https://bz.apache.org/bugzilla/show_bug.cgi?id=59247
--- Comment #11 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Coty Sutherland from comment #7)
> Created attachment 33713 [details]
> patch proposal to resolve the tomcat6 denial
>
> And here is a patch that seemingly resolves the issue for review. It looks
> like the examples webapp wants to use a class in o.a.catalina and it's
> getting denied. I added a section for the examples webapp much like the
> manager and host-manager section and put the permission there. Hopefully I
> did it correctly :)
Comment on this Tomcat 6 patch:
The issue:
> WARNING: WebappClassLoader.findClassInternal(chat.ChatServlet) security
> exception: Access denied ("java.lang.RuntimePermission"
> "accessClassInPackage.org.apache.catalina")
1. I am -1 on adding this permission by default. If you are security conscious,
you should not have the examples webapp installed. This is mentioned in
"Security Considerations" page (available in Tomcat 7 and later documentation).
[1]
This issue is originally known as bug 48218 and was resolved by package name
change in Tomcat 7.
2. It is worth adding this configuration fragment as commented-out example in
catalina.policy.
[1] https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Examples
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
