Bug 45709 - Incorrect configuration in default catalina.policy
Summary: Incorrect configuration in default catalina.policy
Status: RESOLVED DUPLICATE of bug 45293
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 5.5.26
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-28 17:12 UTC by William Tranmer
Modified: 2008-08-29 07:59 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description William Tranmer 2008-08-28 17:12:26 UTC
Problem:
The zipfile distribution of Apache-Tomcat-5.5.26 contains an improper conf/catalina.policy file with regards to logging permissions when running with -security option.  It may exist in the other distribution packages.  I have not checked them.

To reproduce:
Download apache-tomcat-5.5.26.zip distribution
Expand the zip file to a folder
Run the command {catalina.hom}/bin/catalina run -security

Cause:
There are two corrections that need to be made actually.
1.  The commons-logging-api jar that is packaged with apache-tomcat-5.5.26 is named "commons-logging-api-1.1.1.jar".  The catalina.policy file grants permissions to "commons-logging-api.jar".
2.  After correcting the first cause, you will need three permissions set for ${catalina.home}/bin/tomcat-juli.jar.  These are due to the bundled example webapps.  Please add the following lines to the default permissions list for juli --

permission java.io.FilePermission "${catalina.base}${file.seaparator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";

permission java.io.FilePermission "${catalina.base}${file.seaparator}webapps${file.separator}servlets-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";

permission java.io.FilePermission "${catalina.base}${file.seaparator}webapps${file.separator}jsp-examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
Comment 1 Mark Thomas 2008-08-29 04:01:19 UTC
The first issue has already been fixed. The second isn't going to be fixed. Work is in hand to handle the errors more gracefully.

In a security conscious environment, the examples should not be installed so I don't see the need to add explicit permissions for this web app.

*** This bug has been marked as a duplicate of bug 45293 ***
Comment 2 William Tranmer 2008-08-29 07:59:46 UTC
Thanks