Bug#461355: Confirmed in upstream.

Mon Jan 21 02:09:40 UTC 2008

This bug is indeed in the upstream code.

I wrote a very simple JSP and put it in the ROOT webapp that comes with 
Tomcat. The JSP says:

----BEGIN----
<%@page session="false" %>
<% java.util.logging.Logger.getAnonymousLogger().info("Hello, world!"); %>
-----END-----

The resulting exception:

----BEGIN----
java.security.AccessControlException: access denied 
(java.io.FilePermission /home/users/alex/tomcat-5.5-svn-test/tomcat-5.5-build/webapps/ROOT/WEB-INF/classes/logging.properties 
read)

java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
java.security.AccessController.checkPermission(AccessController.java:546)
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
java.lang.SecurityManager.checkRead(SecurityManager.java:871)
java.io.File.exists(File.java:731)
org.apache.naming.resources.FileDirContext.file(FileDirContext.java:828)
org.apache.naming.resources.FileDirContext.lookup(FileDirContext.java:211)
org.apache.naming.resources.ProxyDirContext.lookup(ProxyDirContext.java:294)
org.apache.catalina.loader.WebappClassLoader.findResourceInternal(WebappClassLoader.java:1925)
org.apache.catalina.loader.WebappClassLoader.findResource(WebappClassLoader.java:937)
org.apache.juli.ClassLoaderLogManager.readConfiguration(ClassLoaderLogManager.java:298)
org.apache.juli.ClassLoaderLogManager$2.run(ClassLoaderLogManager.java:273)
java.security.AccessController.doPrivileged(Native Method)
org.apache.juli.ClassLoaderLogManager.getClassLoaderInfo(ClassLoaderLogManager.java:270)
org.apache.juli.ClassLoaderLogManager.getLogger(ClassLoaderLogManager.java:175)
java.util.logging.Logger.getAnonymousLogger(Logger.java:359)
org.apache.jsp.testlog_jsp._jspService(testlog_jsp.java:41)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:331)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:329)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:597)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:244)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:276)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:162)
-----END-----

Note that, on 
http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html in 
the "Tomcat Custom Permissions" section, a FilePermission is dynamically 
granted to webapps to read their own files. A similar FilePermission 
needs to be (but isn't) granted to JULI to read logging.properties.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20080120/c9be4551/attachment.pgp 