Hi Felix, This sounds like an optimized solution to solve the problem :).
A possible alternative might be, to exchange the writer on the first AccessControlException, this would prevent doPriviledged blocks when no principal-based authorization is done, I must admit that I have no idea on the performance implications on entering a privileged section. Cheers, Reto Felix Meschberger said the following on 01/27/2009 09:42 PM: > Hi Reto, > > I am somewhat reluctant to have each logging call to this privileged > stuff. How about the following solution: > > The SlingLoggerWriter.createWriter method is responsible to create the > actual writer. If the system has a SecurityManager, a PrivilegedWriter > is wrapped around the underlying OutputStreamWriter(FileOutputStream), > which does the privileged stuff. If the system has no SecurityManager, > no such PrivilegedWriter is added. > > In addition, as you note, the SlingLoggerWriter.checkRotate must be > enhanced to check the SecurityManager before rotating the file(s). > > WDYT ? > > Regards > Felix > > > Reto Bachmann-Gmür schrieb: > >> Hello >> >> We're using the Sling - OSGi LogService Implementation partially in code >> running as a subject. The problem is that for this to work we have to >> assign read and write right on the log-file to all users. Otherwise we >> get an exception like the following: >> >> 27.01.2009 18:09:08.491 *INFO* [btpool3-0 - /kl] >> org.trialox.platform.security.auth.AuthenticatingFilter >> SecurityException: {} java.security.AccessControlException: access >> denied (java.io.FilePermission >> /home/reto/trialox-workspace/default/org.trialox.cms.launchpad/target/sling/logs/error.log >> read) >> at >> java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) >> at >> java.security.AccessController.checkPermission(AccessController.java:546) >> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) >> at java.lang.SecurityManager.checkRead(SecurityManager.java:871) >> at java.io.File.length(File.java:846) >> at >> org.apache.sling.commons.log.slf4j.SlingLoggerWriter.checkRotate(SlingLoggerWriter.java:308) >> >> >> I was wondering if it wouldn't be reasonable to have the logger do the >> file access in a AccessController.doPrivileged section, so that the >> respective permissions only have to be granted to the codebase and not >> to the useres as well. >> >> Cheers, >> Reto >> >> > >