3

I have a Spring Boot 2.6.3 project that uses spring-boot-starter. When I run the dependency:tree goal in Maven, I see that spring-boot-starter-logging depends on both logback and (indirectly) log4j. Why does spring-boot-starter-logging require a dependency on log4j-to-slf4j?


Luciano Fiandesio

1 Answer

3

Spring Boot has bindings for all major logging frameworks. With a single configuration you can concentrate logs sent through SLF4J, Log4j 2.x API or java.util.logging.

Therefore the spring-boot-starter-logging provides:

  • a logging backend (logback-classic), which uses SLF4J as native API,
  • a bridge from the Log4j 2.x API to SLF4J (log4j-to-slf4j). Remark that this is not the standard Log4j 2.x Core implementation.
  • a bridge/handler from java.util.logging to SLF4J (jul-to-slf4j).

Remark that spring-boot-starter-log4j2 does the same thing and redirects the frameworks above to Log4j 2.x Core.

The big absentee in this picture is Jakarta Commons Logging, which is only able to bind to java.util.logging (hence not directly to either Logback or Log4j 2.x Core). However, spring-core depends on spring-jcl, which binds JCL directly to SLF4J or the Log4j 2.x API and can entirely replace the original JCL.

A fifth API (Log4j 1.x) was supported in Spring Boot 1.x.

Piotr P. Karwasz
  • Thanks for your answer. What do you mean by “Remark that this is not the standard Log4j 2.x Core implementation.”? – Luciano Fiandesio Feb 19 '22 at 12:32
  • 2
    `log4j-core` and `log4j-to-slf4j` are two separate implementations of the Log4j 2.x API. The one unfortunately famous is `log4j-core`, while `log4j-to-slf4j` was not vulnerable. – Piotr P. Karwasz Feb 19 '22 at 13:57
  • Found this answer while looking for an explanation why they use log4j-to-slf4j in combination with log4j-api instead of log4j-over-slf4j. Do you happen to know that? – user2543253 Jan 24 '23 at 11:46
  • `log4j-to-slf4j` is a bridge from Log4j 2 API (notice the 2) to SLF4J. `log4j-over-slf4j` is a Log4j 1.x **replacement** that forwards everything to SLF4J. – Piotr P. Karwasz Jan 24 '23 at 12:29
  • So version 1 vs version 2 is the reason. Thank you – user2543253 Jan 24 '23 at 13:30
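To check which of the two Log4j 2.x API implementations discussed above a build actually ships, the text output of `mvn dependency:tree` can be parsed and each hit traced back to the dependency that pulls it in. This is an added example, not code from the answer or from Spring Boot; `parse_tree` and `log4j2_report` are hypothetical names, and the sample tree is constructed.

```python
import re

# The two Log4j 2.x API implementations named in the comments above.
LOG4J2_IMPLS = {"log4j-core", "log4j-to-slf4j"}

# A tree line: optional "[INFO] ", tree-drawing prefix, then group:artifact:type:version[:scope].
LINE = re.compile(r"^(?:\[INFO\] )?(?P<indent>[ |+\\-]*)(?P<gav>[^\s:]+(?::[^\s:]+){3,5})$")

def parse_tree(text):
    """Yield (path, version); path is the artifactId chain from the project root."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # summary and blank lines
        depth = len(m["indent"]) // 3  # the text tree indents three columns per level
        parts = m["gav"].split(":")
        version = parts[-2] if len(parts) >= 5 else parts[-1]  # last field is the scope, if any
        del stack[depth:]
        stack.append(parts[1])
        yield tuple(stack), version

def log4j2_report(text):
    """Return (status, found): which Log4j 2.x API implementations exist and what pulls them in."""
    found = {}
    for path, version in parse_tree(text):
        if path[-1] in LOG4J2_IMPLS:
            found.setdefault(path[-1], {"version": version, "via": list(path[:-1])})
    if set(found) == LOG4J2_IMPLS:
        status = "both log4j-core and log4j-to-slf4j present"
    elif "log4j-core" in found:
        status = "log4j-core present"
    elif "log4j-to-slf4j" in found:
        status = "bridged to SLF4J, log4j-core absent"
    else:
        status = "no Log4j 2.x API implementation"
    return status, found

# Constructed sample output (project name and versions are illustrative).
SAMPLE = r"""
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter:jar:2.6.3:compile
[INFO]    +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.3:compile
[INFO]    |  +- ch.qos.logback:logback-classic:jar:1.2.10:compile
[INFO]    |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.1:compile
[INFO]    |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO]    |  \- org.slf4j:jul-to-slf4j:jar:1.7.33:compile
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    print(log4j2_report(SAMPLE))
```

The `via` list gives the chain of artifacts from the project root down to the one that declares the dependency, which is what you need to decide where an exclusion or version override belongs.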