You are viewing a plain text version of this content. The canonical link for it is here.

Posted to log4j-dev@logging.apache.org by "Scott Severtson (JIRA)" <ji...@apache.org> on 2013/02/01 17:38:20 UTC

[jira] [Closed] (LOG4J2-150) Applet: AccessControlException from System.getProperty(...), Integer.getInteger, and Boolean.getBoolean

     [ https://issues.apache.org/jira/browse/LOG4J2-150?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Severtson closed LOG4J2-150.
----------------------------------


We can verify that Log4J2 can now be safely used in an applet environment.
                
> Applet: AccessControlException from System.getProperty(...), Integer.getInteger, and Boolean.getBoolean
> -------------------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-150
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-150
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: API, Core
>    Affects Versions: 2.0-beta4
>         Environment: Firefox 18
>            Reporter: Scott Severtson
>            Assignee: Ralph Goers
>             Fix For: 2.0-beta4
>
>         Attachments: system-properties-access-control-exception-handling.patch
>
>
> When deploying Log4J2 in an applet, several API and Core classes make direct, unchecked attempts to pull in system properties via System.getProperty(...), Integer.getInteger, and Boolean.getBoolean. A sandboxed applet unfortunately may not access arbitrary system properties. PropertiesUtil seems to handle for this issue, but not all Core uses this utility, nor do a few classes in the API.
> The resulting exception looks like:
> Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission log4j2.status.entries read)
> at java.security.AccessControlContext.checkPermission(Unknown Source)
> at java.security.AccessController.checkPermission(Unknown Source)
> at java.lang.SecurityManager.checkPermission(Unknown Source)
> at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
> at java.lang.System.getProperty(Unknown Source)
> at java.lang.Integer.getInteger(Unknown Source)
> at java.lang.Integer.getInteger(Unknown Source)
> at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:48)
> ... 27 more
> I've created a patch (to follow) which resolves these issues. Unfortunately, some code in my patch is duplicated or very similar between the API and Core -- PropertiesUtil lives in Core, and I wasn't comfortable re-locating it to the API without discussion/review. Instead, I introduced a minimal version of the code to the API module.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org