From 39b0d64d6e4c72b41eb08bebcf24f2ca861574ec Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Wed, 15 Dec 2021 16:02:07 +0100
Subject: [PATCH 2/2] Disable JNDI by default

JNDI, which is used by JMS appender, has significant security issues.
It is safer for users to disable JMS appender by default,
especially since the large majority are unlikely to be using it.
Those who are will need to explicitly enable it, for example:

    log4j.appender.jms=org.apache.log4j.net.JMSAppender
    log4j.appender.jms.Enabled=true

This is a similar approach to the one implemented in Log4J 2:
https://issues.apache.org/jira/browse/LOG4J2-3208
---
 .../java/org/apache/log4j/net/JMSAppender.java    | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/main/java/org/apache/log4j/net/JMSAppender.java b/src/main/java/org/apache/log4j/net/JMSAppender.java
index 3482702d..564da0c5 100644
--- a/src/main/java/org/apache/log4j/net/JMSAppender.java
+++ b/src/main/java/org/apache/log4j/net/JMSAppender.java
@@ -101,6 +101,7 @@ import java.util.Properties;
    @author Ceki G&uuml;lc&uuml; */
 public class JMSAppender extends AppenderSkeleton {
 
+  boolean enabled;
   String securityPrincipalName;
   String securityCredentials;
   String initialContextFactoryName;
@@ -120,6 +121,16 @@ public class JMSAppender extends AppenderSkeleton {
   JMSAppender() {
   }
 
+  public
+  void setEnabled(boolean enabled) {
+    this.enabled = enabled;
+  }
+
+  public
+  boolean getEnabled() {
+    return enabled;
+  }
+
   /**
      The <b>TopicConnectionFactoryBindingName</b> option takes a
      string value. Its value will be used to lookup the appropriate
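Review bot: setEnabled() and getEnabled() are added without Javadoc, while the option that follows in this hunk (TopicConnectionFactoryBindingName) has a Javadoc block, so the one security-relevant switch is the undocumented one. I would add above setEnabled: `/** The <b>Enabled</b> option takes a boolean value. It defaults to false, and activateOptions() refuses to run until it is set to true. */`. Repeating the reason from the commit message there (this appender uses JNDI) would help whoever hits the exception and goes looking for the property.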
@@ -170,6 +181,10 @@ public class JMSAppender extends AppenderSkeleton {
    *  Options are activated and become effective only after calling
    *  this method.*/
   public void activateOptions() {
+    if (!enabled) {
+      throw new IllegalStateException("JMS appender is disabled by default and must be enabled by setting Enabled=true property of the appender");
+    }
+
     TopicConnectionFactory  topicConnectionFactory;
 
     try {
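Review bot: The new guard at the top of activateOptions() fails closed, but it does so with an unchecked IllegalStateException, which may propagate out of whichever configurator calls activateOptions(). That caller is not visible in this patch, so confirm that an existing configuration containing a JMS appender degrades to "appender inactive" rather than aborting logging setup for the whole application. If it is the latter, reporting through the appender's error handler and returning keeps the same default-off behaviour, for example `if (!enabled) { errorHandler.error("JMS appender is disabled by default ..."); return; }`, assuming the inherited `errorHandler` field is what the rest of this class already uses. The body of activateOptions() continues outside the hunk, so also check that no other method reaches a JNDI lookup without passing this guard.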
-- 
2.33.1