You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@santuario.apache.org by bu...@apache.org on 2008/05/29 16:40:22 UTC
DO NOT REPLY [Bug 45095] New: log4j.
properties in xmlsec sources and builds has side effects in production
environment
https://issues.apache.org/bugzilla/show_bug.cgi?id=45095
Summary: log4j.properties in xmlsec sources and builds has side
effects in production environment
Product: Security
Version: Java 1.4.1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Encryption
AssignedTo: security-dev@xml.apache.org
ReportedBy: syrion.com@club-internet.fr
xmlsec sources in svn and xmlsec builds in official maven repositories and alss
in http://xml.apache.org/security/dist/java-library/ contain an unusable
log4j.properties for production.
Not only it is a bad practice to redefine a root logger in log4j.properties,
but it is redefined to accept DEBUG level. This can cause a production
environnement to flow alot of debug data in log files.
Every single projet having a log4j config MUST :
- choose a unique name for its log4j.properties (or .xml) to avoid classloader
to take instead of another log4j.properties/.xml. The log4j config file should
be called explicitely with the *Configurator. This allow multiple jars in the
same classloader to append their log4j config instead of having only oneloaded
at random.
- never redefine the root logger. The root logger may be called by anyone so
if you redfine it, side effects occur (as having another software logging in
"your" root logger). The root logger should be defined at a WAR or EAR level as
a default logger.
- never define root logger with DEBUG level : this should be the choice of the
user to increase verbosity level.
xmlsec have a bad log4j config : it redefines a root logger at DEBUG level.
This issue
- forces developper to re-build xmlsec-*.jar with a custom log4j.properties in
order to lower the verbosity for production
- forces developper to avoid using maven or apache repositories
The bigest problem is that even with a correct log4j.properties, this file may
interact with other bad designed software using the same default config name.
So one library among them will have its logger loaded, the other will fail
silently !
I'm reporting this because xmlsec-1.3.1 was the cause for another component to
log a lot of DEBUG infos on sysout. But 1.4.1 has the same problem.
The correct way to correct this is :
- removing the root logger config from
org/apache/xml/security/resource/log4j.properties
- set other logger at ERROR level
Only the user can decide if the verbosity should be increased
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 45095] log4j.properties in xmlsec sources and
builds has side effects in production environment
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45095
--- Comment #2 from Adrian.B.Robert@gmail.com 2010-01-11 11:57:05 UTC ---
Did this fix go into any releases? xmlsec-1.4.3.jar seems to be the latest and
it has the problem described.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 45095] log4j.properties in xmlsec sources and
builds has side effects in production environment
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45095
--- Comment #3 from sean.mullan@sun.com 2010-01-11 13:46:13 UTC ---
(In reply to comment #2)
> Did this fix go into any releases? xmlsec-1.4.3.jar seems to be the latest and
> it has the problem described.
Here are the diffs for the fix that went into 1.4.3. Did you expect something
different?
$ svn diff -r350676 log4j.properties
Index: log4j.properties
===================================================================
--- log4j.properties (revision 350676)
+++ log4j.properties (working copy)
@@ -4,14 +4,13 @@
#
# ------------------------------------------------------------------------
#
-log4j.rootLogger=DEBUG, LOGTXT
########################################################################
#
# Logging based on packages
#
########################################################################
-log4j.logger.org.apache.xml.security=DEBUG, LOGTXT
+log4j.logger.org.apache.xml.security=ERROR, LOGTXT
log4j.logger.org.apache.xml.security.test.AllTests=DEBUG, LOGTXT
########################################################################
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 45095] log4j.properties in xmlsec sources and
builds has side effects in production environment
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45095
--- Comment #4 from Joachim Rousseau <sy...@club-internet.fr> 2010-01-23 18:15:29 UTC ---
xmlsec 1.4.3 is OK, as its log4j config follows recommandations
- no more root logger overriding
- no more DEBUG level
As an effect, xmlsec is not flooding production logs anymore. It works as
expected. xmlsec 1.4.3 doesn't have the issue anymore.
(In reply to comment #3)
> (In reply to comment #2)
> > Did this fix go into any releases? xmlsec-1.4.3.jar seems to be the latest and
> > it has the problem described.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
DO NOT REPLY [Bug 45095] log4j.
properties in xmlsec sources and builds has side effects in production
environment
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=45095
sean.mullan@sun.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from sean.mullan@sun.com 2008-06-27 13:28:44 PST ---
Fixed as suggested.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.