[ 
https://issues.apache.org/jira/browse/LOG4J2-238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13976344#comment-13976344
 ] 

Matt Sicker commented on LOG4J2-238:
------------------------------------

So it looks like we've got a couple of issues with the use of sun.misc.Unsafe. 
First of all, you can't use this class at all without either having no security 
context or at least having some reflection permissions (which tends to allow 
one to completely destroy any and all security in Java at that point; it's the 
god permission). In that regard, I find it amusing that LMAX disruptor 
[bypasses the security check via reflection|https://github.com/LMAX-Exchange/disruptor/blob/master/src/main/java/com/lmax/disruptor/util/Util.java#L102]
instead of bothering with the 
[getUnsafe method|http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/37392f2f5d59/src/share/classes/sun/misc/Unsafe.java#l87]
(which does its own security check by seeing if the calling class has a 
ClassLoader; not sure why that's supposed to work).

When it comes to disruptor, the Unsafe class is only used in two places: 
[Sequence|https://github.com/LMAX-Exchange/disruptor/blob/master/src/main/java/com/lmax/disruptor/Sequence.java]
and 
[MultiProducerSequencer|https://github.com/LMAX-Exchange/disruptor/blob/master/src/main/java/com/lmax/disruptor/MultiProducerSequencer.java].
While I commend their efforts at keeping all the code in Java, when it comes 
to manipulating things at this level, some of this code might be better off as 
JNI code. At least that would work in OSGi as far as I know.

> OSGi dependency failures in core
> --------------------------------
>
>                 Key: LOG4J2-238
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-238
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 2.0-beta5
>         Environment: OSGi (Eclipse 4.2.2, but I think the issue is generic 
> OSGi)
>            Reporter: Bob Kerns
>              Labels: OSGi
>         Attachments: 
> 0001-LOG4J2-238-and-Log472-159.-OSGi-coordination-of-API-.patch
>
>
> To get the core module to load, in addition to re-fixing what was almost 
> fixed in LOG4J2-159 I had to make several packages optional.
> * com.lmax.disruptor
> * com.lmax.disruptor.dsl
> * com.lmax.disruptor.util
> These provided a dependency on sun.misc, which I could hack around to make 
> available but isn't normally available in OSGi and thus not a dependency I 
> can easily put into a product. I believe the dependency is on sun.misc.Unsafe 
>  I'd like to use it...
> There is also a direct dependency somewhere on
> * sun.misc (also Unsafe)
> * com.sun.tools.jconsole -- I think this unlikely to be used in an OSGi 
> environment, so optional is appropriate.
> * org.codehaus.jackson
> * org.codehaus.jackson.map
> These would be easy enough to satisfy, but since most people won't need JSON 
> logging, the dependency should be optional.
> I think the correct minimal fix is just to make them all optional in the 
> manifest. Eliminating the need for sun.misc would be a good further step.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
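
An added example, not part of the original message and not code from Log4j or the Disruptor: a probe that looks up sun.misc.Unsafe by name, so the calling class carries no hard dependency on the sun.misc package, and reports whether the class is missing, refused, or usable before a portable fallback is chosen. The names UnsafeProbe and Availability are hypothetical.

```java
import java.lang.reflect.InvocationTargetException;
import java.util.concurrent.atomic.AtomicLong;

// Added example (hypothetical names): probe for sun.misc.Unsafe without a
// compile-time or manifest-level hard dependency on the sun.misc package.
public final class UnsafeProbe {

    enum Availability { AVAILABLE, PACKAGE_NOT_VISIBLE, DENIED }

    static Availability probe(ClassLoader loader) {
        try {
            // Loaded by name, so this class still resolves when sun.misc is
            // not visible to the loader (an optional import in OSGi terms).
            Class<?> unsafe = Class.forName("sun.misc.Unsafe", false, loader);
            // Public accessor; it applies its own check on the calling class.
            unsafe.getMethod("getUnsafe").invoke(null);
            return Availability.AVAILABLE;
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return Availability.PACKAGE_NOT_VISIBLE;
        } catch (InvocationTargetException e) {
            // getUnsafe itself threw, e.g. its caller check refused this class.
            return Availability.DENIED;
        } catch (ReflectiveOperationException | SecurityException e) {
            // A security manager or access rules blocked the reflective lookup.
            return Availability.DENIED;
        }
    }

    public static void main(String[] args) {
        Availability result = probe(UnsafeProbe.class.getClassLoader());
        System.out.println("sun.misc.Unsafe: " + result);
        if (result != Availability.AVAILABLE) {
            // Portable path: needs no reflection permission or sun.misc import.
            AtomicLong sequence = new AtomicLong(-1L);
            System.out.println("fallback sequence -> " + sequence.incrementAndGet());
        }
    }
}
```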
