From: Patrick Dowler
To: tomcat-user@jakarta.apache.org
Subject: tomcat with security manager
Date: Wed, 12 Jun 2002 13:35:40 -0700
Message-Id: <200206121335.40877.patrick.dowler@nrc.ca>

I'm developing a webapp with tomcat and struts and must use a security manager in tomcat (the -security startup arg). I have the following problem:

  Tomcat has and uses commons-logging.jar
  Struts has and uses commons-logging.jar

The two jar files are identical. Normally, one is supposed to include struts jar files and a bunch of other stuff with the webapp (basically static linking, which seems tragic with a platform like java :-( so all the jars in $STRUTS_HOME/lib are copied to WEB_INF/lib.

If I run with -security, TOMCAT finds the commons-logging.jar in WEB_INF/lib first, which has the webapp permissions (i.e. NOT java.security.AllPermission :-) and fails. It looks like a

  java.lang.ExceptionInInitializerError: org.apache.commons.logging.LogConfigurationException: org.apache.commons.logging.LogConfigurationException: java.lang.NullPointerException

but if I turn on java.security.debug I see it is really that it is a security access problem - which is expected: code in the webapp should not be able to open and write files in $CATALINA_HOME/logs.

If I remove the commons-logging.jar from the webapp, then tomcat is happy (it uses $CATALINA_HOME/server/lib/commons-logging.jar, which has the right permissions) BUT then struts can't find the logging classes, which looks like:

  java.lang.NoClassDefFoundError: org/apache/commons/logging/LogFactory
      at org.apache.struts.util.MessageResourcesFactory.(MessageResourcesFactory.java:135)
      ...

Granting java.security.AllPermission to webapps makes them work but is not an acceptable alternative because the webapp loads dynamic code that can't be trusted (either 'cause I wrote it and it's buggy or because someone else wrote it and it is buggy and/or malicious :-).

Any ideas for a solution would be appreciated.

cheers,

--
Patrick Dowler
Canadian Astronomy Data Centre
National Research Council
Victoria, BC
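
The triage step the message describes (turning on java.security.debug to find the access check hidden behind the NullPointerException), as an added example that is not part of the original post: it groups each denied permission by the code source whose protection domain failed. The line shapes are assumed from the JDK's -Djava.security.debug=access,failure output, and the sample lines and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of -Djava.security.debug=access,failure output. The line
# shapes are an assumption modelled on the JDK; all paths are invented.
SAMPLE = '''\
access: access allowed (java.util.PropertyPermission user.dir read)
access: access denied (java.io.FilePermission /opt/tomcat/logs/catalina.log write)
java.lang.Exception: Stack trace
\tat java.lang.Thread.dumpStack(Thread.java:1064)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/app/WEB-INF/lib/commons-logging.jar <no signer certificates>)
access: access denied ("java.io.FilePermission" "/opt/tomcat/logs/catalina.log" "write")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/app/WEB-INF/lib/commons-logging.jar <no signer certificates>)
access: access denied (java.util.PropertyPermission org.apache.commons.logging.LogFactory read)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/app/WEB-INF/classes/ <no signer certificates>)
'''

DENIED = re.compile(r'^access: access denied \((.+)\)\s*$')
DOMAIN = re.compile(r'^access: domain that failed ProtectionDomain\s+\((\S+)')

def parse_permission(text):
    """Split a Permission.toString() body into (class, target, actions)."""
    if '"' in text:                       # newer JDKs quote each field
        parts = re.findall(r'"([^"]*)"', text)
    else:                                 # older JDKs separate fields by spaces
        tokens = text.split()
        if len(tokens) > 2:               # last token is the action list
            parts = [tokens[0], " ".join(tokens[1:-1]), tokens[-1]]
        else:                             # permission without actions
            parts = tokens
    return tuple((parts + ["", "", ""])[:3])

def denials_by_code_source(log_text):
    """Map code source URL -> set of (class, target, actions) it was denied."""
    result = defaultdict(set)
    pending = None                        # denial not yet tied to a domain
    for line in log_text.splitlines():
        denied = DENIED.match(line)
        domain = DOMAIN.match(line)
        if denied:
            if pending:                   # previous denial had no domain line
                result["<unknown>"].add(pending)
            pending = parse_permission(denied.group(1))
        elif domain and pending:
            result[domain.group(1)].add(pending)
            pending = None
    if pending:
        result["<unknown>"].add(pending)
    return dict(result)
```

A code source under WEB-INF/lib in the result means the class was loaded from the webapp's copy of the jar and was checked against the webapp's grant, not the container's.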