Uploaded image for project: 'Log4j 2'
  1. Log4j 2
  2. LOG4J2-1110

org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.3
    • 2.4
    • JUL adapter
    • None

    Description

      org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late.

      The JUL Javadocs https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html#setLevel(java.util.logging.Level) state:

      Throws:
      SecurityException - if a security manager exists and if the caller does not have LoggingPermission("control").

      Our impl org.apache.logging.log4j.jul.CoreLogger.setLevel(Level):

          @Override
          public void setLevel(final Level level) throws SecurityException {
              logger.setLevel(LevelTranslator.toLevel(level));
              super.doSetLevel(level);
          }
      

      Checks for perms through super.doSetLevel(level) which is too late since our logger is already modified.

      The fix is to switch the two calls:

          @Override
          public void setLevel(final Level level) throws SecurityException {
              super.doSetLevel(level);
              logger.setLevel(LevelTranslator.toLevel(level));
          }
      

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              ggregory Gary D. Gregory
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: