On 17/03/2011 9:53 PM, Steve Davis wrote:

Is it possible to configure logback so that most loggers' levels are modifiable via JMX, but restrict manipulation of certain loggers? E.g., enable the JMX Configurator for the root logger, but disable it for specific loggers with additivity="false"? It appears that the<jmxConfigurator /> element can only appear at the top level of a<configuration> block.

The goal, for my application, is to allow user control of logging in the field, for debugging, but not allow anyone to disable certain loggers that handle security-related events. Preferably, those loggers wouldn't even show up in as attributes in jconsole.

(This is a Java desktop app, not web.)

I've come across this problem very recently. It is possible to add a a guard (a logback component which listens to events) designed to prevent specified loggers from being modified. While such a component will stop non-malicious users, an attacker could uninstall the said guard and bypass the checks you've put in place. One solution is to raise an alert when the guard is uninstalled. I intend to implement such a guard very soon. HTH, -- QOS.ch, main sponsor of cal10n, logback and slf4j open source projects, is looking to hire talented software developers. For further details, see http://logback.qos.ch/job.html