General updates
git-svn-id: https://svn.apache.org/repos/asf/jakarta/commons/proper/logging/trunk@476777 13f79535-47bb-0310-9956-ffa450edef68
@@ -58,7 +58,9 @@ behaviour. In earlier releases, this method did not use an AccessController when
|
|||||||
obtaining the context classloader. In version 1.1 it did. In this release, it has
|
obtaining the context classloader. In version 1.1 it did. In this release, it has
|
||||||
reverted to not using an AccessController; any user-level code that needs to obtain a
|
reverted to not using an AccessController; any user-level code that needs to obtain a
|
||||||
context classloader should itself create an AccessController, and call the
|
context classloader should itself create an AccessController, and call the
|
||||||
LogFactory.getContextClassLoader method via the doPrivileged method.
|
LogFactory.getContextClassLoader method via the doPrivileged method. This fixes a
|
||||||
|
potential security issue, where untrusted code could get access to the context
|
||||||
|
classloader if a signed JCL library was in the classpath.
|
||||||
|
|
||||||
== Dependencies ==
|
== Dependencies ==
|
||||||
|
|
||||||
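Review bot: The added sentence closing the getContextClassLoader paragraph gives "a signed JCL library" as the precondition, but what untrusted callers would have borrowed through doPrivileged is the set of permissions a policy grants to that library, and a signature by itself grants none. The Bugs Fixed section of this same file writes "signing/authorising"; using "signed/authorised" here would be consistent and more accurate. While this paragraph is being touched, the unchanged instruction to "create an AccessController" should also be reworded: java.security.AccessController cannot be instantiated, so the text should tell callers to invoke AccessController.doPrivileged with a PrivilegedAction that calls LogFactory.getContextClassLoader.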
@@ -85,12 +87,13 @@ File commons-logging-api-nn.jar provides minimal adapters to external logging
|
|||||||
libraries, just the internally implemented SimpleLog and NoOpLog classes
|
libraries, just the internally implemented SimpleLog and NoOpLog classes
|
||||||
plus Jdk14Logger (which is currently required by Apache Tomcat).
|
plus Jdk14Logger (which is currently required by Apache Tomcat).
|
||||||
|
|
||||||
This jar file may be used as a declared dependency for projects that care about
|
The file commons-logging-api-nn.jar may be used as a declared dependency for
|
||||||
"transitive dependencies" and can't handle jar files such as commons-logging-nn.jar
|
projects that care about "transitive dependencies" and can't handle jar files
|
||||||
which have "optional" dependencies depending on how they are used. In addition,
|
such as commons-logging-nn.jar which have "optional" dependencies depending on
|
||||||
this jar file can be useful for "rebundlers" of JCL who recompile the source-code
|
how they are used. In addition, this jar file can be useful for "rebundlers" of
|
||||||
but who may not be able to recompile against the full set of supported adapters;
|
JCL who recompile the source-code but who may not be able to recompile against
|
||||||
such projects should be able to at least recreate an equivalent of this jar file.
|
the full set of supported adapters; such projects should be able to at least
|
||||||
|
recreate an equivalent of this jar file.
|
||||||
|
|
||||||
== General Notes ==
|
== General Notes ==
|
||||||
|
|
||||||
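Review bot: The only wording change in this paragraph is "This jar file" becoming "The file commons-logging-api-nn.jar" in its first sentence, yet the whole paragraph is re-wrapped, so every line shows as changed and the edit is hard to spot in review. Consider keeping the original line breaks here, or doing the reflow in a separate whitespace-only commit. The two later occurrences of "this jar file" still read correctly after the first sentence names the file.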
@@ -108,19 +111,37 @@ Software Foundation licensing rules. The terms and conditions are unaltered;
|
|||||||
this merely affects how those are presented in the source files. See
|
this merely affects how those are presented in the source files. See
|
||||||
http://www.apache.org/legal/src-headers.html
|
http://www.apache.org/legal/src-headers.html
|
||||||
|
|
||||||
|
This release can be built/tested with maven 2.0.4. Maven 1.x and Ant continue
|
||||||
|
to be supported.
|
||||||
|
|
||||||
== Bugs Fixed ==
|
== Bugs Fixed ==
|
||||||
|
|
||||||
* LOGGING-106: JCL 1.1 was completely unusable under a security policy that prevented
|
* LOGGING-106: JCL 1.1 was completely unusable under a security policy that prevented
|
||||||
access to system properties. Even signing/authorising the JCL library was not
|
access to system properties. Even signing/authorising the JCL library was not
|
||||||
sufficient. This has been fixed by (a) catching SecurityException and falling back
|
sufficient. This has been fixed by (a) catching SecurityException and falling back
|
||||||
to a sensible default, and (b) using AccessController so JCL can be granted
|
to a sensible default, and (b) using AccessController so JCL can be granted
|
||||||
privileges without needing the caller to have them too.
|
privileges without needing the caller to have them too.
|
||||||
|
|
||||||
* LOGGING-107: JCL 1.1 auto-discovery failed under a security policy that prevented
|
* LOGGING-107: JCL 1.1 auto-discovery failed under a security policy that prevented
|
||||||
calls to ClassLoader.getParent. Signing/authorising the JCL library was not
|
calls to ClassLoader.getParent. Signing/authorising the JCL library was not
|
||||||
sufficient as an AccessController was not used. This has been fixed by catching
|
sufficient as an AccessController was not used. This has been fixed by catching
|
||||||
SecurityException and using an AccessController.
|
SecurityException and using an AccessController.
|
||||||
|
|
||||||
|
* MEV-392 (http://jira.codehaus.org/browse/MEV-392)
|
||||||
|
As JCL didn't provide a Maven2 pom.xml file, one was helpfully created by people
|
||||||
|
not involved with the commons-logging project and published to the standard maven
|
||||||
|
repositories. Unfortunately this pom declared normal dependencies on all the logging
|
||||||
|
libraries that are supported by the core JCL distribution, meaning they all get pulled
|
||||||
|
into a project that declares a dependency on JCL1.1. This release now provides an
|
||||||
|
"official" pom.xml which declares these dependencies as optional so they aren't
|
||||||
|
automatically included in projects that depend on JCL 1.1.1.
|
||||||
|
|
||||||
|
* (no bug#): Fix thread-safety bug (SimpleDateFormat.format is not thread-safe).
|
||||||
|
Thanks to Martin Wilson of bright-interactive for the bug report.
|
||||||
|
|
||||||
|
* (no bug#): Security issue regarding access to context classloader (see incompatibilities
|
||||||
|
section above).
|
||||||
|
|
||||||
DEPRECATIONS:
|
DEPRECATIONS:
|
||||||
============
|
============
|
||||||
|
|
||||||
|
|||||||
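Review bot: The new "(no bug#): Security issue regarding access to context classloader" entry under Bugs Fixed only points back to the incompatibilities section, so a reader scanning the fix list cannot tell what changed. State it in the entry itself: LogFactory.getContextClassLoader no longer uses an AccessController, and callers that need the privilege must wrap the call in doPrivileged themselves. This matters because LOGGING-106 and LOGGING-107 just above say the fix was "using an AccessController", which reads as the opposite direction; one clause saying those entries cover system-property access and ClassLoader.getParent, not the context classloader lookup, would remove the apparent contradiction. Smaller points in the same hunk: the MEV-392 entry writes "JCL1.1" once and "JCL 1.1.1" once, and the SimpleDateFormat entry does not name the class in which the thread-safety bug was fixed.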