You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@commons.apache.org by bu...@apache.org on 2002/06/10 15:03:29 UTC

DO NOT REPLY [Bug 9743] New: - Security policy configuration, SimpleLog uses System.getProperties()

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9743>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9743

Security policy configuration, SimpleLog uses System.getProperties()

           Summary: Security policy configuration, SimpleLog uses
                    System.getProperties()
           Product: Commons
           Version: Nightly Builds
          Platform: PC
        OS/Version: Solaris
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Logging
        AssignedTo: commons-dev@jakarta.apache.org
        ReportedBy: glenn@apache.org


SimpleLog uses System.getProperties to get a list of existing
org.apache.commons.logging.* properties.

If commons-logging is running within an application which uses
the Java SecurityManager such as Tomcat this requires granting
java.util.PropertyPermission "*", "read" to not only
commongs-logging.jar, but all other jar files with classes
on the stack.

This makes it impossible to restrict access to reading properties
for any API's on the stack.

SimpleLog should get each individual property it needs separately.

This would apply to any other code which uses System.getProperties() also.

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>