JDK11升级后log4j2 RollingFileAppender抛出java.io.FilePermission错误
[英]After JDK11 upgrade, log4j2 RollingFileAppender throws java.io.FilePermission error
问题描述
After upgrading from JDK8 to JDK11, we are getting the following message when starting tomcat:
从 JDK8 升级到 JDK11 后,我们在启动 tomcat 时收到以下消息:
ERROR Could not create plugin of type class
org.apache.logging.log4j.core.appender.RollingFileAppender
for element RollingFile: java.security.AccessControlException:
access denied ("java.io.FilePermission" "/zdata/svrgrp/logs/qam1" "read")
java.security.AccessControlException: access denied ("java.io.FilePermission"
"/zdata/svrgrp/logs/qam1" "read")
Java has no problems writing other files to that directory; Java 将其他文件写入该目录没有问题; for example, we have a -outfile /zdata/tomcat/qam1/logs/catalina.out in the command line and we see output being written there.例如,我们在命令行中有一个 -outfile /zdata/tomcat/qam1/logs/catalina.out,我们看到 output 被写在那里。
But the most puzzling thing is that this worked just fine when we were running this on JDK8 using the exact same catalina policy.但最令人费解的是,当我们使用完全相同的 catalina 策略在 JDK8 上运行它时,它运行得很好。
Is there some fundamental change in the way JDK11 uses log4j that could explain this behavior? JDK11 使用 log4j 的方式是否有一些根本性的变化可以解释这种行为?
Our log4j configuration xml is below.我们的 log4j 配置 xml 如下。 sys:applogdir is defined as /zdata/svrgrp/logs/qam1: sys:applogdir 定义为 /zdata/svrgrp/logs/qam1:
<?xml version="1.0" encoding="UTF-8" ?>
<Configuration>
<Appenders>
<RollingFile
name="default.file"
fileName="${sys:applogdir}/myapp.log"
filePattern="${sys:applogdir}/myapp.log.%d{yyyy-MM-dd}">
<PatternLayout>
<Pattern>%d %-5p [%t]:${sys:bi.tomcat.instanceName} (%F:%L) - %m%n</Pattern>
</PatternLayout>
<TimeBasedTriggeringPolicy/>
</RollingFile>
<Loggers>
<Root level="debug">
<AppenderRef ref="default.file"/>
</Root>
</Loggers>
</Configuration>
Has anyone else experienced this behavior upgrading from JDK8 to JDK11?有没有其他人经历过从 JDK8 升级到 JDK11 的这种行为? Any thoughts on what might have changed?对可能发生的变化有任何想法吗?
1 个解决方案
解决方案1
0 2022-08-26 18:15:12
UPDATED更新
Starting with JDK9, java.io.FilePermission stopped canonicalizing pathnames by default.从 JDK9 开始,java.io.FilePermission 默认停止规范化路径名。 This means that symlinks will no longer be followed.这意味着将不再遵循符号链接。
In our environment, "/zdata/svrgrp/logs/qam1" is a symlink to a location on another file system.在我们的环境中,“/zdata/svrgrp/logs/qam1”是指向另一个文件系统上某个位置的符号链接。 So java.io.FilePermission would not follow that symlink, causing the "access denied" errors to appear.因此 java.io.FilePermission 不会遵循该符号链接,从而导致出现“拒绝访问”错误。
You can tell java.io to revert to its old behavior by setting the permissionsUseCanonicalPath property to True.您可以通过将 permissionsUseCanonicalPath 属性设置为 True 来告诉 java.io 恢复到其旧行为。 So I added this to our startup script:所以我将它添加到我们的启动脚本中:
-Djdk.io.permissionsUseCanonicalPath=true
And everything started working.一切都开始起作用了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.