Install of CAS 6.4.4.2 includes log4j-jul-2.14.1.jar and log4j-jul-2.17.0.jar


Rod B

Jan 7, 2022, 2:01:23 PM
to CAS Community
Hi,

In test I downloaded the CAS Overlay for 6.4.4.2 here:
https://github.com/apereo/cas-overlay-template/archive/6.4.zip

We have a very basic install and I built the cas.war file.

When I look at .../cas/WEB-INF/lib I notice there are two log4j-jul files:
log4j-jul-2.14.1.jar
log4j-jul-2.17.0.jar

I've tried to exclude the old file in the build.gradle file:

    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${project.'cas.version'}@war"
            provided = false
            excludes = ["WEB-INF/lib/servlet-api-2*.jar"]
            excludes = ["WEB-INF/lib/log4j-jul-2.14.1.jar"]
        }
    }

But the file remains.

Fortunately it doesn't seem to be causing a problem, but I've experienced issues when there are duplicate jar files of different versions. Specifically log4j2 files.

Is this something that can be fixed in the upstream?

Also, is log4j2 going to be upgraded to 2.17.1 soon, or do we need to use the remediation steps referenced in this thread:

Many thanks!

Rod

Rod

Jan 7, 2022, 2:35:55 PM
to CAS Community
If it's of any value to someone using CAS overlay 6.4.4.2, this is how the changes all look:
gradle.properties:

log4j2.version=2.17.1

build.gradle:

dependencies {
    ...

    // Log4j2 version 2.17.1 patch
    implementation "org.apache.logging.log4j:log4j-api:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-core:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-jcl:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-jul:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-layout-template-json:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-slf4j18-impl:${project.'log4j2.version'}"
    implementation "org.apache.logging.log4j:log4j-web:${project.'log4j2.version'}"

    ...
}

...

    overlays {
        cas {
            ...
            excludes = ["WEB-INF/lib/log4j-*-2.17.0.jar"]
            ...
        }
    }


Cheers,

Rod


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG

Rod

Jan 7, 2022, 2:35:56 PM
to CAS Community
I did the patch remediation and the older file is now gone and we're at log4j version 2.17.1

So, thank you community for all of your help!

Rod

Jeffrey Ramsay

Jan 7, 2022, 11:29:38 PM
to CAS Community
Try this:

bootWar {
    entryCompression = ZipEntryCompression.STORED
    overlays {
        cas {
            from "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}@war"
            provided = false
            excludes = ["WEB-INF/lib/log4j*2.12.*.jar","WEB-INF/lib/log4j*2.13.*.jar"]
        }
    }
}

-Jeff

Rod

Jan 8, 2022, 12:51:33 AM
to CAS Community
Thanks for your reply, Jeffrey!

I got it all sorted.

I really appreciate this community!

Best Regards,

Rod
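
Added example, not part of any post in this thread and not CAS project code: a post-build check that lists the log4j jars under WEB-INF/lib of a WAR and reports any artifact shipped in more than one version or below 2.17.1. The function names and the sample jar lists are assumptions constructed for illustration; point `audit` at the path of your built cas.war to check a real build.

```python
import io
import re
import zipfile
from collections import defaultdict

# e.g. WEB-INF/lib/log4j-jul-2.14.1.jar -> ("log4j-jul", "2.14.1")
LOG4J_JAR = re.compile(r"^WEB-INF/lib/(log4j-[a-z0-9-]+?)-(\d+(?:\.\d+)+)\.jar$")

def as_tuple(version):
    """Turn "2.17.1" into (2, 17, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def log4j_versions(war):
    """Map each log4j artifact bundled in the WAR to the set of versions present."""
    found = defaultdict(set)
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            match = LOG4J_JAR.match(name)
            if match:
                found[match.group(1)].add(match.group(2))
    return dict(found)

def audit(war, minimum="2.17.1"):
    """Return (duplicates, outdated) for the log4j jars in a WAR path or file object."""
    floor = as_tuple(minimum)
    duplicates, outdated = {}, {}
    for artifact, versions in log4j_versions(war).items():
        if len(versions) > 1:
            duplicates[artifact] = sorted(versions, key=as_tuple)
        old = sorted((v for v in versions if as_tuple(v) < floor), key=as_tuple)
        if old:
            outdated[artifact] = old
    return duplicates, outdated

def make_war(jar_names):
    """Build a constructed in-memory WAR holding empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf

# Constructed sample: a lib directory with the duplicate described in the first post.
BEFORE = ["log4j-jul-2.14.1.jar", "log4j-jul-2.17.0.jar",
          "log4j-core-2.17.0.jar", "example-lib-1.0.jar"]
# Constructed sample: a lib directory after the 2.17.1 override and exclude.
AFTER = ["log4j-jul-2.17.1.jar", "log4j-core-2.17.1.jar", "log4j-slf4j18-impl-2.17.1.jar"]

if __name__ == "__main__":
    for label, jars in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(make_war(jars)))
```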
