> From: Juozas Baliuka [mailto:[EMAIL PROTECTED]]
>> Would it be possible for someone to change file LogFactoryImpl.java? >> It currently has: >> } catch (SecurityException e) { >> } >> And it might be better if it had: >> } catch (SecurityException e) { >> logClassName = LOG_DEFAULT; >> } >> >> This would prevent null being passed to loadClass(). > I does not work on this project, but I think it is not the best idea > to set default logger on security exeption. I do use the project, and I agree that setting to the default logger is a bad idea on security exception. The contact the logging has, is that it will attempt the following: * Look a attribute set on Factory * Look at system properties * Try log4j * Try JDK1.4 * Use Default (no-op?) log If it fails to get system property, it should try to use log4j, and *not* automatically use the default log. > It will be very dificult to find a problem and grant requred permissions > or to dissable logging if app does not have permissions for logging. I agree, with the first matter, although the second case isn't really the issue. > The most *secure* way not to catch SecurityException at all, or > rethrow it. It must be not a problem because it is Runtime exception. Err no. Then logging (and any component that depends on it) would be useless in any environment where system properties were protected. Please see the bug report on this: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7468 NOTICE This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank. -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>