Why can't untrusted code change the log level under Java Logging?

Question

I'm have a Java app that also runs as an applet. The app also happens to use a library called BasicPlayer to play .ogg files. BasicPlayer has a built-in logger that uses Apache Logging Commons to create a logger for BasicPlayer.class using the built-in Java logger. The only way that I know about to turn off the BasicPlayer logging is to run this code:

Logger.getLogger(BasicPlayer.class.getName()).setLevel(Level.OFF);

This works fine when running as a regular app. However, when running as an applet, this code will throw a SecurityException because for some reason applets can't change the log level of non-anonymous loggers (see here for a sorta-explanation).

Why would they do this? Who cares if an applet changes the log level?

Answer 1

Why would they do this? Who cares if an applet changes the log level?

Well, for a start, other stuff running in the host JVM may be using Apache logging to keep an audit trail of what the applet is doing. If an applet can change the logging level, it can turn off auditing.

The other thing to point out is that BasicPlayer is open source, so you also have the option of modifying the source it to disable logging and rebuilding.