Ido Tzang (Migrated from SEC-1458) said:
Although the first listener in my web.xml is the Log4jConfigListener. the log4j configuration happens before getting there.
It happens because I also have HttpSessionEventPublisher listener that has a static Log, when the static Log is initialized it causes the log4j default configuration.
The problem is that some loggers from the default configuration are still alive even after the Log4jConfigListener is called.
Changing the Log to not being static should solve the issue.
Ido Tzang said:
Actually, after testing further, making the field an instance field rather than static does not solve the problem - it appears as if Tomcat instantiates all listener objects before calling them.
we ended up changing Log4jConfigListener to call shutdownLogging before initLogging, to clear the Log4j configuration.
Not sure if this is a Spring Security issue...
Luke Taylor said:
I think this is essentially the same problem as reported in SPR-5977. I've removed the logger field from HttpSessionEventPublisher. The logger reference is now obtained in each method before using it.