Tomcat: 6.0.32 (freshly downloaded and unpacked) Java: 1.6.0_25 (freshly installed) OS: Windows XP Env variables: JAVA_HOME=C:\Program Files\Java\jdk1.6.0_25 JAVA_OPTS=-Xmx512m Append the following permission to the end of catalina.policy: grant codeBase "http://www.abc.com" { permission java.security.AllPermission; }; bin/startup.bat -security Generates (in console window, no log files generated): Could not load Logmanager "org.apache.juli.ClassLoaderLogManager" java.security.AccessControlException: access denied (java.lang.RuntimePermission setContextClassLoader) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374) at java.security.AccessController.checkPermission(AccessController.java:546) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.Thread.setContextClassLoader(Thread.java:1394) at java.util.logging.LogManager$Cleaner.<init>(LogManager.java:204) at java.util.logging.LogManager$Cleaner.<init>(LogManager.java:198) at java.util.logging.LogManager.<init>(LogManager.java:235) at org.apache.juli.ClassLoaderLogManager.<init>(ClassLoaderLogManager.java:64) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:513) at java.lang.Class.newInstance0(Class.java:355) at java.lang.Class.newInstance(Class.java:308) at java.util.logging.LogManager$1.run(LogManager.java:164) at java.security.AccessController.doPrivileged(Native Method) at java.util.logging.LogManager.<clinit>(LogManager.java:156) at java.util.logging.Logger.getLogger(Logger.java:287) at sun.net.www.protocol.http.HttpURLConnection.<clinit>(HttpURLConnection.java:57) at sun.net.www.protocol.http.Handler.openConnection(Handler.java:44) at sun.net.www.protocol.http.Handler.openConnection(Handler.java:39) at java.net.URL.openConnection(URL.java:945) at sun.security.provider.PolicyFile.canonicalizeCodebase(PolicyFile.java:1799) at sun.security.provider.PolicyFile.getCodeSource(PolicyFile.java:783) at sun.security.provider.PolicyFile.addGrantEntry(PolicyFile.java:807) at sun.security.provider.PolicyFile.init(PolicyFile.java:653) at sun.security.provider.PolicyFile.access$400(PolicyFile.java:266) at sun.security.provider.PolicyFile$3.run(PolicyFile.java:546) at java.security.AccessController.doPrivileged(Native Method) at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:519) at sun.security.provider.PolicyFile.initPolicyFile(PolicyFile.java:505) at sun.security.provider.PolicyFile.init(PolicyFile.java:464) at sun.security.provider.PolicyFile.<init>(PolicyFile.java:309) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27) at java.lang.reflect.Constructor.newInstance(Constructor.java:513) at java.lang.Class.newInstance0(Class.java:355) at java.lang.Class.newInstance(Class.java:308) at java.security.Policy.getPolicyNoCheck(Policy.java:167) at java.security.ProtectionDomain.implies(ProtectionDomain.java:224) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:352) at java.security.AccessController.checkPermission(AccessController.java:546) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285) at java.lang.System.getProperty(System.java:650) at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:43) at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:171) at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:243) at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:298) at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:55) Note: This works fine with Java 1.5.0 Seems to be a Java 1.6.0 related problem. I have tried several versions of Java 1.6.0 and all exhibit the same problem.
As of Java 1.6 the combination of: - custom LogManager - security manager - http codebase in security policy file won't work. The root cause is the following circular dependency: - The Custom LogManager has to extend the standard LogManager - standard LogManager starts a Cleaner that calls setContextClassloader - that triggers a security check - that triggers the parsing of the policy file - that triggers a validity check of the http codebase - that uses HttpUrlConnection - that tries to create a Logger - that requires LogManager to be initialised The standard LogManager avoids this since it is viewed as System code hence all security checks are bypassed. I don't see a way around this without changes to java.util.logging.LogManager and that is outside the control of the Tomcat project.