tomcat-users mailing list archives

From Patrick Dowler <>
Subject tomcat with security manager
Date Wed, 12 Jun 2002 20:35:40 GMT

I'm developing a webapp with tomcat and struts and must use a
security manager in tomcat (the -security startup arg). I have the
following problem:

Tomcat has and uses commons-logging.jar
Struts has and uses commons-logging.jar

The two jar files are identical. Normally, one is supposed to include
struts jar files and a bunch of other stuff with the webapp (basically
static linking, which seems tragic with a platform like java :-( so all
the jars in $STRUTS_HOME/lib are copied to WEB_INF/lib.

If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib
first, which has the webapp permissions (ie. NOT :-)

and fails. It looks like a


but if I turn on I see it is really that it is a security access
problem - which is expected: code in the webapp should not be able to
open and write files in $CATALINA_HOME/logs.

If I remove the commons-logging.jar from the webapp, then tomcat is
happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which
has the right permissions) BUT then struts can't find the logging
classes, which looks like:

java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
	at org.apache.struts.util.MessageResourcesFactory.(

Granting to webapps makes them work but is not
an acceptable alternative because the webapp loads dynamic code that can't
be trusted (either 'cause I wrote it and it's buggy or because someone else
wrote it and it is buggy and/or malicious :-).

Any ideas for a solution would be appreciated.


Patrick Dowler
Canadian Astronomy Data Centre
National Research Council
Victoria, BC
