At line 46 of LogLog.java, there is a call to the OptionConverter in order to
obtain the value of the system property "log4j.configDebug". I'm relatively
new to this, but if I'm right, this could be better done wrapped in an
AccessController.doPrivileged block. I'm in the practice of maintaining my
java.policy file to restrict anything I do in Java, but since this property
check can occur when there are other packages on the stack, I have to add the
line:
permission java.util.PropertyPermission "log4j.configDebug", "read";
to my policy file not only for log4j, but also (for example) JUnit. I imagine
this problem could occur in an IDE as well.
Following is a patch for LogLog.java which modifies the call to use a
privileged action:
*** LogLog.java.orig Wed Feb 28 14:50:52 2001
--- LogLog.java Wed Feb 28 14:51:17 2001
***************
*** 43,49 ****
private static final String WARN_PREFIX = "log4j:WARN ";
static {
! String key = OptionConverter.getSystemProperty(CONFIG_DEBUG_KEY, null);
if(key != null)
configDebugEnabled = OptionConverter.toBoolean(key, true);
}
--- 43,55 ----
private static final String WARN_PREFIX = "log4j:WARN ";
static {
! String key = (String) AccessController.doPrivileged(
! new PrivilegedAction() {
! public Object run() {
! return OptionConverter.getSystemProperty(CONFIG_DEBUG_KEY,
null);
! }
! }
! );
if(key != null)
configDebugEnabled = OptionConverter.toBoolean(key, true);
}
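Review bot: the new static block (43,55) references AccessController and PrivilegedAction, but this is the only hunk in the patch and it adds no imports, so LogLog.java will not compile unless java.security.AccessController and java.security.PrivilegedAction are already imported; please add an import hunk. The wrapped continuation line "null);" has also lost its "!" change marker, presumably to mail line wrapping, so the patch may not apply as posted; resending it as an attachment would avoid that. On scope, passing the constant CONFIG_DEBUG_KEY inside the privileged action is the right shape. If this is extended to the other system properties, keep a fixed key at each call site rather than putting doPrivileged inside the general OptionConverter.getSystemProperty helper, since a privileged helper that takes a caller-supplied key would let any code on the stack read arbitrary properties with log4j's permissions.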
Any comments? Perhaps this could also be applied to the other system
properties that log4j uses, although I have only seen security exceptions
(when using JUnit) from this particular property.
Thanks for entertaining my thoughts!
--
Dardo D. Kleiner
Connection Machine Facility, Center for Computational Sciences
Naval Research Laboratory (Washington, DC)
[EMAIL PROTECTED] -- 202.404.7019