Bug#461355: tomcat5.5: More restrictive JULI permissions break java.util.logging.
Michael Koch
konqueror at gmx.de
Sat Jan 19 22:02:23 UTC 2008
On Fri, Jan 18, 2008 at 12:44:11PM -0800, Alexander Hvostov wrote:
> On Thursday 17 January 2008, Marcus Better wrote:
> > Yes, see #460839 where we deal with this for the tomcat5.5-webapps.
> >
> > The stricter permissions are part of a tightened security policy. I
> > think our options are:
> > (i) Change JULI not to look for the logging.properties in those places
> > unless specifically configured to do it,
> > (ii) Give blanket permission for JULI to look up logging.properties
> > files in all webapps (possibly circumventing the security fix),
> > (iii) Leave as is and let users add the necessary permissions.
>
> It could just catch the SecurityException while looking for
> logging.properties and pretend that the file doesn't exist, possibly
> after logging a message saying so.
Yes that would be the most nicest as opening permission per default
without need can open a security leak.
I looked at the offending code in
connectors/juli/src/java/org/apache/juli/ClassLoaderLogManager.java and
it looked not as simple as it should.
Somebody an idea for this?
Cheers,
Michael
More information about the pkg-java-maintainers
mailing list