stackoom
  简体   繁体   中英

After JDK11 upgrade, log4j2 RollingFileAppender throws java.io.FilePermission error

 原文  2022-08-26 13:51:48       java/ spring-boot/ log4j2/ tomcat8/ java-11

Question

After upgrading from JDK8 to JDK11, we are getting the following message when starting tomcat:

     ERROR Could not create plugin of type class 
     org.apache.logging.log4j.core.appender.RollingFileAppender
     for element RollingFile: java.security.AccessControlException:
     access denied ("java.io.FilePermission" "/zdata/svrgrp/logs/qam1" "read")
     java.security.AccessControlException: access denied ("java.io.FilePermission"
     "/zdata/svrgrp/logs/qam1" "read")

Java has no problems writing other files to that directory; for example, we have a -outfile /zdata/tomcat/qam1/logs/catalina.out in the command line and we see output being written there.

But the most puzzling thing is that this worked just fine when we were running this on JDK8 using the exact same catalina policy.

Is there some fundamental change in the way JDK11 uses log4j that could explain this behavior?

Our log4j configuration xml is below. sys:applogdir is defined as /zdata/svrgrp/logs/qam1: 

<?xml version="1.0" encoding="UTF-8" ?>
<Configuration>
  <Appenders>
    <RollingFile
      name="default.file"
      fileName="${sys:applogdir}/myapp.log"
      filePattern="${sys:applogdir}/myapp.log.%d{yyyy-MM-dd}">
      <PatternLayout>
        <Pattern>%d %-5p [%t]:${sys:bi.tomcat.instanceName} (%F:%L) - %m%n</Pattern>
      </PatternLayout>
      <TimeBasedTriggeringPolicy/>
    </RollingFile>

  <Loggers>
    <Root level="debug">
      <AppenderRef ref="default.file"/>
    </Root>
  </Loggers>

</Configuration>

Has anyone else experienced this behavior upgrading from JDK8 to JDK11? Any thoughts on what might have changed?

1 answers

solution1
 0  2022-08-26 18:15:12

UPDATED

Starting with JDK9, java.io.FilePermission stopped canonicalizing pathnames by default. This means that symlinks will no longer be followed.

In our environment, "/zdata/svrgrp/logs/qam1" is a symlink to a location on another file system. So java.io.FilePermission would not follow that symlink, causing the "access denied" errors to appear.

You can tell java.io to revert to its old behavior by setting the permissionsUseCanonicalPath property to True. So I added this to our startup script:

-Djdk.io.permissionsUseCanonicalPath=true

And everything started working.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to resolve java.io.FilePermission error? log4j2 RollingFileAppender CronTriggeringPolicy throws NoSuchFileException access denied (“java.io.FilePermission” “execute”) java.io.FilePermission - access denied Applet java.io.FilePermission exception access denied (“java.io.FilePermission”) Initiate Log4j2 RollingFileAppender in Java Java RMI Tutorial - AccessControlException: access denied (java.io.FilePermission java.security.AccessControlException: Access denied (java.io.FilePermission Signed Java Applet access denied java.io.FilePermission read
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM