On Fri, Jan 18, 2008 at 12:44:11PM -0800, Alexander Hvostov wrote:
> On Thursday 17 January 2008, Marcus Better wrote:
> > Yes, see #460839 where we deal with this for the tomcat5.5-webapps.
> >
> > The stricter permissions are part of a tightened security policy. I
> > think our options are:
> > (i) Change JULI not to look for the logging.properties in those places
> > unless specifically configured to do it,
> > (ii) Give blanket permission for JULI to look up logging.properties
> > files in all webapps (possibly circumventing the security fix),
> > (iii) Leave as is and let users add the necessary permissions.
>
> It could just catch the SecurityException while looking for
> logging.properties and pretend that the file doesn't exist, possibly
> after logging a message saying so.

Yes, that would be the nicest, as opening permissions by default without need can open a security leak.

I looked at the offending code in connectors/juli/src/java/org/apache/juli/ClassLoaderLogManager.java and it did not look as simple as it should be. Does somebody have an idea for this?

Cheers,
Michael
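
The approach suggested in the quoted reply (catch the SecurityException and treat logging.properties as absent), shown as an added Java example that is not part of the original message and is not Tomcat's JULI code. The class and method names are hypothetical, and the two class loaders are constructed stand-ins for a webapp class loader with and without read permission.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;

// Added illustration; TolerantLoggingConfig and readConfig are hypothetical names.
public class TolerantLoggingConfig {

    /** Returns the loader's logging.properties, or null if absent or denied by policy. */
    static Properties readConfig(ClassLoader loader) throws IOException {
        InputStream in;
        try {
            in = loader.getResourceAsStream("logging.properties");
        } catch (SecurityException e) {
            // AccessControlException is a SecurityException. Report the denial and
            // treat the file as missing, rather than granting a blanket permission.
            System.err.println("logging.properties not readable under policy: " + e.getMessage());
            return null;
        }
        if (in == null) {
            return null; // file is genuinely absent
        }
        try (InputStream is = in) {
            Properties props = new Properties();
            props.load(is);
            return props;
        }
    }

    // Constructed loader: simulates a policy that denies the resource lookup.
    static ClassLoader denying() {
        return new ClassLoader() {
            @Override public InputStream getResourceAsStream(String name) {
                throw new SecurityException("access denied (constructed): " + name);
            }
        };
    }

    // Constructed loader: serves the given text as logging.properties.
    static ClassLoader serving(String content) {
        return new ClassLoader() {
            @Override public InputStream getResourceAsStream(String name) {
                return new ByteArrayInputStream(content.getBytes(StandardCharsets.UTF_8));
            }
        };
    }

    public static void main(String[] args) throws IOException {
        System.out.println("denied  -> " + readConfig(denying()));
        System.out.println("allowed -> " + readConfig(serving(".level=INFO\n")));
    }
}
```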