> From: Juozas Baliuka [mailto:[EMAIL PROTECTED]]

>> Would it be possible for someone to change file LogFactoryImpl.java?
>> It currently has:
>>         } catch (SecurityException e) {
>>         }
>> And it might be better if it had:
>>         } catch (SecurityException e) {
>>                 logClassName = LOG_DEFAULT;
>>         }
>>
>> This would prevent null being passed to loadClass().

> I do not work on this project, but I think it is not the best idea
> to set default logger on security exception.

I do use the project, and I agree that setting to the default logger
is a bad idea on security exception.

The contract the logging has is that it will attempt the following:
 * Look at attribute set on Factory
 * Look at system properties
 * Try log4j
 * Try JDK1.4
 * Use Default (no-op?) log

If it fails to get system property, it should try to use log4j, and
*not* automatically use the default log.

> It will be very difficult to find a problem and grant required permissions
> or to disable logging if app does not have permissions for logging.

I agree with the first matter, although the second case isn't really the
issue.

> The most *secure* way is not to catch SecurityException at all, or
> rethrow it. It must not be a problem because it is a Runtime exception.

Err no.
Then logging (and any component that depends on it) would be useless in
any environment where system properties were protected.

Please see the bug report on this:
  http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7468
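
The fallback order discussed in this message, written out as an added Java example (not the commons-logging source and not code from either poster): a denied system-property read is reported and discovery continues with log4j instead of jumping to the default, so the class name handed to the loader is never null. The `example.*` adapter names and the injected `propertyReader` (used so a denied read can be simulated without installing a security manager) are assumptions of this sketch.

```java
import java.util.function.Function;

// Added illustration; names other than LOG_DEFAULT and logClassName are hypothetical.
public class LogDiscoverySketch {
    static final String LOG_PROPERTY = "org.apache.commons.logging.Log";
    static final String LOG_DEFAULT = "example.NoOpLog"; // placeholder class name

    static String discover(String factoryAttribute,
                           Function<String, String> propertyReader) {
        String logClassName = factoryAttribute;            // 1. attribute set on factory
        if (logClassName == null) {
            try {
                logClassName = propertyReader.apply(LOG_PROPERTY); // 2. system property
            } catch (SecurityException e) {
                // Denied read: report it so the missing permission can be found,
                // and leave logClassName null so the remaining steps still run.
                System.err.println("log discovery: property read denied: "
                        + e.getMessage());
            }
        }
        if (logClassName == null && isAvailable("org.apache.log4j.Logger")) {
            logClassName = "example.Log4jAdapter";         // 3. log4j
        }
        if (logClassName == null && isAvailable("java.util.logging.Logger")) {
            logClassName = "example.Jdk14Adapter";         // 4. JDK 1.4 logging
        }
        if (logClassName == null) {
            logClassName = LOG_DEFAULT;                    // 5. default, last resort only
        }
        return logClassName;                               // never null
    }

    // Probe for a class without initializing it; any failure means "not usable".
    static boolean isAvailable(String name) {
        try {
            Class.forName(name, false, LogDiscoverySketch.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError | SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed reader that behaves like a protected-properties environment.
        Function<String, String> denied = key -> {
            throw new SecurityException("constructed: read of " + key + " denied");
        };
        System.out.println(discover(null, denied));
        System.out.println(discover(null, System::getProperty));
    }
}
```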
