(running Tomcat 4.04) Granting permissions to individual jar files in a
webapp's WEB-INF/lib directory does not seem to be working correctly for
me:
I'm using the lastest Log4J and decided to put it in the lib directory
for my specific webapp. In a servlet filter for this webapp I have a
static Logger field that gets initialized:
private static final Logger logger =
Logger.getLogger(AuthFilter.class.getName());
I'm attempting to give the log4j jar in the webapp's WEB-INF/lib
directory java.lang.AllPermission:
grant codeBase
"file:${catalina.home}/webapps/myapp/WEB-INF/lib/log4j-1.2.6.jar" {
permission java.security.AllPermission;
};
When I try to start up Tomcat, I get the following error:
log4j:WARN Caught Exception while in Loader.getResource. This may be
innocuous.
java.security.AccessControlException: access denied
(java.lang.RuntimePermission getClassLoader)
<large exception trace follows>
I've noticed that if I put this specific permission in the general grant
structure of catalina.policy, everything works fine:
grant {
// lots of other permissions
java.lang.RuntimePermission "getClassLoader";
};
I'd like to avoid granting all webapp code this permission, so can
anyone tell me why the specific jarfile-based permission grant does not
work? When I turn on permissions debugging
(-Djava.security.debug=access:failure), I see the following output (this
is when I try granting AllPermission to the log4j jar specifically):
access: domain that failed ProtectionDomain (jar:file:C:/Documents and
Settings/jwp/tomcat/webapps/myapp/WEB-INF/lib/log4j-1.2.6.jar!/org/apach
e/log4j/helpers/Loader.class <no certificates>)
WebappClassLoader
available:
Extension[Struts Framework, implementationVendor=Apache Software
Foundation, implementationVendorId=org.apache,
implementationVersion=1.0.2, specificationVendor=Apache Software
Foundation, specificationVersion=1.0]
delegate: false
repositories:
/WEB-INF/classes/
required:
<...>
If I read this correctly, the Log4J jar is the code base that's
violating the permissions check. But how can that be when I specifically
grant AllPermission to the log4j jar file?
Thanks for your help,
John
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
