You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@logging.apache.org by "Remko Popma (JIRA)" <ji...@apache.org> on 2017/06/16 23:34:00 UTC

[jira] [Comment Edited] (LOG4J2-1926) Remove dependency on RMI and Management APIs from log4j-api

    [ https://issues.apache.org/jira/browse/LOG4J2-1926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052513#comment-16052513 ] 

Remko Popma edited comment on LOG4J2-1926 at 6/16/17 11:33 PM:
---------------------------------------------------------------

Mikael, sorry, I misunderstood your concern. 
Please see LOG4J2-1663 and LOG4J2-1226 for the background. 
Basically this allows applications like Lilith to deserialize LogEvents even when the event  contains domain objects that are not in Lilith's classpath when derserializing. 

It's a good idea to use the FilteredObjectInputStream instead of the JDK ObjectInputStream when deserializing, and the recent changes should make this easier to accomplish.


was (Author: remkop@yahoo.com):
Mikael, sorry, I misunderstood your concern. 
Please see LOG4J2-1663 and LOG4J2-1226 for the background. 
Basically this allows applications like Lilith to deserialize LogEvents even when the event  contains domain objects that are not in Lilith's classpath when derserializing. 

> Remove dependency on RMI and Management APIs from log4j-api
> -----------------------------------------------------------
>
>                 Key: LOG4J2-1926
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1926
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: API
>    Affects Versions: 2.8
>         Environment: Android
>            Reporter: Oleg Kalnichevski
>            Assignee: Remko Popma
>
> (Remko: Paraphrasing discussion on the log4j dev mailing list. Please feel free to update/modify):
> When the Apache HttpClient 5.0 library gets pulled into an Android project, the Lint static code analyzer reports two severe violations due to transitive dependency through Log4j APIs 2.8 on Java RMI and Java Management APIs.
> At the moment adding a transitive dependency on log4j2-api causes any Android build to fail with a scary invalid package error. Surely this error can be ignored with a custom lint rule but it may present a certain reason for concert to less experienced developers.
> This is caused by Log4j's use of MarshalledObject: User domain objects and exceptions are wrapped in MarshalledObject when LogEvents are serialized. This allows applications like Lilith to deserialize LogEvents even when not all domain classes are on the classpath (LOG4J2-1226).
> Consider finding a different way to solve this problem that does not require MarshalledObject.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)