I'm developing a webapp with tomcat and struts and must use a security manager in tomcat (the -security startup arg). I have the following problem:
Tomcat has and uses commons-logging.jar Struts has and uses commons-logging.jar The two jar files are identical. Normally, one is supposed to include strust jar files and a bunch of other stuff with the webapp (basically static linking, which seems tragic with a platform like java :-( so all the jars in $STRUTS_HOME/lib are copied to WEB_INF/lib. If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib first, which has the webapp permissions (ie. NOT java.security.AllPermission :-) and fails. It looks like a java.lang.ExceptionInInitializerError: org.apache.commons.logging.LogConfigurationException: org.apache.commons.logging.LogConfigurationException: java.lang.NullPointerException but if I turn on java.security.debug I see it is really that it is a security access problem - which is expected: code in the webapp should not be able to open and write files in $CATALINA_HOME/logs. If I remove the commons-logging.jar from the webapp, then tomcat is happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which has the right permissions) BUT then struts can't find the logging classes, which looks like: java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory at org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135) ... Granting java.security.AllPermission to webapps makes them work but is not an acceptable alternative because the webapp loads dynamic code that can't be trusted (either 'cause I wrote it and it's buggy or because someone else wrote it and it is buggy and/or malicious :-). Any ideas for a solution would be appreciated? cheers, -- Patrick Dowler Canadian Astronomy Data Centre National Research Council Victoria, BC -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>