Uploaded image for project: 'Commons Logging'
  1. Commons Logging
  2. LOGGING-26

Security policy configuration, SimpleLog uses System.getProperties()

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Nightly Builds
    • Fix Version/s: 1.0.3
    • Labels:
      None
    • Environment:

      Operating System: Solaris
      Platform: PC

    • Bugzilla Id:
      9743

      Description

      SimpleLog uses System.getProperties to get a list of existing
      org.apache.commons.logging.* properties.

      If commons-logging is running within an application which uses
      the Java SecurityManager such as Tomcat this requires granting
      java.util.PropertyPermission "*", "read" to not only
      commongs-logging.jar, but all other jar files with classes
      on the stack.

      This makes it impossible to restrict access to reading properties
      for any API's on the stack.

      SimpleLog should get each individual property it needs separately.

      This would apply to any other code which uses System.getProperties() also.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              glenn@apache.org Glenn Nielsen
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: