fail
silently!

I'm reporting this because xmlsec-1.3.1 was the cause for another component to
log a lot of DEBUG info on sysout. But 1.4.1 has the same problem.

The correct way to correct this is:
 - removing the root logger config from
 - setting other loggers at ERROR level

Only the user can decide if the verbosity should be increased.
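As an added illustration (not code from this report or from the xmlsec project), here is a Java sketch of the library-side log4j 1.x setup the report asks for: a config applied through PropertyConfigurator on top of whatever the host already loaded, which refuses any file that claims the root logger. It assumes log4j 1.x, that org.apache.xml.security is xmlsec's package, and a hypothetical unique resource name; the two config strings are constructed to mirror the shapes the report describes.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

import org.apache.log4j.Logger;
import org.apache.log4j.PropertyConfigurator;

/** Library-side log4j 1.x setup that leaves the host application's root logger alone. */
public final class XmlsecLogConfig {

    // Shape of the config the report objects to (constructed for illustration):
    // the library claims the root logger and sets it to DEBUG, so every other
    // component's debug output lands in the host's log files as well.
    static final String BAD_CONFIG =
        "log4j.rootLogger=DEBUG, stdout\n"
      + "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n"
      + "log4j.appender.stdout.layout=org.apache.log4j.SimpleLayout\n";

    // Corrected shape: no root logger, only the library's own package hierarchy
    // (org.apache.xml.security is assumed to be xmlsec's package) at ERROR.
    static final String GOOD_CONFIG =
        "log4j.logger.org.apache.xml.security=ERROR\n";

    /** True if a library config tries to own the root logger, which a library must not do. */
    static boolean redefinesRootLogger(Properties p) {
        return p.containsKey("log4j.rootLogger") || p.containsKey("log4j.rootCategory");
    }

    /**
     * Apply a library config on top of the log4j config already loaded. The Properties
     * overload of PropertyConfigurator.configure adds to the existing hierarchy instead of
     * replacing it, so several jars can each contribute a uniquely named file (for example
     * "xmlsec-log4j.properties", a hypothetical name) rather than racing for the single
     * "log4j.properties" the classloader happens to find first.
     */
    static void apply(String config) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(config));
        if (redefinesRootLogger(p)) {
            throw new IllegalStateException("library log4j config must not redefine the root logger");
        }
        PropertyConfigurator.configure(p);
    }

    public static void main(String[] args) throws IOException {
        apply(GOOD_CONFIG); // accepted: root logger untouched, library logger set to ERROR
        System.out.println("xmlsec logger level: "
            + Logger.getLogger("org.apache.xml.security").getLevel());
        Properties bad = new Properties();
        bad.load(new StringReader(BAD_CONFIG));
        System.out.println("shipped config redefines root logger: " + redefinesRootLogger(bad));
    }
}
```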
