#1367 change log4j-1.2.17 to log4j-2.17.1

[jacol84]

Pull Request Checklist

• Have you read How to write the perfect pull request?
• Have you read through the contributor guidelines?
• Have you referenced any issues you're fixing using commit message keywords?
• Have you updated the documentation?
• Have you added tests for any changed functionality?

Helpful things

Migrating from Log4j 1.x to 2.x

Fixes

Fixes #1367

Purpose

proposal to fix bugs and vulnerabilities in the code
CVE-2021-4104
CVE-2019-17571

Background Context

a good step on update of libraries

TODO: discover if there is another path -Dlog4j2.configurationFile=$path$ or if there is any of: log4j2.xml, log4j2.properties, json, yaml, .... files in resources than log4j will be automatically configured, so Play can simply use this configuration. link

References

log4j2

[asolntsev]

Technically, the PR is good.
But are you sure log4j2 is better than alternatives? I know many people prefer "Logback" nowadays.

[jacol84]

may need to give users a choice
use SL4J and add add dependecy.yaml

[xabolcs]

But are you sure log4j2 is better than alternatives? I know many people prefer "Logback" nowadays.

+1 for Logback!

Logback Project

Logback is intended as a successor to the popular log4j project, picking up where log4j 1.x leaves off.
Logback's architecture is quite generic so as to apply under different circumstances. At present time, logback is divided into three modules, logback-core, logback-classic and logback-access.

The logback-core module lays the groundwork for the other two modules. The logback-classic module can be assimilated to a significantly improved version of log4j 1.x. Moreover, logback-classic natively implements the SLF4J API so that you can readily switch back and forth between logback and other logging frameworks such as log4j 1.x or java.util.logging (JUL).

The logback-access module integrates with Servlet containers, such as Tomcat and Jetty, to provide HTTP-access log functionality. Note that you could easily build your own module on top of logback-core.

[jacol84]

add link to Migrating from Log4j 1.x to 2.x

[jacol84]

I think "PLAY" was using log4j so this is upgrading the library to the latest version - better for sure than staying in the old version
@asolntsev
and the best solution would be to choose which logger you want to use
if you want to use log4j2 or logback your selections should add deps

[xael-fry]

@jacol84 xan you rebase it to master to avoid conflict? Thanks

[jacol84]

I did a rebase
dw @xael-fry
now has wrninng netty-3.10.6.Final.ja
WARNING: An illegal reflective access operation has occurred WARNING: Illegal reflective access by org.jboss.netty.util.internal.ByteBufferUtil (file:/S:/praca/play/git/play1MY/framework/lib/netty-3.10.6.Final.jar) to method java.nio.DirectByteBuffer.cleaner() WARNING: Please consider reporting this to the maintainers of org.jboss.netty.util.internal.ByteBufferUtil WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations WARNING: All illegal access operations will be denied in a future release 2022-02-02 09:49:21,946 [play-thread-1] INFO play - Application 'xxx' is now started !

[jacol84]

@xael-fry
I change "github workflow" to correctly with documentation -- > change folder how run ant
I fixed the test i-am-a-developer (last time I missed it)