Hello,

I have a small HelloWorld to test the issue. 
https://github.com/apache/logging-log4j2/pull/1008 works with it, the 
privileges are obtained from the caller, both in a positive (caller is the 
appserver) and a negative (caller is the app) way.

LOG4J2-3579 is a blocker for integrating 2.18.0 in WildFly, would it be possible 
to release 2.18.1 soon? Could you provide a tag for 2.18.1 in git, please? 
2.18.0 has only been released to Maven Central, without a tag.

Regards
Boris

> Ralph Goers <ralph.go...@dslextreme.com> wrote on 22.08.2022 09:50 CEST:
> 
>  
> If we don’t have permission to use ServiceLoader, Log4j will simply fail to 
> initialize with anything other than SimpleLoggerContextFactory (i.e. 
> nothing in log4j-core will work). 
> 
> It looks to me that the issue in 2.18.0 is that ServiceLoaderUtil is 
> accessing ServiceLoader via a MethodHandle and that must be requiring the 
> SecurityManager. We are using MethodHandles so that it will work properly in 
> a JPMS environment. One solution that I think would work for this would be to 
> check if JPMS is active and, if not, directly call ServiceLoader.
> 
> Ralph
> 
> 
> > On Aug 21, 2022, at 9:31 AM, . . <bu.apa...@mail.unckel.net> wrote:
> > 
> > Hello all,
> > 
> > thanks Piotr for taking care of the topic. One thing to consider:
> > 
> >> The environment and system properties sources are protected by internal 
> >> Java security checks,... 
> > 
> > Unfortunately not after applying the fix: PropertiesUtil[1] loads all the 
> > services which provide a PropertySource inside the doPrivileged, including 
> > the default log4j2 implementations[2] which include the system properties 
> > [3]. Both fix approaches are not good at the moment. In practice nearly all 
> > frameworks require Property* permissions, due to caching / loading all etc. 
> > But that is not a good reason to introduce a leak. Maybe an alternative with 
> > more refactoring: Only the really needed properties are loaded, without a 
> > util method, without a service in between. The SecurityExceptions are 
> > thrown and not silently ignored. Any service implementation has to take care 
> > of it itself.
> > 
> > I don't know enough about service loading: Would any service lookup inside 
> > a doPrivileged block cause a constructor to be called inside the same 
> > block? :-(
> > 
> > One thing in general: Could someone explain the use case behind catching 
> > SecurityExceptions and silently dropping them? [4][5][6][7][8] Please 
> > explain it for the case that an authorized administrator with the knowledge 
> > and right to grant permissions wants to set the permissions correctly. Please 
> > explain it for a monitoring system (ELK or something) which is configured 
> > to alert on SecurityExceptions.
> > 
> > The hope of a near end of the SecurityManager must be delayed till December 
> > 2030[9] as long as you want to support Java 8 with log4j2 ;-) Due to very 
> > positive experience in application testing and production I'm not happy 
> > about the deprecation, but that is off-topic.
> > 
> > Regards
> > Boris
> > 
> > [1] https://github.com/apache/logging-log4j2/blob/b734a4f66af868f03dafafe5de92999058096eca/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L477
> > [2] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/resources/META-INF/services/org.apache.logging.log4j.util.PropertySource
> > [3] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L44
> > [4] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L45
> > [5] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L76
> > [6] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L85
> > [7] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L405
> > [8] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L456
> > [9] https://www.oracle.com/java/technologies/java-se-support-roadmap.html
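Added illustration of the privilege leak Boris describes in the quoted message (this is not code from log4j or from the thread): a hypothetical PropertySource-style SPI, a lookup that wraps the whole ServiceLoader iteration in doPrivileged and swallows SecurityException, and a narrowed lookup that does neither. All class and method names are assumptions; exercising it needs a SecurityManager with a policy file and a META-INF/services registration for the provider.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.ServiceLoader;

/** Hypothetical SPI standing in for log4j's PropertySource (name is an assumption). */
public interface DemoPropertySource {
    String getProperty(String key);
}

/** Stand-in for SystemPropertiesPropertySource; registered in META-INF/services/DemoPropertySource. */
class DemoSystemSource implements DemoPropertySource {
    DemoSystemSource() {
        // ServiceLoader instantiates providers lazily while being iterated, so this
        // constructor runs inside whatever doPrivileged block is doing the iteration.
    }
    @Override public String getProperty(String key) {
        // Under a SecurityManager this checks PropertyPermission(key, "read") against
        // every ProtectionDomain on the stack up to the nearest doPrivileged frame.
        return System.getProperty(key);
    }
}

final class DemoPropertiesUtil {
    /** Leaky pattern from the thread: discovery, provider construction and the property
     *  reads they perform all run under doPrivileged, so the stack walk stops at the
     *  library's own domain and the caller's missing PropertyPermission is never checked;
     *  catching SecurityException additionally hides a misconfigured policy from an
     *  administrator or a log-based alert. */
    static String lookupLeaky(String key) {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> {
            try {
                for (DemoPropertySource s : ServiceLoader.load(DemoPropertySource.class)) {
                    String v = s.getProperty(key);
                    if (v != null) return v;
                }
            } catch (SecurityException ignored) { /* silently dropped */ }
            return null;
        });
    }

    /** Narrowed pattern: no privilege elevation around service discovery, and a
     *  SecurityException propagates so the caller's policy has to grant the permission. */
    static String lookupStrict(String key) {
        for (DemoPropertySource s : ServiceLoader.load(DemoPropertySource.class)) {
            String v = s.getProperty(key); // evaluated with the caller's permissions
            if (v != null) return v;
        }
        return null;
    }
}
```

With a policy that denies the application PropertyPermission, lookupLeaky still returns the system property value while lookupStrict throws an AccessControlException that a monitoring rule can see.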
