What is the most secure logging framework for a Web application using existing libraries?


I need to decide on a logging framework for a new web application running in containers (Tomcat, JBoss...). This application references Java libraries using different logging frameworks.

My reading indicates that some logging frameworks do not work well in containers because of classloader issues. I am also reading that this is not an issue anymore. The situation is confusing. What is the status?

It seems like using SLF4J and redirecting to Log4J + using bridges to SLF4J for referenced Java libraries (when necessary) is the safe solution.

Which logging framework should I use for my web application and remain on the safe side?

After digging deeper into the subject, I can conclude the following:

  1. The classloader issues are mostly reported around the Jakarta Commons Logging (JCL) interface.
  2. In order to tackle the multiple logging frameworks used in different Java libraries, a logging interface such as SLF4J or JCL is necessary.
  3. SLF4J is a safe solution for web applications running in containers. It is preferable to accessing the logger provided by the container with regard to portability.

I have summarized my findings in a blog post.
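
The setup described in the question (code against SLF4J, bridge JCL-based libraries to it, route everything to Log4J) could be declared as follows; this is an added example, not part of the original post. It assumes a Maven build and the Log4j 2 binding for SLF4J 1.7.x; `com.example:legacy-lib` is a hypothetical library and the `${...}` versions are placeholders to define in `<properties>`.

```xml
<dependencies>
  <!-- Application code logs against the SLF4J API only -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>${slf4j.version}</version>
  </dependency>

  <!-- Bridge: re-implements the JCL API on top of SLF4J, so libraries
       written against commons-logging end up in the same backend -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>jcl-over-slf4j</artifactId>
    <version>${slf4j.version}</version>
  </dependency>

  <!-- Backend binding (assumption): SLF4J 1.7.x routed to Log4j 2 -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
    <scope>runtime</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
    <scope>runtime</scope>
  </dependency>

  <!-- Hypothetical third-party library that pulls in commons-logging.
       The real JCL jar is excluded so that only the bridge above is on
       the web application's classpath and JCL's classloader-based
       discovery never runs. -->
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>legacy-lib</artifactId>
    <version>${legacy-lib.version}</version>
    <exclusions>
      <exclusion>
        <groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Running `mvn dependency:tree` afterwards shows whether any other dependency still brings in `commons-logging` transitively and needs the same exclusion.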