Rearrange tomcat-juli permissions, for better readability.
authorkkolinko <kkolinko@13f79535-47bb-0310-9956-ffa450edef68>
Sun, 6 Jun 2010 16:02:30 +0000 (16:02 +0000)
committerkkolinko <kkolinko@13f79535-47bb-0310-9956-ffa450edef68>
Sun, 6 Jun 2010 16:02:30 +0000 (16:02 +0000)
git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@951880 13f79535-47bb-0310-9956-ffa450edef68

conf/catalina.policy
webapps/docs/security-manager-howto.xml

index 19b0530..a1835e4 100644 (file)
@@ -64,30 +64,35 @@ grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
 // These permissions apply to the logging API
 // Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
 // update this section accordingly.
+//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-        permission java.util.PropertyPermission "catalina.base", "read";
         permission java.io.FilePermission
          "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; 
+
         permission java.io.FilePermission
          "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
         permission java.io.FilePermission
          "${catalina.base}${file.separator}logs", "read, write";
         permission java.io.FilePermission
          "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+
         permission java.lang.RuntimePermission "shutdownHooks";
         permission java.lang.RuntimePermission "getClassLoader";
         permission java.lang.RuntimePermission "setContextClassLoader";
+
         permission java.util.logging.LoggingPermission "control";
 
-        // To enable per context logging configuration, permit read access to
+        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+        permission java.util.PropertyPermission "catalina.base", "read";
+
+        // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
-        // secure before enabling such access. E.g. for the examples web
-        // application:
+        // secure before enabling such access.
+        // E.g. for the examples web application, all in one line:
         // permission java.io.FilePermission "${catalina.base}${file.separator}
-        //  webapps${file.separator}examples${file.separator}
-        //  WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+        //  webapps${file.separator}examples${file.separator}WEB-INF
+        //  ${file.separator}classes${file.separator}logging.properties", "read";
 };
 
 // These permissions apply to the server startup code
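Review bot: The reworded note at the end of the tomcat-juli grant (`// Note: To enable per context logging configuration ...`) still asks the administrator to be sure the logging configuration "is secure" without saying what to check. A per-context logging.properties ships inside the web application and is presumably read by JULI under this grant, which includes `LoggingPermission "control"` and write access to `${catalina.base}/logs` and its direct children, so the file should be treated as untrusted input. I would add a comment line such as `// The file is processed with the permissions of this grant: enable it only for web applications whose logging.properties you have reviewed and which cannot modify it.` The same text is repeated in the webapps/docs/security-manager-howto.xml hunk and should be kept in sync.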
index 5d2bad5..f3ae1a0 100644 (file)
@@ -230,30 +230,35 @@ grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
 // These permissions apply to the logging API
 // Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
 // update this section accordingly.
+//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-        permission java.util.PropertyPermission "catalina.base", "read";
         permission java.io.FilePermission
          "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; 
+
         permission java.io.FilePermission
          "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
         permission java.io.FilePermission
          "${catalina.base}${file.separator}logs", "read, write";
         permission java.io.FilePermission
          "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+
         permission java.lang.RuntimePermission "shutdownHooks";
         permission java.lang.RuntimePermission "getClassLoader";
         permission java.lang.RuntimePermission "setContextClassLoader";
+
         permission java.util.logging.LoggingPermission "control";
 
-        // To enable per context logging configuration, permit read access to
+        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+        permission java.util.PropertyPermission "catalina.base", "read";
+
+        // Note: To enable per context logging configuration, permit read access to
         // the appropriate file. Be sure that the logging configuration is
-        // secure before enabling such access. E.g. for the examples web
-        // application:
+        // secure before enabling such access.
+        // E.g. for the examples web application, all in one line:
         // permission java.io.FilePermission "${catalina.base}${file.separator}
-        //  webapps${file.separator}examples${file.separator}
-        //  WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+        //  webapps${file.separator}examples${file.separator}WEB-INF
+        //  ${file.separator}classes${file.separator}logging.properties", "read";
 };
 
 // These permissions apply to the server startup code