On Sat, Jan 19, 2008 at 11:46:47PM -0800, Alexander Hvostov wrote: > On Saturday 19 January 2008, Marcus Better wrote: > > If the user creates that file then the security exception still gets > > thrown, so it would be very confusing to pretend the file doesn't > > exist. I'm not too happy about this idea. > > In that case, we would need to grant FilePermission to read the > logging.properties file in the appropriate place in each Web application > directory. > > To do this automatically, Tomcat would most likely have to provide a > custom java.security.Policy implementation that, in addition to granting > permissions defined by the configured security policy, also grants read > access to each webapp's own logging.properties file.
Upstream has this in catalina.properties (in SVN, not yet released). // To enable per context logging configuration, permit read access to the appropriate file. // Be sure that the logging configuration is secure before enabling such access // eg for the examples web application: // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; > I'm afraid this is a far bigger project than I'm willing to take on, but > perhaps someone among the Apache folks will do it, so why not forward > this bug upstream? Is this really a bug upstream? We should not report bugs there that are none there. Can someone build upstream SVN and test that a bit? Cheers, Michael _______________________________________________ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers