Uploaded image for project: 'Log4j 2'
  1. Log4j 2
  2. LOG4J2-1110

org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.3
    • 2.4
    • JUL adapter
    • None

    Description

      org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late.

      The JUL Javadocs https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html#setLevel(java.util.logging.Level) state:

      Throws:
      SecurityException - if a security manager exists and if the caller does not have LoggingPermission("control").

      Our impl org.apache.logging.log4j.jul.CoreLogger.setLevel(Level):

          @Override
    public void setLevel(final Level level) throws SecurityException {
        logger.setLevel(LevelTranslator.toLevel(level));
        super.doSetLevel(level);
    }

      Checks for perms through super.doSetLevel(level) which is too late since our logger is already modified.

      The fix is to switch the two calls:

          @Override
    public void setLevel(final Level level) throws SecurityException {
        super.doSetLevel(level);
        logger.setLevel(LevelTranslator.toLevel(level));
    }

      Attachments

        Issue Links

          is related to

          New Feature - A new feature of the product, which has yet to be developed. LOG4J2-3476 Support JUL ApiLogger::setLevel

          • Major - Major loss of function.
          • Closed

          Activity

            People

              Unassigned Unassigned
              ggregory Gary D. Gregory
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: