DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG� RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=32413>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND� INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=32413 Summary: log4j vs the SecurityManager Product: Log4j Version: unspecified Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Other AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] If your JVM runs with a SecurityManager (common in production J2EE environments), you'll be prevented from doing various otherwise ordinary things unless the Java security policy has been configured to let you. So, you see in log4j various places catching security exceptions and falling back to something reasonably graceful. (There are comments in the source code about some ancient MS JRE version, but the same thing applies to all modern JREs.) All well and good. If you want, for example, to be allowed to read the value of Java property "log4j.mumble", you have to configure Java policy to allow it. What would be great would be: 1. Some documentation listing all the types of permissions you might need to configure for various things. There's the main body of log4j, but there is also variable details for things like the bundled appenders (e.g., FileAppender needs permission to write to whatever file is configured). 2. Besides catching security exceptions, these "privileged" actions should be inside AccessController.doPrivileged() blocks. If you don't do that (and log4j doesn't in the couple placeds I looked), then you also have to configure the same privileges for everything up the call stack. doPrivileged is a way of reducing it to a need to just configure for log4j itself. In case all of the above seems like gibberish, here are some useful homework assignment links: Default Policy Implementation and Policy File Syntax. <http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html> Permissions in the JavaTM 2 SDK. <http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html> API for Privileged Blocks. <http://java.sun.com/j2se/1.4.2/docs/guide/security/doprivileged> -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
