Posted to users@tomcat.apache.org by Patrick Dowler <pa...@nrc.ca> on 2002/06/12 22:35:40 UTC
tomcat with security manager
I'm developing a webapp with tomcat and struts and must use a
security manager in tomcat (the -security startup arg). I have the
following problem:

Tomcat has and uses commons-logging.jar
Struts has and uses commons-logging.jar

The two jar files are identical. Normally, one is supposed to include
struts jar files and a bunch of other stuff with the webapp (basically
static linking, which seems tragic with a platform like java :-( so all
the jars in $STRUTS_HOME/lib are copied to WEB_INF/lib.

If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib
first, which has the webapp permissions (i.e. NOT java.security.AllPermission :-)
and fails. It looks like a

    java.lang.ExceptionInInitializerError:
    org.apache.commons.logging.LogConfigurationException:
    org.apache.commons.logging.LogConfigurationException:
    java.lang.NullPointerException

but if I turn on java.security.debug I see it is really that it is a security access
problem - which is expected: code in the webapp should not be able to
open and write files in $CATALINA_HOME/logs.

If I remove the commons-logging.jar from the webapp, then tomcat is
happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which
has the right permissions) BUT then struts can't find the logging
classes, which looks like:

    java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
        at org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135)
        ...

Granting java.security.AllPermission to webapps makes them work but is not
an acceptable alternative because the webapp loads dynamic code that can't
be trusted (either 'cause I wrote it and it's buggy or because someone else
wrote it and it is buggy and/or malicious :-).

Any ideas for a solution would be appreciated.

cheers,
--
Patrick Dowler
Canadian Astronomy Data Centre
National Research Council
Victoria, BC