[JIRA] Created: (LBCLASSIC-263) Logback Classic causes SecurityException

Logback Classic causes SecurityException
----------------------------------------

Key: LBCLASSIC-263
URL: http://jira.qos.ch/browse/LBCLASSIC-263
Project: logback-classic
Issue Type: Bug
Affects Versions: 0.9.28
Reporter: NC
Assignee: Logback dev list

PackagingDataCalculator invokes Class.getClassLoader(). This method throws a SecurityException when running under a security manager and that manager denies access to the ClassLoader. I'm submitting a PackagingDataCalculator patch which wraps the getClassLoader() invocation in a doPrivileged block. This allows these calls to succeed when the getClassLoader RuntimePermission is granted to logback-classic.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://jira.qos.ch/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

NC updated LBCLASSIC-263:
-------------------------
Attachment: PackagingDataCalculator.diff

Added PackagingDataCalculator patch. Please let me know if there are any problems with this format.

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

NC commented on LBCLASSIC-263:
------------------------------
What can I do to facilitate getting this patch incorporated into the next release? I've been applying the patch to our production server for several releases before finally getting it posted here, and would rather not have to continue doing so now.

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

Ceki Gulcu commented on LBCLASSIC-263:
--------------------------------------
Hello,

Is the invocation Class.getClassLoader() in PackagingDataCalculator the only time you see SecurityExceptions thrown by logback under a SecurityManager?

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

Ceki Gulcu edited comment on LBCLASSIC-263 at 7/7/11 7:27 PM:
--------------------------------------------------------------
Hello,

Is the invocation Class.getClassLoader() in PackagingDataCalculator the only place where you see a SecurityException thrown by a SecurityManager?

was (Author: noreply.ceki@qos.ch):
Hello,

Is the invocation Class.getClassLoader() in PackagingDataCalculator the only time you see SecurityExceptions thrown by logback under a SecurityManager?

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

NC commented on LBCLASSIC-263:
------------------------------
Yes, it is. With this patch applied we have not encountered any SecurityExceptions. I remember spending a bit of time looking around the code to see if anything else might eventually cause a problem, but didn't see anything obvious.

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

Ceki Gulcu resolved LBCLASSIC-263.
----------------------------------
Resolution: Won't Fix

I've added a new method getClassLoaderAsPrivileged in the ch.qos.logback.core.util.Loader class which was changed as follows:

    package ch.qos.logback.core.util;

    import java.security.AccessControlException;
    import java.security.AccessController;
    import java.security.PrivilegedAction;

    public class Loader {

      private static boolean HAS_GET_CLASS_LOADER_PERMISSION = false;

      // Probe once, at class initialization, whether this code source has been
      // granted RuntimePermission "getClassLoader".
      static {
        HAS_GET_CLASS_LOADER_PERMISSION =
            AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
              public Boolean run() {
                try {
                  AccessController.checkPermission(
                      new RuntimePermission("getClassLoader"));
                  return true;
                } catch (AccessControlException e) {
                  return false;
                }
              }
            });
      }

      // Returns null when the permission is missing, otherwise fetches the
      // class loader inside a doPrivileged block.
      public static ClassLoader getClassLoaderAsPrivileged(final Class clazz) {
        if (!HAS_GET_CLASS_LOADER_PERMISSION)
          return null;
        else
          return AccessController.doPrivileged(
              new PrivilegedAction<ClassLoader>() {
                public ClassLoader run() {
                  return clazz.getClassLoader();
                }
              });
      }
    }

The changes were committed in [1]. However, I did not change PackagingDataCalculator to use Loader#getClassLoaderAsPrivileged due to performance reasons. Collecting packaging data is already rather expensive and I do not wish to add to the cost.

You have two options:

1) make the single line change yourself
2) add %ex at the end of your conversion patterns. This will avoid using the default %xEx. See [2] for documentation.

[1] http://github.com/ceki/logback/commit/75da45d0f69
[2] http://logback.qos.ch/manual/layouts.html#xThrowable

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

NC commented on LBCLASSIC-263:
------------------------------
You're right, assuming a security manager would impose a performance penalty. Altering PackagingDataCalculator as follows would avoid the penalty:

    if (System.getSecurityManager() == null)
      lastExactClassLoader = callerClass.getClassLoader();
    else
      lastExactClassLoader = Loader.getClassLoaderAsPrivileged(callerClass);

When not running under a security manager the ClassLoader is obtained in the usual manner, yet everything still works, out of the box, if a security manager is in place. This provides the best of both worlds with only a simple check. System.getSecurityManager() is not expensive.

[ http://jira.qos.ch/browse/LBCLASSIC-263?page=com.atlassian.jira.plugin.syste... ]

NC commented on LBCLASSIC-263:
------------------------------
I'll add that the logic could obviously be encapsulated in a Loader.getClassLoader(Class) method for future reuse and cleaner code.
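The encapsulation suggested in the last comment, sketched as an added example (not code from logback or from either participant): the class and method names are hypothetical, and unlike the Loader code in the thread it catches the SecurityException on each call instead of caching a permission probe. It assumes a JDK on which the SecurityManager is still supported.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration. ClassLoaderAccess and getClassLoader are hypothetical
// names, not part of logback's API.
public final class ClassLoaderAccess {

    private ClassLoaderAccess() {}

    // Package-private on purpose: the method hands the loader back to its
    // caller, so exposing it publicly would let less-privileged code obtain
    // class loaders it could not get by calling Class.getClassLoader() itself.
    static ClassLoader getClassLoader(final Class<?> clazz) {
        // Fast path: with no security manager installed there is no permission
        // check to satisfy, so skip the doPrivileged overhead entirely.
        if (System.getSecurityManager() == null) {
            return clazz.getClassLoader();
        }
        try {
            // doPrivileged ends the permission check at this frame, so only this
            // class's code source needs RuntimePermission "getClassLoader";
            // callers further up the stack are not consulted.
            return AccessController.doPrivileged(
                new PrivilegedAction<ClassLoader>() {
                    public ClassLoader run() {
                        return clazz.getClassLoader();
                    }
                });
        } catch (SecurityException e) {
            // Permission not granted to this code source: report "unknown"
            // rather than let the exception escape from a logging call.
            return null;
        }
    }

    public static void main(String[] args) {
        // An application class reports its defining loader; String is loaded
        // by the bootstrap loader, which Class.getClassLoader() reports as null.
        System.out.println(getClassLoader(ClassLoaderAccess.class));
        System.out.println(getClassLoader(String.class));
    }
}
```

A null result is ambiguous here: it can mean either the bootstrap loader or a denied permission, so callers must treat it as "no packaging data available" in both cases.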