(running Tomcat 4.04) Granting permissions to individual jar files in a webapp's WEB-INF/lib directory does not seem to be working correctly for me:
I'm using the lastest Log4J and decided to put it in the lib directory for my specific webapp. In a servlet filter for this webapp I have a static Logger field that gets initialized: private static final Logger logger = Logger.getLogger(AuthFilter.class.getName()); I'm attempting to give the log4j jar in the webapp's WEB-INF/lib directory java.lang.AllPermission: grant codeBase "file:${catalina.home}/webapps/myapp/WEB-INF/lib/log4j-1.2.6.jar" { permission java.security.AllPermission; }; When I try to start up Tomcat, I get the following error: log4j:WARN Caught Exception while in Loader.getResource. This may be innocuous. java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) <large exception trace follows> I've noticed that if I put this specific permission in the general grant structure of catalina.policy, everything works fine: grant { // lots of other permissions java.lang.RuntimePermission "getClassLoader"; }; I'd like to avoid granting all webapp code this permission, so can anyone tell me why the specific jarfile-based permission grant does not work? When I turn on permissions debugging (-Djava.security.debug=access:failure), I see the following output (this is when I try granting AllPermission to the log4j jar specifically): access: domain that failed ProtectionDomain (jar:file:C:/Documents and Settings/jwp/tomcat/webapps/myapp/WEB-INF/lib/log4j-1.2.6.jar!/org/apach e/log4j/helpers/Loader.class <no certificates>) WebappClassLoader available: Extension[Struts Framework, implementationVendor=Apache Software Foundation, implementationVendorId=org.apache, implementationVersion=1.0.2, specificationVendor=Apache Software Foundation, specificationVersion=1.0] delegate: false repositories: /WEB-INF/classes/ required: <...> If I read this correctly, the Log4J jar is the code base that's violating the permissions check. But how can that be when I specifically grant AllPermission to the log4j jar file? Thanks for your help, John -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>