Log4j 2
  1. Log4j 2
  2. LOG4J2-150

Applet: AccessControlException from System.getProperty(...), Integer.getInteger, and Boolean.getBoolean

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0-beta4
    • Fix Version/s: 2.0-beta4
    • Component/s: API, Core
    • Labels:
      None
    • Environment:

      Firefox 18

      Description

      When deploying Log4J2 in an applet, several API and Core classes make direct, unchecked attempts to pull in system properties via System.getProperty(...), Integer.getInteger, and Boolean.getBoolean. A sandboxed applet unfortunately may not access arbitrary system properties. PropertiesUtil seems to handle for this issue, but not all Core uses this utility, nor do a few classes in the API.

      The resulting exception looks like:
      Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission log4j2.status.entries read)
      at java.security.AccessControlContext.checkPermission(Unknown Source)
      at java.security.AccessController.checkPermission(Unknown Source)
      at java.lang.SecurityManager.checkPermission(Unknown Source)
      at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
      at java.lang.System.getProperty(Unknown Source)
      at java.lang.Integer.getInteger(Unknown Source)
      at java.lang.Integer.getInteger(Unknown Source)
      at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:48)
      ... 27 more

      I've created a patch (to follow) which resolves these issues. Unfortunately, some code in my patch is duplicated or very similar between the API and Core – PropertiesUtil lives in Core, and I wasn't comfortable re-locating it to the API without discussion/review. Instead, I introduced a minimal version of the code to the API module.

        Activity

        Hide
        Scott Severtson added a comment -

        We can verify that Log4J2 can now be safely used in an applet environment.

        Show
        Scott Severtson added a comment - We can verify that Log4J2 can now be safely used in an applet environment.
        Hide
        Ralph Goers added a comment -

        Fixed as of revision 1434589. Please verify and close.

        Show
        Ralph Goers added a comment - Fixed as of revision 1434589. Please verify and close.
        Hide
        Ralph Goers added a comment -

        I added PropsUtil to the API. It should be renamed to PropertiesUtil and the one in core removed. The one in the API allows a properties file to be provided to provide default values for the properties.

        Show
        Ralph Goers added a comment - I added PropsUtil to the API. It should be renamed to PropertiesUtil and the one in core removed. The one in the API allows a properties file to be provided to provide default values for the properties.
        Hide
        Scott Severtson added a comment -

        Patch to resolve direct/indirect access to System.properties from within an Applet.

        Show
        Scott Severtson added a comment - Patch to resolve direct/indirect access to System.properties from within an Applet.

          People

          • Assignee:
            Ralph Goers
            Reporter:
            Scott Severtson
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development