[logback-user] loggingPermission

charles gay charles.gay at gmail.com
Tue Dec 5 00:43:09 CET 2006

hi Ceki,
firstly, i want to say thank you very much for your great contribution in
open source!!(and thanks to the logback team for the initiative)
so many people use log4j!( and  in the future logback).

about the security need:
that's the same than the one which is implemented in java.util.logging
prevent unauthorized users or code to modify programmatically logging
browsing your code, i think you can add this security check at
GenericConfigurator methods, or maybe at a higher level, i.e
ContextAwareBase class (maybe to securize the setContext method).

how to do it?
that's straightforward:
you need to decide if all these methods requires the same permission, or you
want to selectively give access depending on the user/code specific
imagine all logging configuration access is enabled with the
loggingPermisison("control"), like in the java.util.logging;
i.e, if the user or code have got the loggingpermission, you will grant
acess to the protected method.
how to do the seucrity check:
you have only to insert in the start of your method:
AccessController.checkPermisison(new LogginPermission("control');

and that's all!!
if the securitymanager is not enabled, you will not have security check, and
if its enabled, the security architecture will do the security check for
if access is granted, it will continue silently, otherwise, a
securityException will be raised.
simple and elegant as my opinion.

do you need other details?



Ceki Gülcü-3 wrote:
> Hi Charles,
> At 02:22 PM 11/30/2006, you wrote:
>>one major advantage(to me, i acknowledge ;-) ) of the java.util.logging
>>package over log4j and other logging libraries is its security.
>>it uses the underlying java security infrastructure by securing logs with
>>loggingpermission use.
>>have you any plan to use loggingpermission?
> We had no specific plans to add security given demand for it has been 
> (surprisingly) week. However, the idea is definitely worth consideration.
>>it  can be used very easily to control any logging configuration change.
>>other use case can stands on loggingpermission to prevent some programers
>>use loggers of some packages for example.
> Could you summarize the say 2 or 3 most important security checks you
> would 
> like to see added?
>>if you are interested to implemented this feature, i can help you to
>>understand java security internals if needed.
> Thank you for the kind offer. We are interested in adding security. Would 
> you care to contribute actual code?
>>Charles GAY
> -- 
> Ceki Gülcü
> Logback: The reliable, generic, fast and flexible logging framework for
> Java.
> http://logback.qos.ch
> _______________________________________________
> Logback-user mailing list
> Logback-user at qos.ch
> http://qos.ch/mailman/listinfo/logback-user

View this message in context: http://www.nabble.com/loggingPermission-tf2731649.html#a7690145
Sent from the Logback User mailing list archive at Nabble.com.

More information about the Logback-user mailing list