
Hi Ceki,

Firstly, I want to say thank you very much for your great contribution to open source!! (And thanks to the logback team for the initiative.) So many people use log4j! (And in the future, logback.)

About the security need: it's the same as the one which is implemented in the java.util.logging package: prevent unauthorized users or code from programmatically modifying the logging configuration.

Browsing your code, I think you can add this security check in the GenericConfigurator methods, or maybe at a higher level, i.e. the ContextAwareBase class (maybe to secure the setContext method).

How to do it? That's straightforward: you need to decide whether all these methods require the same permission, or whether you want to selectively give access depending on the user/code-specific LoggingPermission. Imagine all logging configuration access is enabled with LoggingPermission("control"), like in java.util.logging; i.e., if the user or code has the LoggingPermission, you will grant access to the protected method.

How to do the security check: you only have to insert at the start of your method:

    if (System.getSecurityManager() != null) {
        AccessController.checkPermission(new LoggingPermission("control", null));
    }

And that's all!! If the SecurityManager is not enabled, you will not have a security check, and if it's enabled, the security architecture will do the security check for you. If access is granted, it will continue silently; otherwise, a SecurityException will be raised. Simple and elegant, in my opinion.

Do you need other details?

Cheers,
Charles.
www.jguard.net

Ceki Gülcü-3 wrote:
Hi Charles,
At 02:22 PM 11/30/2006, you wrote:
Hi, one major advantage (to me, I acknowledge ;-) ) of the java.util.logging package over log4j and other logging libraries is its security. It uses the underlying Java security infrastructure by securing logs with LoggingPermission use. Have you any plan to use LoggingPermission?
We had no specific plans to add security given demand for it has been (surprisingly) weak. However, the idea is definitely worth consideration.
It can be used very easily to control any logging configuration change. Another use case can stand on LoggingPermission to prevent some programmers from using loggers of some packages, for example.
Could you summarize the say 2 or 3 most important security checks you would like to see added?
If you are interested in implementing this feature, I can help you to understand Java security internals if needed.
Thank you for the kind offer. We are interested in adding security. Would you care to contribute actual code?
cheers,
Charles GAY www.jguard.net
-- Ceki Gülcü Logback: The reliable, generic, fast and flexible logging framework for Java. http://logback.qos.ch
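The check described in the message, placed in a configuration setter and exercised with and without a SecurityManager, as an added example (not code from the thread or from logback). `GuardedConfigurator` and its methods are hypothetical names, and the demo assumes a JDK that still allows installing a SecurityManager at runtime (Java 8 to 17) with the default policy, which grants no LoggingPermission to application code.

```java
import java.util.logging.LoggingPermission;

/** Hypothetical stand-in for a logging configurator; not logback's own class. */
public class GuardedConfigurator {
    // Same permission java.util.logging uses; the actions argument must be null or "".
    private static final LoggingPermission CONTROL = new LoggingPermission("control", null);

    private String level = "INFO";

    /** Throws SecurityException if a SecurityManager is installed and the caller lacks the permission. */
    static void checkControl() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(CONTROL);
        }
    }

    /** Configuration change: guarded, and checked before any state is modified. */
    public void setLevel(String newLevel) {
        checkControl();
        this.level = newLevel;
    }

    /** Reads are left unguarded in this sketch. */
    public String getLevel() {
        return level;
    }

    public static void main(String[] args) {
        GuardedConfigurator c = new GuardedConfigurator();

        // No SecurityManager installed: the check is skipped and the change goes through.
        c.setLevel("DEBUG");
        System.out.println("without SecurityManager: level = " + c.getLevel());

        // Install the default SecurityManager; the default policy does not grant
        // LoggingPermission "control" to this class, so the next change is refused.
        System.setSecurityManager(new SecurityManager());
        try {
            c.setLevel("TRACE");
            System.out.println("unexpected: change allowed");
        } catch (SecurityException e) {
            System.out.println("with SecurityManager: denied, level stays " + c.getLevel());
        }
    }
}
```

To authorize trusted code, the policy file would carry a grant such as `permission java.util.logging.LoggingPermission "control";` for that code's codeBase.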