[logback-user] logback usage with security

Ceki Gülcü ceki at qos.ch
Wed Jul 7 22:23:19 CEST 2010


On 07/07/2010 9:36 PM, David Savage wrote:
> On Wed, Jul 7, 2010 at 8:16 PM, Ceki Gülcü<ceki at qos.ch>  wrote:
>> On 07/07/2010 4:41 PM, David Savage wrote:
>>>
>>> Hi there,
>>>
>>> I've just run into a problem with using logback in a JVM where the
>>> security manager is enabled. The trace of the exception is as follows:
>>>
>>> java.security.AccessControlException: access denied
>>> (java.lang.RuntimePermission getClassLoader)
>>>   at
>>> java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>>>   at
>>> java.security.AccessController.checkPermission(AccessController.java:546)
>>>   at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>>   at java.lang.Class.getClassLoader(Class.java:594)
>>>   at
>>> ch.qos.logback.classic.spi.PackagingDataCalculator.populateFrames(PackagingDataCalculator.java:87)
>>>   at
>>> ch.qos.logback.classic.spi.PackagingDataCalculator.calculate(PackagingDataCalculator.java:58)
>>>   at
>>> ch.qos.logback.classic.spi.ThrowableProxy.calculatePackagingData(ThrowableProxy.java:100)
>>>   at ch.qos.logback.classic.spi.LoggingEvent.<init>(LoggingEvent.java:126)
>>>   at
>>> ch.qos.logback.classic.Logger.buildLoggingEventAndAppend(Logger.java:469)
>>>   at ch.qos.logback.classic.Logger.filterAndLog_0_Or3Plus(Logger.java:425)
>>>   at ch.qos.logback.classic.Logger.info(Logger.java:645)
>>>
>>> This is running with a logback-classic-0.9.23-SNAPSHOT that I pulled
>>> and built a couple of days ago.
>>>
>>> Looking at the code it seems the PackagingDataCalculator should be
>>> calling getClassLoader in an AccessController.doPrivileged block -
>>> but potentially this could also happen higher up to avoid having to
>>> put micro checks in all over the place.
>>>
>>> This leads me to a couple of questions:
>>>
>>> * Is logback generally dealing with security-related checks and this
>>> is just one that's slipped through?
>>
>> No, logback does not do security checks.
>
> Ok that's understandable but a little bit of a problem for our
> use case. I'll see if we have any bandwidth to work on it but in
> principle if we were to make updates to do the various AccessControl
> checks would you be interested in contributions to make this work?

Logback professional support covers such work. Contact me off list for 
details.

--
Ceki
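
The change suggested in the quoted report, wrapping the getClassLoader call in an AccessController.doPrivileged block, sketched as an added example; it is not logback's code and was not posted by either participant. The class name LoaderLookup, the method loaderName and the "na" fallback marker are hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Hypothetical helper for illustration; not part of logback. */
public final class LoaderLookup {

    static final String UNAVAILABLE = "na"; // constructed fallback marker

    private LoaderLookup() {}

    /**
     * Names the loader of {@code type} without requiring every caller on
     * the stack to hold RuntimePermission("getClassLoader").
     */
    static String loaderName(final Class<?> type) {
        try {
            ClassLoader cl = AccessController.doPrivileged(
                new PrivilegedAction<ClassLoader>() {
                    public ClassLoader run() {
                        // Inside the privileged block the permission check
                        // stops at this class's protection domain.
                        return type.getClassLoader();
                    }
                });
            // Hand back derived data only, never the ClassLoader itself, so
            // a less-privileged caller cannot reuse the privileged result.
            return cl == null ? "bootstrap" : cl.getClass().getName();
        } catch (SecurityException e) {
            // The library's own domain lacks the permission: degrade
            // instead of failing the application's logging call.
            return UNAVAILABLE;
        }
    }

    public static void main(String[] args) {
        System.out.println(loaderName(String.class));
        System.out.println(loaderName(LoaderLookup.class));
    }
}
```

With this pattern only the code source containing the helper needs a policy grant of java.lang.RuntimePermission "getClassLoader"; application code that merely logs does not. AccessController and the security manager are deprecated for removal since Java 17, so this applies to runtimes where a security manager is still in use.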

