Gary Gregory created LOG4J2-1110: ------------------------------------ Summary: org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late Key: LOG4J2-1110 URL: https://issues.apache.org/jira/browse/LOG4J2-1110 Project: Log4j 2 Issue Type: Bug Components: JUL adapter Affects Versions: 2.3 Reporter: Gary Gregory
org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late. The JUL Javadocs https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html#setLevel(java.util.logging.Level) state: {quote} Throws: SecurityException - if a security manager exists and if the caller does not have LoggingPermission("control"). {quote} Our impl {{org.apache.logging.log4j.jul.CoreLogger.setLevel(Level)}}: {code:java} @Override public void setLevel(final Level level) throws SecurityException { logger.setLevel(LevelTranslator.toLevel(level)); super.doSetLevel(level); } {code} Checks for perms through {{super.doSetLevel(level)}} which is too late since our logger is already modified. The fix is to switch the two calls: {code:java} @Override public void setLevel(final Level level) throws SecurityException { super.doSetLevel(level); logger.setLevel(LevelTranslator.toLevel(level)); } {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: log4j-dev-unsubscr...@logging.apache.org For additional commands, e-mail: log4j-dev-h...@logging.apache.org