[JIRA] Created: (LBCLASSIC-304) Moving from log4j to logback classic breaks java.policy.security behavior

Moving from log4j to logback classic breaks java.policy.security behavior
-------------------------------------------------------------------------

Key: LBCLASSIC-304
URL: http://jira.qos.ch/browse/LBCLASSIC-304
Project: logback-classic
Issue Type: Bug
Affects Versions: 1.0.0
Environment: CentOS 5.7
Reporter: Andrew Bourgeois
Assignee: Logback dev list

Hello

Simply replacing the log4j libraries with the logback ones breaks my RMI server at runtime.

Please take the following code:

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.policy", "./src/main/config/java.policy");
        logger.debug("Policy location: {}", System.getProperty("java.security.policy"));
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new RMISecurityManager());
        }
        System.setProperty("java.security.policy", "./src/main/config/java.policy");
    }

And the following stacktrace:

    01:05:37.702 [main] DEBUG be.removed.fun.removed.TestMain - Policy location: ./src/main/config/java.policy
    Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission java.security.policy write)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.System.setProperty(System.java:725)
        at be.removed.fun.removed.TestMain.main(TestMain.java:18)

Somehow logback broke it, I can't even set a property anymore while I was able to read it before (I tested it, reading properties gives the same results).

FYI: If I put the "java.policy" file into my $JAVA_HOME/jre/lib/security, the file IS taken into account.

POM.xml before operation:

    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.6.0</version>
    </dependency>
    <dependency>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
        <version>1.2.16</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
        <version>1.6.0</version>
    </dependency>

POM.xml after operation:

    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.6.0</version>
    </dependency>
    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
        <version>1.0.0</version>
    </dependency>
    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>1.0.0</version>
    </dependency>

Andrew

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://jira.qos.ch/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira

[ http://jira.qos.ch/browse/LBCLASSIC-304?page=com.atlassian.jira.plugin.syste... ]

Ceki Gulcu commented on LBCLASSIC-304:
--------------------------------------

Have you modified the java.policy file when moving to logback? Do you need to grant logback permissions? What happens when you revert to log4j?

[ http://jira.qos.ch/browse/LBCLASSIC-304?page=com.atlassian.jira.plugin.syste... ]

Andrew Bourgeois commented on LBCLASSIC-304:
--------------------------------------------

The java.policy file didn't change. It's (for simplicity):

    grant {
        permission java.security.AllPermission;
    };

Once I revert back to log4j (by just changing the 3 entries in the POM) everything is fine.

You can't reproduce it? Let me know if you can't, and I'll try to narrow it down to a project with only this class and only those entries in its POM, then upload it here.

While I think that you're smart enough to figure out what lines I didn't post in the original issue, here's all of it:

    package be.removed.fun.removed;

    import java.rmi.RMISecurityManager;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    public class TestMain {
        private static final Logger logger = LoggerFactory.getLogger(TestMain.class);

        public static void main(String[] args) throws Exception {
            System.setProperty("java.security.policy", "./src/main/config/java.policy");
            logger.debug("Policy location: {}", System.getProperty("java.security.policy"));
            if (System.getSecurityManager() == null) {
                System.setSecurityManager(new RMISecurityManager());
            }
            System.setProperty("java.security.policy", "./src/main/config/java.policy");
        }
    }

[ http://jira.qos.ch/browse/LBCLASSIC-304?page=com.atlassian.jira.plugin.syste... ]

Ceki Gulcu commented on LBCLASSIC-304:
--------------------------------------

What happens if you remove the lines related to logging? Try this:

    import java.rmi.RMISecurityManager;

    public class Main {
        public static void main(String[] args) throws Exception {
            System.setProperty("java.security.policy", "java.policy");
            if (System.getSecurityManager() == null) {
                System.setSecurityManager(new RMISecurityManager());
            }
            System.setProperty("java.security.policy", "./src/main/config/java.policy");
        }
    }

Do you get a SecurityException or not? I bet that you do and in that case logback is not to blame.

[ http://jira.qos.ch/browse/LBCLASSIC-304?page=com.atlassian.jira.plugin.syste... ]

Andrew Bourgeois commented on LBCLASSIC-304:
--------------------------------------------

This code runs indeed! Would you mind telling me what's wrong then? With log4j this works fine, and I have no idea why it breaks with logback-classic.

[ http://jira.qos.ch/browse/LBCLASSIC-304?page=com.atlassian.jira.plugin.syste... ]

Ceki Gulcu commented on LBCLASSIC-304:
--------------------------------------

What do you mean by "the code runs indeed"?

[ http://jira.qos.ch/browse/LBCLASSIC-304?page=com.atlassian.jira.plugin.syste... ]

Andrew Bourgeois commented on LBCLASSIC-304:
--------------------------------------------

I wanted to say "This code runs FINE indeed", so yes, without exceptions.

Sorry that I reported this as a bug. I did it because I saw something similar with JRuby in the past (it did something with the classloaders of JDBC (see: http://jira.codehaus.org/browse/JRUBY-5528)), and it was a bug.
participants (2)
-
Andrew Bourgeois (JIRA)
-
Ceki Gulcu (JIRA)