xmlsec sources in svn and xmlsec builds in official maven repositories and alss in http://xml.apache.org/security/dist/java-library/ contain an unusable log4j.properties for production. Not only it is a bad practice to redefine a root logger in log4j.properties, but it is redefined to accept DEBUG level. This can cause a production environnement to flow alot of debug data in log files. Every single projet having a log4j config MUST : - choose a unique name for its log4j.properties (or .xml) to avoid classloader to take instead of another log4j.properties/.xml. The log4j config file should be called explicitely with the *Configurator. This allow multiple jars in the same classloader to append their log4j config instead of having only oneloaded at random. - never redefine the root logger. The root logger may be called by anyone so if you redfine it, side effects occur (as having another software logging in "your" root logger). The root logger should be defined at a WAR or EAR level as a default logger. - never define root logger with DEBUG level : this should be the choice of the user to increase verbosity level. xmlsec have a bad log4j config : it redefines a root logger at DEBUG level. This issue - forces developper to re-build xmlsec-*.jar with a custom log4j.properties in order to lower the verbosity for production - forces developper to avoid using maven or apache repositories The bigest problem is that even with a correct log4j.properties, this file may interact with other bad designed software using the same default config name. So one library among them will have its logger loaded, the other will fail silently ! I'm reporting this because xmlsec-1.3.1 was the cause for another component to log a lot of DEBUG infos on sysout. But 1.4.1 has the same problem. The correct way to correct this is : - removing the root logger config from org/apache/xml/security/resource/log4j.properties - set other logger at ERROR level Only the user can decide if the verbosity should be increased
Fixed as suggested.
Did this fix go into any releases? xmlsec-1.4.3.jar seems to be the latest and it has the problem described.
(In reply to comment #2) > Did this fix go into any releases? xmlsec-1.4.3.jar seems to be the latest and > it has the problem described. Here are the diffs for the fix that went into 1.4.3. Did you expect something different? $ svn diff -r350676 log4j.properties Index: log4j.properties =================================================================== --- log4j.properties (revision 350676) +++ log4j.properties (working copy) @@ -4,14 +4,13 @@ # # ------------------------------------------------------------------------ # -log4j.rootLogger=DEBUG, LOGTXT ######################################################################## # # Logging based on packages # ######################################################################## -log4j.logger.org.apache.xml.security=DEBUG, LOGTXT +log4j.logger.org.apache.xml.security=ERROR, LOGTXT log4j.logger.org.apache.xml.security.test.AllTests=DEBUG, LOGTXT ########################################################################
xmlsec 1.4.3 is OK, as its log4j config follows recommandations - no more root logger overriding - no more DEBUG level As an effect, xmlsec is not flooding production logs anymore. It works as expected. xmlsec 1.4.3 doesn't have the issue anymore. (In reply to comment #3) > (In reply to comment #2) > > Did this fix go into any releases? xmlsec-1.4.3.jar seems to be the latest and > > it has the problem described.