On Jan 30, 2008 5:45 PM, Martin Marinschek <[EMAIL PROTECTED]> wrote:
> However, I do not buy Matthias argument that this is due to security reasons
> - if some intruder gets access to managed-beans, we are hosed anyways. I
> think, from a perspective servicing the user, it would be a good thing if
> the admin could enable debug-output on the fly for an
> application/user-session.
Actually, looking at the code which is triggering the early evaluation
of the debug-output expression, from the very end of
ConfigParser.parseConfigFile():
if (_LOG.isInfo())
{
Object debug = bean.getProperty(RequestContextBean.DEBUG_OUTPUT_KEY);
if (Boolean.TRUE.equals(debug))
_LOG.info("RUNNING_IN_DEBUG_MODE",_CONFIG_FILE);
}
Perhaps the answer is to delay logging this message until a bit later
in the lifecycle (ie. until after the FacesContext is known to be
available).
Andy
