On Sat, Jan 19, 2008 at 11:46:47PM -0800, Alexander Hvostov wrote:
> On Saturday 19 January 2008, Marcus Better wrote:
> > If the user creates that file then the security exception still gets
> > thrown, so it would be very confusing to pretend the file doesn't
> > exist. I'm not too happy about this idea.
>
> In that case, we would need to grant FilePermission to read the
> logging.properties file in the appropriate place in each Web application
> directory.
>
> To do this automatically, Tomcat would most likely have to provide a
> custom java.security.Policy implementation that, in addition to granting
> permissions defined by the configured security policy, also grants read
> access to each webapp's own logging.properties file.

Upstream has this in catalina.properties (in SVN, not yet released).

// To enable per context logging configuration, permit read access to the appropriate file.
// Be sure that the logging configuration is secure before enabling such access
// eg for the examples web application:
// permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";

> I'm afraid this is a far bigger project than I'm willing to take on, but
> perhaps someone among the Apache folks will do it, so why not forward
> this bug upstream?

Is this really a bug upstream? We should not report bugs there that are
not bugs there. Can someone build upstream SVN and test that a bit?

Cheers,
Michael
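
Added example (not part of the original message and not Tomcat code): a java.security.Policy wrapper of the kind proposed in the quoted text, which defers to the configured policy and adds read access to one logging.properties per webapp. The class name WebappLoggingPolicy, the webapps path argument, and the choice to attach the grant to protection domains whose code source lies under a webapp directory are assumptions; code outside the webapp that is on the call stack still needs its permission from the configured policy.

```java
import java.io.FilePermission;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.*;

// Hypothetical class: wraps the configured policy, adds one read grant per webapp.
@SuppressWarnings({"deprecation", "removal"})
public class WebappLoggingPolicy extends Policy {
    private final Policy delegate; // policy built from the configured policy file
    private final Path webapps;    // assumed layout: <webapps>/<app>/WEB-INF/classes/

    public WebappLoggingPolicy(Policy delegate, Path webapps) {
        this.delegate = delegate;
        // normalize() removes "." and ".." but does not resolve symlinks
        this.webapps = webapps.toAbsolutePath().normalize();
    }

    /** The single extra grant for this domain, or null if its code is not inside a webapp. */
    FilePermission loggingGrant(ProtectionDomain domain) {
        CodeSource cs = (domain == null) ? null : domain.getCodeSource();
        URL loc = (cs == null) ? null : cs.getLocation();
        if (loc == null || !"file".equals(loc.getProtocol())) return null;
        try {
            Path code = Paths.get(loc.toURI()).toAbsolutePath().normalize();
            int depth = webapps.getNameCount();
            if (!code.startsWith(webapps) || code.getNameCount() <= depth) return null;
            // First path element below <webapps> names the webapp that owns this code.
            Path file = webapps.resolve(code.getName(depth))
                    .resolve("WEB-INF").resolve("classes").resolve("logging.properties");
            return new FilePermission(file.toString(), "read"); // read only, this file only
        } catch (Exception e) {
            return null; // unparseable location: fail closed, add nothing
        }
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        if (delegate.implies(domain, permission)) return true;
        FilePermission extra = loggingGrant(domain);
        return extra != null && extra.implies(permission);
    }

    // The extra grant is answered in implies(); everything else is delegated unchanged.
    @Override public PermissionCollection getPermissions(ProtectionDomain d) { return delegate.getPermissions(d); }
    @Override public PermissionCollection getPermissions(CodeSource cs) { return delegate.getPermissions(cs); }
    @Override public void refresh() { delegate.refresh(); }
}
```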