[logback-user] Restricting JMX control certain loggers?
Ceki Gülcü
ceki at qos.ch
Thu Mar 17 23:40:39 CET 2011
On 17/03/2011 9:53 PM, Steve Davis wrote:
>
>
> Is it possible to configure logback so that most loggers' levels are modifiable
> via JMX, but restrict manipulation of certain loggers? E.g., enable the JMX
> Configurator for the root logger, but disable it for specific loggers with
> additivity="false"? It appears that the <jmxConfigurator /> element can only
> appear at the top level of a <configuration> block.
>
> The goal, for my application, is to allow user control of logging in the field,
> for debugging, but not allow anyone to disable certain loggers that handle
> security-related events. Preferably, those loggers wouldn't even show up as
> attributes in jconsole.
>
> (This is a Java desktop app, not web.)

I've come across this problem very recently. It is possible to add a
guard (a logback component which listens to events) designed to prevent
specified loggers from being modified. While such a component will stop
non-malicious users, an attacker could uninstall the said guard and
bypass the checks you've put in place.

One solution is to raise an alert when the guard is uninstalled.

I intend to implement such a guard very soon.

HTH,
--
QOS.ch, main sponsor of cal10n, logback and slf4j open source projects,
is looking to hire talented software developers. For further details,
see http://logback.qos.ch/job.html
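
One way a guard of the kind described in the reply could look, as an added example that is not part of the original message and not logback's own guard. It uses logback's `LoggerContextListener` interface; the class name `PinnedLevelGuard`, the logger-name-to-level policy map and the stderr alert are assumptions made for illustration.

```java
import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.classic.spi.LoggerContextListener;

import java.util.Map;

/** Hypothetical guard: pins the level of named loggers and alerts on any change. */
public class PinnedLevelGuard implements LoggerContextListener {
    // Policy supplied by the application: logger name -> level it must keep.
    private final Map<String, Level> pinned;

    public PinnedLevelGuard(Map<String, Level> pinned) {
        this.pinned = Map.copyOf(pinned);
    }

    /** Apply the pinned levels, then register so later changes are observed. */
    public void install(LoggerContext ctx) {
        applyPinnedLevels(ctx);
        ctx.addListener(this);
    }

    private void applyPinnedLevels(LoggerContext ctx) {
        pinned.forEach((name, level) -> ctx.getLogger(name).setLevel(level));
    }

    @Override
    public void onLevelChange(Logger logger, Level newLevel) {
        Level required = pinned.get(logger.getName());
        // getLevel() is the explicitly assigned level (null when inherited).
        if (required == null || required.equals(logger.getLevel())) {
            return; // not a protected logger, or already at its pinned level
        }
        // Alert channel is an assumption; pick one that does not depend on logback.
        System.err.println("ALERT: level change on protected logger "
                + logger.getName() + " reverted to " + required);
        logger.setLevel(required); // re-fires onLevelChange, which returns above
    }

    // Stay registered across LoggerContext.reset(), e.g. a reload triggered over JMX.
    @Override public boolean isResetResistant() { return true; }

    // reset() clears assigned levels without calling onLevelChange; restore them here.
    @Override public void onReset(LoggerContext ctx) { applyPinnedLevels(ctx); }

    @Override public void onStart(LoggerContext ctx) { }
    @Override public void onStop(LoggerContext ctx) { }
}
```

Installing it is a call such as `new PinnedLevelGuard(Map.of("com.example.security.audit", Level.INFO)).install(ctx)`, where the logger name is a constructed sample. The guard covers level changes only, and it shares the limitation named in the reply: code running in the same JVM can unregister the listener, so its removal needs its own alert.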