[logback-user] logback usage with security

David Savage david.savage at paremus.com
Wed Jul 7 21:36:16 CEST 2010 

On Wed, Jul 7, 2010 at 8:16 PM, Ceki Gülcü <ceki at qos.ch> wrote:
> On 07/07/2010 4:41 PM, David Savage wrote:
>>
>> Hi there,
>>
>> I've just run into a problem with using logback in a jvm where the
>> security manager is enabled. The trace of the exception is as follows:
>>
>> java.security.AccessControlException: access denied
>> (java.lang.RuntimePermission getClassLoader)
>>  at
>> java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>>  at
>> java.security.AccessController.checkPermission(AccessController.java:546)
>>  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>  at java.lang.Class.getClassLoader(Class.java:594)
>>  at
>> ch.qos.logback.classic.spi.PackagingDataCalculator.populateFrames(PackagingDataCalculator.java:87)
>>  at
>> ch.qos.logback.classic.spi.PackagingDataCalculator.calculate(PackagingDataCalculator.java:58)
>>  at
>> ch.qos.logback.classic.spi.ThrowableProxy.calculatePackagingData(ThrowableProxy.java:100)
>>  at ch.qos.logback.classic.spi.LoggingEvent.<init>(LoggingEvent.java:126)
>>  at
>> ch.qos.logback.classic.Logger.buildLoggingEventAndAppend(Logger.java:469)
>>  at ch.qos.logback.classic.Logger.filterAndLog_0_Or3Plus(Logger.java:425)
>>  at ch.qos.logback.classic.Logger.info(Logger.java:645)
>>
>> This is running with a logback-classic-0.9.23-SNAPSHOT that I pulled
>> and built a couple of days ago.
>>
>> Looking at the code it seems the PackagingDataCalculator should be
>> calling getClassLoader in an AccessController.doPriviledged block -
>> but potentially this could also happen higher up to avoid having to
>> put micro checks in all over the place.
>>
>> This leads me to a couple of questions:
>>
>> * Is logback generally dealing with security related checks and this
>> is just one that's slipped through?
>
> No, logback does not do security checks.

Ok that's understandable but a little bit of a problem for our
usecase. I'll see if we have any bandwidth to work on it but in
principle if we were to make updates to do the various AccessControl
checks would you be interested in contributions to make this work?

>
>> * From the call stack it seems the ThrowableProxy is doing quite a lot
>> of work in the user thread - is there any way to configure logback to
>> do this asynchronously?
>
> That work only done after an exception is thrown which is by definition
> exceptional, so performance should not be a real problem.

Hmmm yep on reflection that makes sense.

Regards,

Dave

>
>> Thanks in advance,
>>
>> Regards,
>>
>> Dave
>
> _______________________________________________
> Logback-user mailing list
> Logback-user at qos.ch
> http://qos.ch/mailman/listinfo/logback-user
>

More information about the Logback-user mailing list