Gary Gregory created LOG4J2-1110:
------------------------------------

             Summary: org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late
                 Key: LOG4J2-1110
                 URL: https://issues.apache.org/jira/browse/LOG4J2-1110
             Project: Log4j 2
          Issue Type: Bug
          Components: JUL adapter
    Affects Versions: 2.3
            Reporter: Gary Gregory


org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security 
permission too late.

The JUL Javadocs https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html#setLevel(java.util.logging.Level) state:

{quote}
Throws:
SecurityException - if a security manager exists and if the caller does not 
have LoggingPermission("control").
{quote}

Our impl {{org.apache.logging.log4j.jul.CoreLogger.setLevel(Level)}}:
{code:java}
    @Override
    public void setLevel(final Level level) throws SecurityException {
        logger.setLevel(LevelTranslator.toLevel(level));
        super.doSetLevel(level);
    }
{code}

Checks for perms through {{super.doSetLevel(level)}} which is too late since 
our logger is already modified.

The fix is to switch the two calls:

{code:java}
    @Override
    public void setLevel(final Level level) throws SecurityException {
        super.doSetLevel(level);
        logger.setLevel(LevelTranslator.toLevel(level));
    }
{code}
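
The effect of the two orderings on a caller that is denied permission, as an added example that is not part of the original report and is not Log4j code. `DemoCoreLogger`, `Delegate` and the boolean `callerHasControl` (standing in for the `LoggingPermission("control")` check) are hypothetical names chosen for illustration.

```java
import java.util.logging.Level;

// Added example: stand-ins for the classes named in the report.
// DemoCoreLogger, Delegate and callerHasControl are hypothetical, not Log4j code.
public class SetLevelOrderingDemo {

    /** Stand-in for the wrapped logger whose level gets changed. */
    static final class Delegate {
        Level level = Level.INFO;
    }

    /** Stand-in for the JUL adapter; callerHasControl models LoggingPermission("control"). */
    static final class DemoCoreLogger {
        final Delegate delegate = new Delegate();
        boolean callerHasControl; // defaults to false: an unprivileged caller

        // Models super.doSetLevel(level): the step that performs the permission check.
        private void doSetLevel(final Level level) {
            if (!callerHasControl) {
                throw new SecurityException("caller lacks LoggingPermission(\"control\")");
            }
        }

        // Ordering from the report: the delegate is modified before the check runs.
        void setLevelCheckLate(final Level level) {
            delegate.level = level;
            doSetLevel(level);
        }

        // Ordering from the fix: the check runs first, so a denial leaves state untouched.
        void setLevelCheckFirst(final Level level) {
            doSetLevel(level);
            delegate.level = level;
        }
    }

    /** Returns the delegate's level after an unprivileged caller tries to set FINE. */
    static Level levelAfterDeniedCall(final boolean checkFirst) {
        final DemoCoreLogger logger = new DemoCoreLogger();
        try {
            if (checkFirst) logger.setLevelCheckFirst(Level.FINE);
            else logger.setLevelCheckLate(Level.FINE);
        } catch (final SecurityException expected) {
            // Both orderings throw; only the resulting state differs.
        }
        return logger.delegate.level;
    }

    public static void main(final String[] args) {
        System.out.println("check late:  " + levelAfterDeniedCall(false));
        System.out.println("check first: " + levelAfterDeniedCall(true));
    }
}
```

A regression test for the fix can assert the same property against the real adapter: after a denied `setLevel` call, the underlying logger's level is unchanged.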




