Bug#461355: tomcat5.5: More restrictive JULI permissions break java.util.logging.

Michael Koch konqueror at gmx.de
Sun Jan 20 08:29:40 UTC 2008


On Sat, Jan 19, 2008 at 11:46:47PM -0800, Alexander Hvostov wrote:
> On Saturday 19 January 2008, Marcus Better wrote:
> > If the user creates that file then the security exception still gets
> > thrown, so it would be very confusing to pretend the file doesn't
> > exist. I'm not too happy about this idea.
> 
> In that case, we would need to grant FilePermission to read the 
> logging.properties file in the appropriate place in each Web application 
> directory.
> 
> To do this automatically, Tomcat would most likely have to provide a 
> custom java.security.Policy implementation that, in addition to granting 
> permissions defined by the configured security policy, also grants read 
> access to each webapp's own logging.properties file.

Upstream has this in catalina.properties (in SVN, not yet released).

        // To enable per context logging configuration, permit read access to the appropriate file.
        // Be sure that the logging configuration is secure before enabling such access
        // eg for the examples web application:
        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";

> I'm afraid this is a far bigger project than I'm willing to take on, but 
> perhaps someone among the Apache folks will do it, so why not forward 
> this bug upstream?

Is this really a bug upstream? We should not report bugs there that
do not exist there. Can someone build upstream SVN and test that a bit?


Cheers,
Michael
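
An added example, not code from this thread or from Tomcat: a java.security.Policy wrapper of the kind described in the quoted message, which delegates to the configured policy and additionally lets the JULI jar read each webapp's WEB-INF/classes/logging.properties. The class name, the constructor parameters and the way the JULI jar location is supplied are assumptions, as is a Java 7 or later JVM running with a security manager.

```java
import java.io.FilePermission;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;

// Hypothetical class, not part of Tomcat. Install once at startup with
// Policy.setPolicy(new WebappLoggingPolicy(Policy.getPolicy(), juliUrl, webappsDir)).
public class WebappLoggingPolicy extends Policy {
    private final Policy configured;   // policy loaded from the policy file
    private final String juliLocation; // code source URL of the JULI jar (assumed known to the caller)
    private final Path webappsDir;     // absolute, normalized webapps directory

    public WebappLoggingPolicy(Policy configured, String juliLocation, Path webappsDir) {
        this.configured = configured;
        this.juliLocation = juliLocation;
        this.webappsDir = webappsDir.toAbsolutePath().normalize();
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission perm) {
        // The extra grant applies to the logging code only, never to webapp code.
        return configured.implies(domain, perm) || (isJuli(domain) && isWebappLoggingRead(perm));
    }

    @Override public PermissionCollection getPermissions(CodeSource cs) { return configured.getPermissions(cs); }
    @Override public PermissionCollection getPermissions(ProtectionDomain d) { return configured.getPermissions(d); }
    @Override public void refresh() { configured.refresh(); }

    private boolean isJuli(ProtectionDomain d) { // string compare: URL.equals() may resolve host names
        CodeSource cs = d == null ? null : d.getCodeSource();
        return cs != null && cs.getLocation() != null && juliLocation.equals(cs.getLocation().toString());
    }

    // Lexical check only (file I/O here would re-enter the security manager):
    // <webappsDir>/<one name>/WEB-INF/classes/logging.properties, action exactly "read".
    private boolean isWebappLoggingRead(Permission perm) {
        if (!(perm instanceof FilePermission) || !"read".equals(perm.getActions())) return false;
        try {
            Path p = Paths.get(perm.getName()).normalize(); // collapses "..", rejects malformed names
            return p.startsWith(webappsDir) && webappsDir.relativize(p).getNameCount() == 4
                    && p.endsWith(Paths.get("WEB-INF", "classes", "logging.properties"));
        } catch (IllegalArgumentException e) { return false; } // includes InvalidPathException
    }
}
```

Because the path check is lexical, it does not follow symbolic links; write access to the webapps tree still has to be controlled by the configured policy and by file system permissions.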