Re: Running under a SecurityManager
Hello,

I have a small HelloWorld to test the issue. https://github.com/apache/logging-log4j2/pull/1008 works with it; the privileges are obtained from the caller, both in a positive (caller is the appserver) and a negative (caller is the app) way.

LOG4J2-3579 is a blocker to integrate 2.18.0 in WildFly; would it be possible to release 2.18.1 soon? Could you provide a tag for 2.18.1 in git, please? 2.18.0 has only been released to Maven Central, without a tag.

Regards
Boris

> Ralph Goers wrote on 22.08.2022 09:50 CEST:
>
> If we don't have permission to use ServiceLoader Log4j will simply fail to
> initialize with anything other than SimpleLoggerContextFactory (i.e. -
> nothing in log4j-core will work).
>
> It looks to me that the issue in 2.18.0 is that ServiceLoaderUtil is
> accessing ServiceLoader via a MethodHandle and that must be requiring the
> SecurityManager. We are using MethodHandles so that it will work properly in
> a JPMS environment. One solution that I think would work for this would be to
> check if JPMS is active and if not directly call ServiceLoader.
>
> Ralph
>
> > On Aug 21, 2022, at 9:31 AM, . . wrote:
> >
> > Hello all,
> >
> > thanks Piotr for taking care of the topic. One thing to consider:
> >
> > > The environment and system properties sources are protected by internal
> > > Java security checks,...
> >
> > Unfortunately not after applying the fix: PropertiesUtil[1] loads all the
> > services which provide a PropertySource inside the doPrivileged, including
> > the default log4j2 implementations[2], which include the system properties
> > [3]. Both fix approaches are not good at the moment. In practice nearly all
> > frameworks require Property* permissions, due to caching / loading all etc.
> > But that is not a good reason to introduce a leak. Maybe an alternative with
> > more refactoring: only the really needed properties are loaded, without a
> > util method, without a service in between. The SecurityExceptions are
> > thrown and not silently ignored. Any service implementation has to take care
> > of it itself.
> >
> > I don't know enough about service loading: would any service lookup inside
> > a doPrivileged block cause a constructor to be called inside the same
> > block? :-(
> >
> > One thing in general: could someone explain the use case behind catching
> > SecurityExceptions and silently dropping them? [4][5][6][7][8] Please
> > explain it for the case that an authorized administrator with the knowledge
> > and right to grant permissions wants to set the permissions correctly. Please
> > explain it for a monitoring system (ELK or something) which is configured
> > to alert for SecurityExceptions.
> >
> > The hope of a near end of the SecurityManager must be delayed till December
> > 2030[9] as long as you want to support Java 8 with log4j2 ;-) Due to very
> > positive experience in application testing and production I'm not happy
> > about the deprecation, but that is off-topic.
> >
> > Regards
> > Boris
> >
> > [1] https://github.com/apache/logging-log4j2/blob/b734a4f66af868f03dafafe5de92999058096eca/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L477
> > [2] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/resources/META-INF/services/org.apache.logging.log4j.util.PropertySource
> > [3] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L44
> > [4] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L45
> > [5] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L76
> > [6] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/SystemPropertiesPropertySource.java#L85
> > [7] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L405
> > [8] https://github.com/apache/logging-log4j2/blob/release-2.x/log4j-api/src/main/java/org/apache/logging/log4j/util/PropertiesUtil.java#L456
> > [9] https://www.oracle.com/java/technologies/java-se-support-roadmap.html
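The quoted question ("would any service lookup inside a doPrivileged block cause a constructor to be called inside the same block?") can be answered by running it: ServiceLoader instantiates providers lazily while the iterator is advanced, so whatever privilege context is active at iteration time is the context the provider constructor runs in, and on Java 9+ ServiceLoader additionally captures the AccessControlContext at load() time and instantiates providers under it. The program below is an added example written for this page, not code from the thread or from Log4j; the names Demo, PropertySource, SystemPropertySource, lookup and leakyLookup are stand-ins that only mimic the shape of Log4j's PropertySource SPI. It installs a SecurityManager with an all-permissive Policy for its own code base (playing the appserver), then runs two lookups under a synthetic "application" context that may read files but has no PropertyPermission. The provider registration is written to a temporary directory and served through a URLClassLoader so the file runs stand-alone.

```java
import java.io.FilePermission;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.ServiceConfigurationError;
import java.util.ServiceLoader;

public class Demo {

    /** Stand-in for a PropertySource SPI (assumed name, not Log4j's interface). */
    public interface PropertySource {
        String get(String key);
    }

    /** Provider whose constructor touches a guarded resource, like a system-properties source would. */
    public static class SystemPropertySource implements PropertySource {
        public SystemPropertySource() {
            // Executed during ServiceLoader iteration; needs PropertyPermission "user.home" "read".
            System.getProperty("user.home");
        }
        @Override public String get(String key) { return System.getProperty(key); }
    }

    /** "Library" code: the provider constructor runs inside next(), in the caller's context. */
    static PropertySource lookup(ClassLoader loader) {
        return ServiceLoader.load(PropertySource.class, loader).iterator().next();
    }

    /** Leaky variant: the whole lookup, constructor included, runs with the library's privileges. */
    static PropertySource leakyLookup(ClassLoader loader) {
        return AccessController.doPrivileged((PrivilegedAction<PropertySource>) () -> lookup(loader));
    }

    public static void main(String[] args) throws Exception {
        // 1. A throw-away classpath entry carrying the provider registration (constructed inline).
        Path dir = Files.createTempDirectory("spi");
        Path reg = dir.resolve("META-INF/services/" + PropertySource.class.getName());
        Files.createDirectories(reg.getParent());
        Files.write(reg, SystemPropertySource.class.getName().getBytes(StandardCharsets.UTF_8));
        ClassLoader loader = new URLClassLoader(new URL[] { dir.toUri().toURL() }, Demo.class.getClassLoader());

        // 2. This code base is fully trusted (the "appserver"); then turn the SecurityManager on.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        // 3. A synthetic "application" domain: may read its jars, may NOT read system properties.
        Permissions appPerms = new Permissions();
        appPerms.add(new FilePermission("<<ALL FILES>>", "read"));
        AccessControlContext app = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, appPerms) });

        // 4. Run both lookups as the application.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            try {
                leakyLookup(loader);
                System.out.println("leaky:  provider constructed although the app lacks PropertyPermission");
            } catch (ServiceConfigurationError e) {
                System.out.println("leaky:  " + e.getCause());
            }
            try {
                lookup(loader);
                System.out.println("strict: provider constructed");
            } catch (ServiceConfigurationError e) {
                // ServiceLoader wraps the constructor's AccessControlException; a library should let
                // this propagate rather than swallow it, so an admin or a log monitor can see it.
                System.out.println("strict: " + e.getCause());
            }
            return null;
        }, app);
    }
}
```

Run with `javac Demo.java && java Demo` on Java 8 or 11 (the JDKs this thread tests with); Java 18 and later need `-Djava.security.manager=allow`, and Java 24 removed the SecurityManager. The leaky line reports a constructed provider: the doPrivileged frame cuts the stack walk off before the application's context is reached, so the provider constructor reads `user.home` with the library's permissions. The strict line reports a ServiceConfigurationError whose cause is an AccessControlException for `java.util.PropertyPermission "user.home" "read"`: the same constructor, now evaluated against the application's permissions, is denied, and that denial is visible to the caller instead of being caught and dropped.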
Re: Running under a SecurityManager
Hello Piotr,

> Piotr P. Karwasz wrote on 29.08.2022 20:03 CEST:
> The next release (2.19.0) will require updating our Log4j2 -> SLF4J
> and SLF4J -> Log4j2 bridges to SLF4J 2.0. If that is also a blocker
> for Wildfly we'll probably manage to release 2.19.0 before your next
> Wildfly version.

There is a public schedule for WildFly announced[1]; all logging belongs to _WF Core_:

27.0.0.Beta1:
WF Core feature freeze -- Friday Sep 9
WF feature freeze -- Monday Sep 12
Tag and release -- Wednesday Sep 14 / Thur Sep 15

27.0.0.Final:
WF Core feature freeze -- Friday Sep 23
WF feature freeze -- Monday Sep 26
Tag and release -- Wednesday Sep 28 / Thur Sep 29

I assume the update to SLF4J 2.0 and log4j 2.19.0 will be considered a "big" change for the logging subsystem and must be available in the beta. I'm going to prepare a PR for the relevant JBoss Logging dependencies; let's see what James can do.

Regards
Boris

[1] https://lists.jboss.org/archives/list/wildfly-...@lists.jboss.org/thread/UMOETDN6NSQ4ATAUVSBFHGSCIXQOZDAJ/
Re: [VOTE] Release Apache Log4j 2.19.0-rc1
+1

Tested against
* WildFly Core main with -DallTests ( https://github.com/wildfly/wildfly-core/ )
* JBoss Logging 3.4 branch ( https://github.com/jboss-logging/jboss-logging/tree/3.4 )
* Log4j2 JBoss Logmanager main ( https://github.com/jboss-logging/log4j2-jboss-logmanager )

Regards
Boris

> Ralph Goers wrote on 10.09.2022 00:56 CEST:
>
> This is a vote to release Log4j 2.19.0, the next version of the Log4j 2
> project.
>
> Note that the security page on the web site was updated to better describe
> CVE-2021-44228 and CVE-2021-45046. Please review those changes.
>
> Please download, test, and cast your votes on the log4j developers list.
> [] +1, release the artifacts
> [] -1, don't release because...
>
> The vote will remain open for 72 hours. All votes are welcome and we
> encourage everyone to test the release, but only Logging PMC votes are
> "officially" counted. As always, at least 3 +1 votes and more positive than
> negative votes are required.
Re: [VOTE] Release Apache Log4j 2.19.0-rc2
+1

Git tag log4j-2.19.0-rc2 tested with

Apache Maven 3.8.5 (3599d3414f046de2324203b78ddcf9b5e4388aa0)
Maven home: /opt/maven
Java version: 1.8.0_345, vendor: Temurin, runtime: /usr/lib/jvm/temurin-8-jdk/jre
Default locale: de_DE, platform encoding: UTF-8
OS name: "linux", version: "5.19.8-200.fc36.x86_64", arch: "amd64", family: "unix"

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: c:\VHVEntw\apache-maven-3.8.6
Java version: 1.8.0_345, vendor: Temurin, runtime: c:\Program Files\jdk8u345-b01\jre
Default locale: de_DE, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
WinVer 21H2 Build 19044.2006

Maven artifacts orgapachelogging-1089 tested against
* SHA1 checked
* WildFly Core main with -DallTests ( https://github.com/wildfly/wildfly-core/ )
* JBoss Logging 3.4 branch ( https://github.com/jboss-logging/jboss-logging/tree/3.4 )
* Log4j2 JBoss Logmanager main ( https://github.com/jboss-logging/log4j2-jboss-logmanager )

all with

Apache Maven 3.8.5 (3599d3414f046de2324203b78ddcf9b5e4388aa0)
Maven home: /opt/maven
Java version: 11.0.16.1, vendor: Eclipse Adoptium, runtime: /usr/lib/jvm/temurin-11-jdk
Default locale: de_DE, platform encoding: UTF-8
OS name: "linux", version: "5.19.8-200.fc36.x86_64", arch: "amd64", family: "unix"

Regards
Boris

> Ralph Goers wrote on 13.09.2022 22:49 CEST:
>
> This is a vote to release Log4j 2.19.0, the next version of the Log4j 2
> project.
> []
> Tag:
> a) for a new copy do "git clone https://github.com/apache/logging-log4j2.git"
> and then "git checkout tags/log4j-2.19.0-rc2" or just "git clone -b
> log4j-2.19.0-rc2 https://github.com/apache/logging-log4j2.git";
> b) for an existing working copy do "git pull" and then "git checkout
> tags/log4j-2.19.0-rc2"
>
> Web Site: https://logging.staged.apache.org/log4j/2.x/index.html.
>
> Maven Artifacts:
> https://repository.apache.org/content/repositories/orgapachelogging-1089/