tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Using log4j under a security manager
Date Sat, 17 Aug 2013 12:36:53 GMT

See this SO thread:

...and refer to the Tomcat 7 log4j instructions:

...for context.

It looks like (the original) bin/tomcat-juli.jar is not given
permissions in conf/catalina.policy to read bin/ So, if
one follows the instructions for Tomcat/log4j from the link above, and
runs under a security manager, the logging system will throw a

Should we modify catalina.policy to allow bin/tomcat-juli.jar to read
lib/ (and possibly newer config files such as
lib/log4j.xml), or should we add an instruction in the documentation for
doing that?

On the one hand, it might be nice if it "just worked" with fewer steps
to follow. On the other hand, running such that read-access to
conf/|xml when not needed could be considered a (very
minor) security risk.

Separately, in Tomcat's logging instructions, item #4 says that if you
want to use log4j globally, you should put the new tomcat-juli.jar into
the conf/ directory instead of bin/. There is no commentary about what
to do with the original bin/tomcat-juli.jar... if I were following the
instructions, I would leave the original in place, but that does not
really sound appropriate to me. What is the proper technique to use
log4j for both Tomcat and webapp logging?


View raw message