Description
When deploying Log4J2 in an applet, several API and Core classes make direct, unchecked attempts to pull in system properties via System.getProperty(...), Integer.getInteger, and Boolean.getBoolean. A sandboxed applet unfortunately may not access arbitrary system properties. PropertiesUtil seems to handle this issue, but not all of Core uses this utility, nor do a few classes in the API.
The resulting exception looks like:
Caused by: java.security.AccessControlException: access denied (java.util.PropertyPermission log4j2.status.entries read)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
    at java.lang.System.getProperty(Unknown Source)
    at java.lang.Integer.getInteger(Unknown Source)
    at java.lang.Integer.getInteger(Unknown Source)
    at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:48)
    ... 27 more
I've created a patch (to follow) which resolves these issues. Unfortunately, some code in my patch is duplicated or very similar between the API and Core – PropertiesUtil lives in Core, and I wasn't comfortable relocating it to the API without discussion/review. Instead, I introduced a minimal version of the code to the API module.
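The failure mode described above, as an added example that is not the reporter's patch and not Log4j's PropertiesUtil: a property reader that treats a denied PropertyPermission as "use the default" instead of letting the exception escape a static initializer. The class name SafeProps, the injectable lookup function, and the default value 200 are assumptions made for this sketch; the denying lookup stands in for a sandbox so the example runs without installing a SecurityManager.

```java
import java.util.function.Function;

// Hypothetical helper (not Log4j's PropertiesUtil): reads system properties
// but degrades to a default when the sandbox denies PropertyPermission.
public final class SafeProps {
    private final Function<String, String> lookup;

    public SafeProps(Function<String, String> lookup) { this.lookup = lookup; }

    public static SafeProps system() { return new SafeProps(System::getProperty); }

    public String getString(String name, String def) {
        try {
            String v = lookup.apply(name);
            return v != null ? v : def;
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException; never let it
            // escape into a static initializer, where it would surface as
            // ExceptionInInitializerError and make the class unusable.
            return def;
        }
    }

    public int getInt(String name, int def) {
        String v = getString(name, null);
        if (v == null) return def;
        try {
            return Integer.decode(v.trim()); // same parsing as Integer.getInteger
        } catch (NumberFormatException e) {
            return def;
        }
    }

    public boolean getBoolean(String name, boolean def) {
        String v = getString(name, null);
        return v == null ? def : Boolean.parseBoolean(v.trim());
    }

    public static void main(String[] args) {
        // Constructed stand-in for a sandbox that denies every property read.
        SafeProps denied = new SafeProps(n -> {
            throw new SecurityException("access denied (PropertyPermission " + n + " read)");
        });
        // 200 is a constructed default for this demo.
        System.out.println(denied.getInt("log4j2.status.entries", 200));
        System.out.println(SafeProps.system().getString("java.version", "?"));
    }
}
```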