Choosing the Right Version of Apache Logging
I have dependencies on several Apache TLPs (top level projects) such as Apache Axis, Commons HttpClient, Commons DBCP, Commons Transaction, etc.
Each of these projects has a dependency on JCL (Commons Logging) and each project depends on a different version of the JCL.
Which JCL version should I choose - would the highest version be the best choice? Will higher JCL versions be compatible with projects that were compiled against a lower version (some of the projects were compiled against 1.0.x JCL, while others were compiled against 1.1.x)? Does the JCL project itself convey this information?
+2
source to share
1 answer
RELEASE-NOTES version 1.1.1 say the following:
== Incompatibilities ==
The protected method LogFactory.getContextClassLoader has been reverted to pre-1.1
behaviour. In earlier releases, this method did not use an AccessController when
obtaining the context classloader. In version 1.1 it did. In this release, it has
reverted to not using an AccessController; any user-level code that needs to obtain
a context classloader should itself create an AccessController, and call the
LogFactory.getContextClassLoader method via the doPrivileged method. This fixes a
potential security issue, where untrusted code could get access to the context
classloader if a signed Commons Logging library was in the classpath.
This sounds very specific to me. I would try the newer version (1.1.1) and see if there are any problems.
+2
source to share