A Java Geek

Feedback on the Log4J2 hack in Spring Boot

Feedback on the Log4J2 hack in Spring Boot

Nicolas Fränkel's photo
Nicolas Fränkel
·

3 min read

Last week, I wrote a post that described how to hack the Maven dependency resolution system. I admit it was a dirty hack, it's even in the post name.

But I got it wrong. Thanks Stéphane Nicoll for pointing it out:

https://twitter.com/snicoll/status/1338394993162145792

Even though I linked the documentation, I misread it. Here's my mea culpa.

As Stéphane states, you can exclude the default dependency from the parent spring-boot-starter starter:

<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter</artifactId>
  <exclusions>
    <exclusion>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-logging</artifactId>
    </exclusion>
  </exclusions>
</dependency>
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>

Let's check the mvn dependency:tree output:

[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.4.1:compile          // 2
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.4.1:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.3.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.4.1:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.2:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.2:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.27:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.4.1:compile   // 1
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.13.3:compile
[INFO] |  |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO] |  +- org.apache.logging.log4j:log4j-jul:jar:2.13.3:compile
[INFO] |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:2.4.1:compile // 2
[INFO] |  +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.4.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-actuator:jar:2.4.1:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.3:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.3:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.3:compile
[INFO] |  \- io.micrometer:micrometer-core:jar:1.6.2:compile
[INFO] |     +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO] |     \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
  1. The Log4J2 starter is present as expected
  2. None of the starters brings in the SLF4J dependency

Besides that specific point, there are a couple of unrelated lessons:

  1. Remember to check the documentation
  2. Remember to check the documentation once more
  3. Be surrounded by people who are willing to help correct you
  4. Admit when you're wrong
  5. Most importantly, it's less damaging to your pride to ask for feedback before posting than to publish such a fixing post after

To go further:

Originally published at A Java Geek on December 20th 2020

JavaSpringbootlogging