Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Log4j2 and Spring 4

Tags:

spring

slf4j

log4j2

I'm not able to make Log4j2 write Spring and Spring Security log messages (the latter I absolutely need to solve an issue) on log file. I've read a lot here and elsewhere (like in the Spring reference, of course) but I cannot make the solutions I found work for my case.

It's important to note that on both the solutions below, mine logging messages and hibernate ones are written correctly on file. The problem affects only Spring messages.

As far as I understand, Spring uses jcl (commons-logging) and there are two ways to let Spring uses Log4j2:

  • simply adding the bridge log4j-jcl (jcl -> log4j2)
  • using SLF4J with jcl-over-jcl and log4j-slf4j-impl (jcl -> slf4j -> log4j2)

I tried to exclude commons-logging from every other dependecy, in order to control manually its inclusion. In the first solution I let it included, in the second I exclude it, but I've seen diverse opinions on the topic. Anyway, in both cases Spring doesn't log.

I can see that hibernate uses jboss-logging. Is this the reason why it works on both configuration? Can its inclusion be a problem for Spring logging?

Can the application server be a problem on this? Maybe some library loaded by default that overrides application libs making a mess?

This is my environment:

  • Java 1.6
  • Servlet 2.5
  • Oracle weblogic 12.1
  • Spring MVC 4.3.4.RELEASE
  • Spring Security 4.2.0.RELEASE
  • Log4j 2.3 (last version compatible with Java 6)
  • Hibernate entity manager 4.2.21.final
  • SLF4J 1.7.22

I guess there is a dependency problem: some library that shouldn't be there or that is missing.

EDIT: From my dependency tree I don't see a dependency of spring-core on commons-logging, like reference says. I can see one of spring-data-jpa on slf4j and on jcl-over-slf4j. The presence of jcl-over-sl4j shluld be the problem, as rgoers suggested. I'll update results...

So this is my pom.xml dependencies section (as you can see there are two different logging dependencies configuration, one commented; both this configuration make mine and hibernate logs working good, but neither of the two makes Spring ones written):

<properties>
    <spring.version>4.3.4.RELEASE</spring.version>
    <spring.security.version>4.2.0.RELEASE</spring.security.version>
    <!--<spring.data.jpa.version>1.10.5.RELEASE</spring.data.jpa.version>-->
    <spring.data.jpa.version>1.7.2.RELEASE</spring.data.jpa.version>
    <thymeleaf.version>3.0.2.RELEASE</thymeleaf.version>
    <log4j.version>2.3</log4j.version>
    <hibernate.validator.version>5.3.2.Final</hibernate.validator.version>
    <hibernate.entitymanager.version>4.2.21.Final</hibernate.entitymanager.version> <!-- LAST VERSION SUPPORTING JPA 2.0 (JPA 2.1 is not supported by WebLogic 12.1.1) -->
    <javax.transaction.version>1.1</javax.transaction.version>
    <oracle.jdbc.version>12.1.0.2</oracle.jdbc.version>
    <querydsl.jpa.version>3.6.9</querydsl.jpa.version>
    <google.guava.version>18.0</google.guava.version>
    <quartz.version>2.2.1</quartz.version>
    <pdfbox.version>2.0.4</pdfbox.version>

</properties>

<dependencies>

    <!-- SPRING SECURITY -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <!-- WEB AND VALIDATION -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>jstl</artifactId>
        <version>1.2</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-validator</artifactId>
        <version>${hibernate.validator.version}</version>
    </dependency>

    <!-- THYMELEAF -->
    <dependency>
        <groupId>org.thymeleaf</groupId>
        <artifactId>thymeleaf</artifactId>
        <version>${thymeleaf.version}</version>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf</groupId>
        <artifactId>thymeleaf-spring4</artifactId>
        <version>${thymeleaf.version}</version>
    </dependency>
    <dependency>
        <groupId>com.github.mxab.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-data-attribute</artifactId>
        <version>2.0.1</version>
    </dependency>

    <!-- LOGGING -->

    <!-- Using JCL -->
    <dependency>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
        <version>1.2</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-web</artifactId>
        <version>${log4j.version}</version>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-jcl</artifactId>
        <version>${log4j.version}</version>
    </dependency>

    <!-- Using SLF4J -->
    <!--
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>jcl-over-slf4j</artifactId>
        <version>1.7.22</version>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-api</artifactId>
        <version>1.7.22</version>
    </dependency>
    &lt;!&ndash;<dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-log4j12</artifactId>
        <version>1.6.1</version>
    </dependency>&ndash;&gt;

    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-slf4j-impl</artifactId>
        <version>${log4j.version}</version>
    </dependency>

    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j.version}</version>
    </dependency>
    &lt;!&ndash;<dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-jcl</artifactId>
        <version>${log4j.version}</version>
    </dependency>&ndash;&gt;
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-web</artifactId>
        <version>${log4j.version}</version>
        <scope>runtime</scope>
    </dependency>
    -->

    <!-- PERSISTENCE LIBRARIES -->
    <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-entitymanager</artifactId>
        <version>${hibernate.entitymanager.version}</version>
    </dependency>
    <dependency>
        <groupId>javax.transaction</groupId>
        <artifactId>jta</artifactId>
        <version>${javax.transaction.version}</version>
    </dependency>

    <!-- SPRING FRAMEWORK COMPONENTS -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-jdbc</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-orm</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.data</groupId>
        <artifactId>spring-data-jpa</artifactId>
        <version>${spring.data.jpa.version}</version>
    </dependency>

    <!-- ORACLE JDBC -->
    <dependency>
        <groupId>com.oracle.jdbc</groupId>
        <artifactId>ojdbc7</artifactId>
        <version>${oracle.jdbc.version}</version>
    </dependency>

    <dependency>
        <groupId>commons-configuration</groupId>
        <artifactId>commons-configuration</artifactId>
        <version>1.10</version>
        <!--<exclusions>
            <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
            </exclusion>
        </exclusions>-->
    </dependency>

    <!-- SPRING-DATA JPA DATATABLES -->
    <dependency>
        <groupId>com.github.darrachequesne</groupId>
        <artifactId>spring-data-jpa-datatables</artifactId>
        <version>3.0</version>
    </dependency>

    <!-- QUERYDSL -->
    <dependency>
        <groupId>com.mysema.querydsl</groupId>
        <artifactId>querydsl-jpa</artifactId>
        <version>${querydsl.jpa.version}</version>
    </dependency>

    <!-- GOOGLE GUAVA UTILS -->
    <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>${google.guava.version}</version>
    </dependency>

    <!-- APACHE PDF BOX -->
    <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>pdfbox</artifactId>
        <version>${pdfbox.version}</version>
        <!--<exclusions>
            <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
            </exclusion>
        </exclusions>-->
    </dependency>
    <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>fontbox</artifactId>
        <version>${pdfbox.version}</version>
        <!--<exclusions>
            <exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
            </exclusion>
        </exclusions>-->
    </dependency>
    <dependency>
        <groupId>org.apache.pdfbox</groupId>
        <artifactId>pdfbox-tools</artifactId>
        <version>${pdfbox.version}</version>
    </dependency>

    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-io</artifactId>
        <version>1.3.2</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-csv</artifactId>
        <version>1.1</version>
    </dependency>

    <!-- ESAPI security features (prevent sql injection during password change -->
    <dependency>
        <groupId>org.owasp.esapi</groupId>
        <artifactId>esapi</artifactId>
        <version>2.1.0.1</version>
        <exclusions>
            <!--<exclusion>
                <groupId>commons-logging</groupId>
                <artifactId>commons-logging</artifactId>
            </exclusion>-->
            <exclusion>
                <groupId>log4j</groupId>
                <artifactId>log4j</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.quartz-scheduler</groupId>
        <artifactId>quartz</artifactId>
        <version>${quartz.version}</version>
    </dependency>
    <dependency>
        <groupId>org.quartz-scheduler</groupId>
        <artifactId>quartz-jobs</artifactId>
        <version>${quartz.version}</version>
    </dependency>


</dependencies>

And this is my log4j2 configuration. But I really don't think that the problem is here.

<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">

<Properties>
    <Property name="basePath">..\\logs\\myapp\\</Property>
</Properties>

<Appenders>
    <RollingFile name="fileLogger" fileName="${basePath}myapp.log" filePattern="${basePath}myapp-%d{yyyy-MM-dd}.log">
        <PatternLayout>
            <pattern>[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} %c{10} - %msg%n</pattern>
        </PatternLayout>
        <Policies>
            <TimeBasedTriggeringPolicy interval="1" modulate="true" />
        </Policies>
    </RollingFile>

    <Console name="console" target="SYSTEM_OUT">
        <PatternLayout   pattern="[%-5level] %d{yyyy-MM-dd HH:mm:ss.SSS} %c{10} - %msg%n" />
    </Console>
</Appenders>

<Loggers>
    <Logger name="com.myapp" level="debug" additivity="true">
        <appender-ref ref="fileLogger" level="debug" />
    </Logger>
    <Logger name="org.springframework" level="info" additivity="true">
        <appender-ref ref="fileLogger" level="info" />
    </Logger>
    <!--<Logger name="org.springframework.security" level="debug" additivity="true">
        <appender-ref ref="fileLogger" level="debug" />
    </Logger>-->
    <Logger name="org.thymeleaf" level="info" additivity="true">
        <appender-ref ref="fileLogger" level="info" />
    </Logger>

    <Logger name="org.hibernate" level="debug" additivity="true">
        <appender-ref ref="fileLogger" level="debug" />
    </Logger>

    <Root level="info" additivity="false">
        <appender-ref ref="console" />
    </Root>
</Loggers>
</Configuration>

And the following are the libraries on my war, maybe something is in the way.

antisamy-1.5.3.jar
antlr-2.7.7.jar
aopalliance-1.0.jar
aspectjrt-1.8.4.jar
attoparser-2.0.1.RELEASE.jar
batik-css-1.8.jar
batik-ext-1.8.jar
batik-util-1.8.jar
bridge-method-annotation-1.13.jar
bsh-core-2.0b4.jar
c3p0-0.9.1.1.jar
classmate-1.3.1.jar
codegen-0.6.8.jar
commons-beanutils-core-1.8.3.jar
commons-codec-1.2.jar
commons-collections-3.2.2.jar
commons-configuration-1.10.jar
commons-csv-1.1.jar
commons-fileupload-1.3.1.jar
commons-httpclient-3.1.jar
commons-io-1.3.2.jar
commons-lang-2.6.jar
commons-logging-1.2.jar
dom4j-1.6.1.jar
ecj-4.3.1.jar
esapi-2.1.0.1.jar
fontbox-2.0.4.jar
guava-18.0.jar
hibernate-commons-annotations-4.0.2.Final.jar
hibernate-core-4.2.21.Final.jar
hibernate-entitymanager-4.2.21.Final.jar
hibernate-jpa-2.0-api-1.0.1.Final.jar
hibernate-validator-5.3.2.Final.jar
jackson-annotations-2.6.0.jar
jackson-core-2.6.6.jar
jackson-databind-2.6.6.jar
javassist-3.18.1-GA.jar
javax.el-api-2.2.5.jar
javax.inject-1.jar
jboss-logging-3.3.0.Final.jar
jboss-transaction-api_1.1_spec-1.0.1.Final.jar
jcl-over-slf4j-1.7.10.jar
jsr305-1.3.9.jar
jta-1.1.jar
log4j-api-2.3.jar
log4j-core-2.3.jar
log4j-jcl-2.3.jar
log4j-web-2.3.jar
mysema-commons-lang-0.2.4.jar
nekohtml-1.9.16.jar
ognl-3.1.10.jar
ojdbc7-12.1.0.2.jar
pdfbox-2.0.4.jar
pdfbox-debugger-2.0.4.jar
pdfbox-tools-2.0.4.jar
quartz-2.2.1.jar
quartz-jobs-2.2.1.jar
querydsl-apt-3.6.9.jar
querydsl-codegen-3.6.9.jar
querydsl-core-3.6.9.jar
querydsl-jpa-3.6.9.jar
slf4j-api-1.6.6.jar
spring-aop-4.3.4.RELEASE.jar
spring-beans-4.3.4.RELEASE.jar
spring-context-4.3.4.RELEASE.jar
spring-core-4.3.4.RELEASE.jar
spring-data-commons-1.9.2.RELEASE.jar
spring-data-jpa-1.7.2.RELEASE.jar
spring-data-jpa-datatables-3.0.jar
spring-expression-4.3.4.RELEASE.jar
spring-jdbc-4.3.4.RELEASE.jar
spring-orm-4.3.4.RELEASE.jar
spring-security-config-4.2.0.RELEASE.jar
spring-security-core-4.2.0.RELEASE.jar
spring-security-web-4.2.0.RELEASE.jar
spring-tx-4.3.4.RELEASE.jar
spring-web-4.3.4.RELEASE.jar
spring-webmvc-4.3.4.RELEASE.jar
thymeleaf-3.0.2.RELEASE.jar
thymeleaf-extras-data-attribute-2.0.1.jar
thymeleaf-spring4-3.0.2.RELEASE.jar
unbescape-1.1.4.RELEASE.jar
validation-api-1.1.0.Final.jar
xalan-2.7.0.jar
xercesImpl-2.8.0.jar
xml-apis-1.3.03.jar
xml-apis-ext-1.3.04.jar
xom-1.2.5.jar

Every suggestion is appreciated.

Thank you all, dolfiz

like image 339
Dolfiz Avatar asked Feb 10 '17 10:02

Dolfiz

People also ask

Does spring use Log4j2?

Spring Boot also supports either Log4j or Log4j 2 for logging configuration, but only if one of them is on the classpath. If you are using the starter poms for assembling dependencies that means you have to exclude Logback and then include your chosen version of Log4j instead.

Is Spring affected by Log4j?

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own.

Is Spring Boot starter Log4j2 affected?

Does the Log4J2 vulnerability exist in Spring Boot? Yes! While Spring Boot uses the logback framework by default, it is often configured to use an alternate logging implementation like Log4J2. If you're Spring Boot app is configured to use the Log4J framework, then your application is vulnerable.

2 Answers

I have several Spring applications that log using Log4j 2. The recommended method, as you say is to leave the commons-logging jar in and use log4j-jcl to bridge it to Log4j 2. In that scenario the jcl-over-slf4j jar must not be present. In this case the logging calls will be commons-logging -> log4j-jcl -> log4j-api.

As you have said, the other way is to remove the commons-logging jar and replace it with jcl-over-slf4j. You would then need all the jars you have commented out. In this case the logging calls would be jcl-over-slf4j -> slf4j-api -> log4j-slf4j-impl -> log4j-api.

As you can see the second path is a bit longer.

BTW - Your log4j2 configuration is missing the wrapping <configuration>element.

like image 180
rgoers Avatar answered Oct 17 '22 14:10

rgoers

https://www.slf4j.org/legacy.htmlslf4j legacy

As you can see, you need add jcl-over-slf4j.jar and exclude commons-logging.jar (both has identical file structure inside, check it) After that, include slf4j-api.jar, bridge slf4j-log4j.jar and actual logging implementation - log4j.jar

Check for commons-logging.jar in resulted war file, it shouldn't present.

like image 1
user1516873 Avatar answered Oct 17 '22 16:10

user1516873
Sign in to Comment

Related questions

How to Cache HTTP Requests made with Netflix's Feign library in a Java Spring app
Spring AOP Pointcut with method name starting with get
How to configure a custom source to feed Spring Boot's @ConfigurationProperties
Ways to pass additional data to Custom RevisionEntity in Hibernate Envers?
Maven: non-parseable POM
How to stop a spring boot service from command line?
How to reconnect database if the connection closed in spring jpa?
Spring 5 Reactive fails when extending Flux/implementing Publisher and calling s.onNext() more than once
Moving Spring Boot 1.3 to 1.4, Hibernate 4 to 5, Pascal Case Issues
Documenting byte[] response in Spring Rest Docs
What's the correct way to find all entities ordered by field in Spring Data?
Use cases of methods of QueryByExampleExecutor<T> interface in Spring data JPA
Using Spring RestTemplate in JAX-RS project
Spring mvc - How to map all wrong request mapping to a single method
IE sends empty POST body randomly while using NTLM authentication (using angular to Spring)
Spring MVC - Failed to convert property value of type 'java.lang.String' to required type 'java.lang.Integer'
Querydsl - Exception in thread "main" java.lang.IllegalArgumentException: No sources given
Spring REST how to validate request body in different ways?
Does Spring Data support Elasticsearch 5.x?
Display list of values on JSP using Spring

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!