Posted to dev@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2013/08/17 14:36:53 UTC

Using log4j under a security manager

All,

See this SO thread:
http://stackoverflow.com/questions/18147885/use-log4j-in-a-tomcat-with-security-manager

...and refer to the Tomcat 7 log4j instructions:

http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j

...for context.

It looks like (the original) bin/tomcat-juli.jar is not given
permissions in conf/catalina.policy to read bin/log4j.properties. So, if
one follows the instructions for Tomcat/log4j from the link above, and
runs under a security manager, the logging system will throw a
SecurityException.

Should we modify catalina.policy to allow bin/tomcat-juli.jar to read
lib/log4j.properties (and possibly newer config files such as
lib/log4j.xml), or should we add an instruction in the documentation for
doing that?

On the one hand, it might be nice if it "just worked" with fewer steps
to follow. On the other hand, running such that read-access to
conf/log4j.properties|xml when not needed could be considered a (very
minor) security risk.

Separately, in Tomcat's logging instructions, item #4 says that if you
want to use log4j globally, you should put the new tomcat-juli.jar into
the conf/ directory instead of bin/. There is no commentary about what
to do with the original bin/tomcat-juli.jar... if I were following the
instructions, I would leave the original in place, but that does not
really sound appropriate to me. What is the proper technique to use
log4j for both Tomcat and webapp logging?

Thanks,
-chris


Re: Using log4j under a security manager

Posted by Nick Williams <ni...@nicholaswilliams.net>.
On Aug 17, 2013, at 7:36 AM, Christopher Schultz wrote:

> All,
> 
> See this SO thread:
> http://stackoverflow.com/questions/18147885/use-log4j-in-a-tomcat-with-security-manager
> 
> ...and refer to the Tomcat 7 log4j instructions:
> 
> http://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
> 
> ...for context.
> 
> It looks like (the original) bin/tomcat-juli.jar is not given
> permissions in conf/catalina.policy to read bin/log4j.properties. So, if
> one follows the instructions for Tomcat/log4j from the link above, and
> runs under a security manager, the logging system will throw a
> SecurityException.
> 
> Should we modify catalina.policy to allow bin/tomcat-juli.jar to read
> lib/log4j.properties (and possibly newer config files such as
> lib/log4j.xml), or should we add an instruction in the documentation for
> doing that?

And log4j2.xml. That's the new one.

However, I actually think documentation is what's needed here. I favor just doing that over adding a default allowance.

> On the one hand, it might be nice if it "just worked" with fewer steps
> to follow. On the other hand, running such that read-access to
> conf/log4j.properties|xml when not needed could be considered a (very
> minor) security risk.
> 
> Separately, in Tomcat's logging instructions, item #4 says that if you
> want to use log4j globally, you should put the new tomcat-juli.jar into
> the conf/ directory instead of bin/. There is no commentary about what
> to do with the original bin/tomcat-juli.jar... if I were following the
> instructions, I would leave the original in place, but that does not
> really sound appropriate to me. What is the proper technique to use
> log4j for both Tomcat and webapp logging?
> 
> Thanks,
> -chris
> 


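A catalina.policy grant of the kind discussed in this thread, as an added example that is not part of either message or of Tomcat's shipped policy file. It assumes the log4j configuration files sit in ${catalina.base}/lib (the thread names bin/, lib/ and conf/ at different points); log4j2.xml is included because the reply mentions it.

```conf
// Added example (not from the thread or the Tomcat distribution).
// Assumption: log4j's configuration lives in ${catalina.base}/lib.
// Change the directory segment if your configuration file is elsewhere.
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    // Narrow grant: read access to the named configuration files only.
    permission java.io.FilePermission
        "${catalina.base}${file.separator}lib${file.separator}log4j.properties", "read";
    permission java.io.FilePermission
        "${catalina.base}${file.separator}lib${file.separator}log4j.xml", "read";
    permission java.io.FilePermission
        "${catalina.base}${file.separator}lib${file.separator}log4j2.xml", "read";

    // Broader than needed, shown commented out for contrast:
    // a trailing "-" matches every file under lib/ recursively.
    // permission java.io.FilePermission
    //     "${catalina.base}${file.separator}lib${file.separator}-", "read";
};
```

This covers only the configuration-file read raised in the thread; list just the files that are actually deployed so the grant stays as small as the setup requires.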