users@glassfish.java.net

Re: Logging Question

From: <glassfish_at_javadesktop.org>
Date: Thu, 31 May 2007 13:14:43 PDT

I looked into this a wee bit more.

Turns out the LogManager used in the Appserver is a single, global LogManager, shared by, apparently, everything.

The ramifications of this, at a glance, are that if you want to assign a different Handler to the Glassfish logs, you could do so.

It also means that if you have libraries deployed in two separate application contexts, for example, two different WARs, they would share the same Loggers. So, if you change the logging level in one application for a Logger, that logging level would affect any other application in the server using that same Logger.

I do not know if this is affected by the Security Manager (assuming it's turned off, which by default it is not).

From a security point of view, it seems possible to iterate across all of the installed Loggers in the LogManager, add your own Handler to them, and change the logging level, thus being able to harvest any log information that may come out of the system.

This could be particularly dangerous if artifacts such as passwords are logged for, say, debugging purposes.
[Message sent by forum member 'whartung' (whartung)]

http://forums.java.net/jive/thread.jspa?messageID=219797
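
An audit for the condition described in the post above, added here as an example and not part of the original message or of GlassFish: it walks the JVM-wide LogManager and reports handlers outside an expected set and loggers set below an expected level. The class name `LoggerAudit`, the `EXPECTED` allowlist, the logger name `com.example.shared` and the `INFO` floor are assumptions made for illustration.

```java
import java.util.*;
import java.util.logging.*;

public class LoggerAudit {
    // Assumption: the handler classes the operator configured; adjust per deployment.
    static final Set<String> EXPECTED = new HashSet<>(Arrays.asList(
        "java.util.logging.ConsoleHandler", "java.util.logging.FileHandler"));

    /** One finding per unexpected handler or per level set below the given floor. */
    static List<String> audit(LogManager lm, Level floor) {
        List<String> findings = new ArrayList<>();
        for (String name : Collections.list(lm.getLoggerNames())) {
            Logger logger = lm.getLogger(name);
            if (logger == null) continue; // collected since the names were enumerated
            for (Handler h : logger.getHandlers()) {
                String cls = h.getClass().getName();
                if (!EXPECTED.contains(cls))
                    findings.add("unexpected handler " + cls + " on '" + name + "'");
            }
            Level lvl = logger.getLevel(); // null means inherited from the parent
            if (lvl != null && lvl.intValue() < floor.intValue())
                findings.add("level " + lvl + " on '" + name + "' is below " + floor);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed scenario: two "applications" look up the same logger name
        // and receive the same instance from the shared LogManager.
        Logger appA = Logger.getLogger("com.example.shared");
        Logger appB = Logger.getLogger("com.example.shared");
        System.out.println("same instance: " + (appA == appB));

        // A change made through one reference is visible through the other.
        appA.setLevel(Level.FINEST);
        appA.addHandler(new MemoryHandler(new ConsoleHandler(), 100, Level.OFF));
        System.out.println("level seen by B: " + appB.getLevel());

        // The audit flags both the lowered level and the extra handler.
        for (String finding : audit(LogManager.getLogManager(), Level.INFO))
            System.out.println(finding);
    }
}
```

When a security manager is installed, `Logger.setLevel` and `Logger.addHandler` on a named logger throw `SecurityException` unless the caller holds `LoggingPermission("control")`.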