Hi Ralph, On Mon, 22 Aug 2022 at 09:50, Ralph Goers <ralph.go...@dslextreme.com> wrote: > It looks to me that the issue in 2.18.0 is that ServiceLoaderUtil is > accessing ServiceLoader via a MethodHandle and that must be requiring the > SecurityManager. We are using MethodHandlers so that it will work properly in > a JPMS environment. One solution that I think would work for this would be to > check if JPMS is active and if not directly call ServiceLoader.
I did some more digging and `ServiceLoaderUtil` is failing, because the call stack contains classes that do not have access to `META-INF/services` resources (`log4j-api` of course has access to it). I added some reflection magic to PR #1008 to perform an `AccessController.doPriviledged(() -> ServiceLoader.load(serviceType. classLoader)` using the caller's domain. This should prevent other code from loading services using Log4j2 permissions, but at the same time requires a lot of reflection permissions from the Log4j2 API itself. I believe the Log4j2 API should at least have an "accessInPackage" permission for each caller's package. Piotr [1] https://github.com/apache/logging-log4j2/pull/1008
