Feedback on the Log4J2 hack in Spring Boot

Last week, I wrote a post that described how to hack the Maven dependency resolution system. I admit it was a dirty hack, it’s even in the post name.

But I got it wrong. Thanks Stéphane Nicoll for pointing it out:

Even though I linked the documentation, I misread it. Here’s my mea culpa.

As Stéphane states, you can exclude the default dependency from the parent spring-boot-starter starter:


Let’s check the mvn dependency:tree output:

[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.4.1:compile          (2)
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.4.1:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.3.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.4.1:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.2:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.2:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.27:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.4.1:compile   (1)
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.13.3:compile
[INFO] |  |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO] |  +- org.apache.logging.log4j:log4j-jul:jar:2.13.3:compile
[INFO] |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:2.4.1:compile (2)
[INFO] |  +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.4.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-actuator:jar:2.4.1:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.3:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.3:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.3:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.3:compile
[INFO] |  \- io.micrometer:micrometer-core:jar:1.6.2:compile
[INFO] |     +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO] |     \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
1 The Log4J2 starter is present as expected
2 None of the starters brings in the SLF4J dependency

Besides that specific point, there are a couple of unrelated lessons:

  1. Remember to check the documentation
  2. Remember to check the documentation once more
  3. Be surrounded by people who are willing to help correct you
  4. Admit when you’re wrong
  5. Most importantly, it’s less damaging to your pride to ask for feedback before posting than to publish such a fixing post after
Nicolas Fränkel

Nicolas Fränkel

Developer Advocate with 15+ years experience consulting for many different customers, in a wide range of contexts (such as telecoms, banking, insurances, large retail and public sector). Usually working on Java/Java EE and Spring technologies, but with focused interests like Rich Internet Applications, Testing, CI/CD and DevOps. Also double as a trainer and triples as a book author.

Read More
Feedback on the Log4J2 hack in Spring Boot
Share this