On Sunday 20 January 2008, you wrote:
> Upstream has this in catalina.properties (in SVN, not yet released).
>
> // To enable per context logging configuration, permit read access to the appropriate file.
> // Be sure that the logging configuration is secure before enabling such access
> // eg for the examples web application:
> // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";

Yes, you can find that text in /etc/tomcat5.5/policy.d/03catalina.policy in Debian. However, this isn't automatic -- the provided rule only applies to the example webapps, and similar rules have to be added for every webapp that uses java.util.logging.

> > I'm afraid this is a far bigger project than I'm willing to take on,
> > but perhaps someone among the Apache folks will do it, so why not
> > forward this bug upstream?
>
> Is this really a bug upstream? We should not report bugs there that are
> none there. Can someone build upstream SVN and test that a bit?

I'm building it now. It's downloading all the dependencies and that's going to take a while, but I'll say what my results are. For now, it does indeed appear to be an upstream bug, since upstream code is neither failing gracefully nor dynamically adjusting the policy, thus causing default installations to fail unless the policy is manually modified.
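The per-webapp rules discussed in the message above can be generated instead of typed by hand. The following is an added example, not part of the original message and not code from Tomcat or Debian; the function name is hypothetical, and it assumes webapps are unpacked directories and that refusing symlinked or group/world-writable files is an acceptable minimal reading of "be sure that the logging configuration is secure". The emitted lines go into the policy next to the upstream example line.

```shell
#!/bin/sh
# Added example (not from the thread, Tomcat or Debian).
# emit_logging_permissions WEBAPPS_DIR  (hypothetical helper name)
# Prints one FilePermission line, in the form quoted from upstream, for each
# unpacked webapp that ships WEB-INF/classes/logging.properties.
# Skipped webapps are reported on stderr.
emit_logging_permissions() {
    webapps_dir=$1
    sep='${file.separator}'            # literal text for the policy file
    for app in "$webapps_dir"/*/; do
        [ -d "$app" ] || continue
        name=$(basename "$app")
        props="${app}WEB-INF/classes/logging.properties"
        [ -f "$props" ] || continue
        # Names go into the policy file verbatim, so accept only a
        # conservative character set (assumption of this example).
        case $name in
            *[!A-Za-z0-9._-]*)
                echo "skip $name: unexpected characters in name" >&2
                continue ;;
        esac
        # Stand-in for "be sure that the logging configuration is secure":
        # refuse symlinks and group- or world-writable files.
        if [ -L "$props" ] ||
           [ -n "$(find "$props" \( -perm -020 -o -perm -002 \))" ]; then
            echo "skip $name: logging.properties is a symlink or writable by group/others" >&2
            continue
        fi
        printf 'permission java.io.FilePermission "%s", "read";\n' \
            "\${catalina.base}${sep}webapps${sep}${name}${sep}WEB-INF${sep}classes${sep}logging.properties"
    done
    return 0
}

# Run only when a webapps directory is given on the command line.
[ "$#" -eq 0 ] || emit_logging_permissions "$1"
```
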