You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Patrick Dowler <pa...@nrc.ca> on 2002/06/12 22:35:40 UTC

tomcat with security manager

I'm developing a webapp with tomcat and struts and must use a
security manager in tomcat (the -security startup arg). I have the
following problem:

Tomcat has and uses commons-logging.jar
Struts has and uses commons-logging.jar

The two jar files are identical. Normally, one is supposed to include
strust jar files and a bunch of other stuff with the webapp (basically
static linking, which seems tragic with a platform like java :-( so all
the jars in $STRUTS_HOME/lib are copied to WEB_INF/lib.

If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib
first, which has the webapp permissions (ie. NOT java.security.AllPermission :-)

and fails. It looks like a

java.lang.ExceptionInInitializerError:
	org.apache.commons.logging.LogConfigurationException:
		org.apache.commons.logging.LogConfigurationException:
			java.lang.NullPointerException

but if I turn on java.security.debug I see it is really that it is a security access
problem - which is expected: code in the webapp should not be able to
open and write files in $CATALINA_HOME/logs.

If I remove the commons-logging.jar from the webapp, then tomcat is
happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which
has the right permissions) BUT then  struts can't find the logging
classes, which looks like:

java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
	at org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135)
	...

Granting java.security.AllPermission to webapps makes them work but is not
an acceptable alternative because the webapp loads dynamic code that can't
be trusted (either 'cause I wrote it and it's buggy or because someone else
wrote it and it is buggy and/or malicious :-).

Any ideas for a solution would be appreciated? 

cheers,


-- 
Patrick Dowler
Canadian Astronomy Data Centre
National Research Council
Victoria, BC

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>