Bug 45095

Summary: log4j.properties in xmlsec sources and builds has side effects in production environment
Product: Security - Now in JIRA Reporter: Joachim Rousseau <syrion.com>
Component: EncryptionAssignee: XML Security Developers Mailing List <security-dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: Java 1.4.1   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Joachim Rousseau 2008-05-29 07:40:21 UTC 
xmlsec sources in svn and xmlsec builds in official maven repositories and alss in http://xml.apache.org/security/dist/java-library/ contain an unusable log4j.properties for production.

Not only it is a bad practice to redefine a root logger in log4j.properties, but it is redefined to accept DEBUG level. This can cause a production environnement to flow alot of debug data in log files.

Every single projet having a log4j config MUST :
 - choose a unique name for its log4j.properties (or .xml) to avoid classloader to take instead of another log4j.properties/.xml. The log4j config file should be called explicitely with the *Configurator. This allow multiple jars in the same classloader to append their log4j config instead of having only oneloaded  at random.
 - never redefine the root logger. The root logger may be called by anyone so if you redfine it, side effects occur (as having another software logging in "your" root logger). The root logger should be defined at a WAR or EAR level as a default logger.
 - never define root logger with DEBUG level : this should be the choice of the user to increase verbosity level.

xmlsec have a bad log4j config :  it redefines a root logger at DEBUG level.

This issue 
 - forces developper to re-build xmlsec-*.jar with a custom log4j.properties in order to lower the verbosity for production
 - forces developper to avoid using maven or apache repositories

The bigest problem is that even with a correct log4j.properties, this file may interact with other bad designed software using the same default config name. So one library among them will have its logger loaded, the other will fail silently !

I'm reporting this because xmlsec-1.3.1 was the cause for another component to log a lot of DEBUG infos on sysout. But 1.4.1 has the same problem.

The correct way to correct this is : 
 - removing the root logger config from org/apache/xml/security/resource/log4j.properties
 - set other logger at ERROR level

Only the user can decide if the verbosity should be increased
Comment 1 sean.mullan 2008-06-27 13:28:44 UTC 
Fixed as suggested.
Comment 2 Adrian.B.Robert 2010-01-11 11:57:05 UTC 
Did this fix go into any releases?  xmlsec-1.4.3.jar seems to be the latest and it has the problem described.
Comment 3 sean.mullan 2010-01-11 13:46:13 UTC 
(In reply to comment #2)
> Did this fix go into any releases?  xmlsec-1.4.3.jar seems to be the latest and
> it has the problem described.

Here are the diffs for the fix that went into 1.4.3. Did you expect something different?

$ svn diff -r350676 log4j.properties
Index: log4j.properties
===================================================================
--- log4j.properties    (revision 350676)
+++ log4j.properties    (working copy)
@@ -4,14 +4,13 @@
 #
 # ------------------------------------------------------------------------
 #
-log4j.rootLogger=DEBUG, LOGTXT

 ########################################################################
 #
 # Logging based on packages
 #
 ########################################################################
-log4j.logger.org.apache.xml.security=DEBUG, LOGTXT
+log4j.logger.org.apache.xml.security=ERROR, LOGTXT
 log4j.logger.org.apache.xml.security.test.AllTests=DEBUG, LOGTXT

 ########################################################################
Comment 4 Joachim Rousseau 2010-01-23 18:15:29 UTC 
xmlsec 1.4.3 is OK, as its log4j config follows recommandations
 - no more root logger overriding
 - no more DEBUG level

As an effect, xmlsec is not flooding production logs anymore. It works as expected. xmlsec 1.4.3 doesn't have the issue anymore. 

(In reply to comment #3)
> (In reply to comment #2)
> > Did this fix go into any releases?  xmlsec-1.4.3.jar seems to be the latest and
> > it has the problem described.