Bug#461355: Confirmed in upstream.

Michael Koch konqueror at gmx.de
Sun Jan 27 22:52:01 UTC 2008


On Sun, Jan 20, 2008 at 06:09:40PM -0800, Alexander Hvostov wrote:
> This bug is indeed in the upstream code.
> 
> I wrote a very simple JSP and put it in the ROOT webapp that comes with 
> Tomcat. The JSP says:
> 
> ----BEGIN----
> <%@page session="false" %>
> <% java.util.logging.Logger.getAnonymousLogger().info("Hello, world!"); %>
> -----END-----
> 
> The resulting exception:
> 
> ----BEGIN----
> java.security.AccessControlException: access denied 
> (java.io.FilePermission /home/users/alex/tomcat-5.5-svn-test/tomcat-5.5-build/webapps/ROOT/WEB-INF/classes/logging.properties 
> read)
> 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
> java.security.AccessController.checkPermission(AccessController.java:546)
> java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> java.lang.SecurityManager.checkRead(SecurityManager.java:871)
> java.io.File.exists(File.java:731)
> org.apache.naming.resources.FileDirContext.file(FileDirContext.java:828)
> org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:211)
> org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:294)
> org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:1925)
> org.apache.catalina.loader.WebappClassLoader.findResource(WebappClassLoader.java:937)
> org.apache.juli.ClassLoaderLogManager.readConfiguration(ClassLoaderLogManager.java:298)
> org.apache.juli.ClassLoaderLogManager$2.run(ClassLoaderLogManager.java:273)
> java.security.AccessController.doPrivileged(Native Method)
> org.apache.juli.ClassLoaderLogManager.getClassLoaderInfo(ClassLoaderLogManager.java:270)
> org.apache.juli.ClassLoaderLogManager.getLogger(ClassLoaderLogManager.java:175)
> java.util.logging.Logger.getAnonymousLogger(Logger.java:359)
> org.apache.jsp.testlog_jsp._jspService(testlog_jsp.java:41)
> org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
> org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
> org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> java.lang.reflect.Method.invoke(Method.java:597)
> org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
> java.security.AccessController.doPrivileged(Native Method)
> javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
> org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
> -----END-----
> 
> Note that, on 
> http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html in 
> the "Tomcat Custom Permissions" section, a FilePermission is dynamically 
> granted to webapps to read their own files. A similar FilePermission 
> needs to be (but isn't) granted to JULI to read logging.properties.

Can you please file this bug upstream and report here so we can track
it? That would help a lot.

Thanks in advance.


Cheers.
Michael
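
A policy-file sketch of the grant the quoted report says is missing, added here as an illustration and not taken from Tomcat's or Debian's shipped policy. It follows the report's diagnosis that JULI's code lacks the permission, and assumes JULI is loaded from `${catalina.home}/bin/tomcat-juli.jar` and that the policy file is `conf/catalina.policy`; the ROOT webapp path mirrors the one in the stack trace.

```conf
// conf/catalina.policy (assumed location of the active policy file)

// Assumption: tomcat-juli.jar is installed under ${catalina.home}/bin.
// Point the codeBase at the jar's real location on the system in question.
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    // ClassLoaderLogManager.readConfiguration() looks up the webapp's own
    // logging.properties. File.exists() calls checkRead() even when the
    // file is absent, so the lookup fails without this permission.
    // Read-only, one exact file; add one such line per webapp as needed.
    permission java.io.FilePermission
        "${catalina.base}${/}webapps${/}ROOT${/}WEB-INF${/}classes${/}logging.properties",
        "read";
};

// Keep the grant this narrow. A target of "<<ALL FILES>>" or
// "${catalina.base}${/}-" would let the logging code read every file the
// Tomcat user can read, which defeats the point of running under a
// security manager.
```

With per-webapp logging configuration readable by JULI, the contents of each `logging.properties` (handler classes, output paths) become part of what has to be reviewed before a webapp is deployed.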




