Hi, i'm trying to solve a security permission issue when running a
spring application in tomcat (v5.5.4) with the security manager turned
on. I'm not sure if the root cause is log4j or spring, and i'm also
confused why either would need such a permission.
Any ideas/help would be great.

I can solve the issue by with an addition to the policy as below for all
files in my web context as its needed for .jars and .jsp files:

permission java.lang.RuntimePermission "defineClassInPackage.java.lang";

Below is part of my security log.

Thanks,

Tim

access: access allowed (java.io.FilePermission
/usr/local/jakarta-tomcat-5.5.4/common/classes/org/apache/log4j/LayoutBeanInfo.class
read)
access: access allowed (java.io.FilePermission
/usr/local/jakarta-tomcat-5.5.4/server/classes/org/apache/log4j/LayoutBeanInfo.class
read)
access: access denied (java.lang.RuntimePermission
defineClassInPackage.java.lang)
java.lang.Exception: Stack trace
        at java.lang.Thread.dumpStack(Thread.java:1206)
        at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
        at
java.security.AccessController.checkPermission(AccessController.java:546)
        at
java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at
java.lang.SecurityManager.checkPackageDefinition(SecurityManager.java:1580)
        at
org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:834)
        at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1299)
        at
org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1181)
        at java.beans.Introspector.instantiate(Introspector.java:1460)
        at
java.beans.Introspector.findExplicitBeanInfo(Introspector.java:410)
        at java.beans.Introspector.<init>(Introspector.java:359)
        at java.beans.Introspector.getBeanInfo(Introspector.java:159)
        at java.beans.Introspector.getBeanInfo(Introspector.java:220)
        at java.beans.Introspector.<init>(Introspector.java:368)
        at java.beans.Introspector.getBeanInfo(Introspector.java:159)
        at java.beans.Introspector.getBeanInfo(Introspector.java:220)
        at java.beans.Introspector.<init>(Introspector.java:368)
        at java.beans.Introspector.getBeanInfo(Introspector.java:159)
        at
org.apache.log4j.config.PropertySetter.introspect(PropertySetter.java:66)
        at
org.apache.log4j.config.PropertySetter.getPropertyDescriptor(PropertySetter.java:234)
        at
org.apache.log4j.config.PropertySetter.setProperty(PropertySetter.java:146)
        at
org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:120)
        at
org.apache.log4j.config.PropertySetter.setProperties(PropertySetter.java:87)
        at
org.apache.log4j.PropertyConfigurator.parseAppender(PropertyConfigurator.java:640)
        at
org.apache.log4j.PropertyConfigurator.parseCategory(PropertyConfigurator.java:603)
        at
org.apache.log4j.PropertyConfigurator.configureRootCategory(PropertyConfigurator.java:500)
        at
org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:406)
        at
org.apache.log4j.PropertyConfigurator.doConfigure(PropertyConfigurator.java:307)
        at
org.apache.log4j.PropertyWatchdog.doOnChange(PropertyConfigurator.java:673)
        at
org.apache.log4j.helpers.FileWatchdog.checkAndConfigure(FileWatchdog.java:80)
        at
org.apache.log4j.helpers.FileWatchdog.<init>(FileWatchdog.java:49)
        at
org.apache.log4j.PropertyWatchdog.<init>(PropertyConfigurator.java:665)
        at
org.apache.log4j.PropertyConfigurator.configureAndWatch(PropertyConfigurator.java:373)
        at
org.springframework.util.Log4jConfigurer.initLogging(Log4jConfigurer.java:64)
        at
org.springframework.web.util.Log4jWebConfigurer.initLogging(Log4jWebConfigurer.java:97)
        at
org.springframework.web.util.Log4jConfigListener.contextInitialized(Log4jConfigListener.java:44)
        at
org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3631)
        at
org.apache.catalina.core.StandardContext.start(StandardContext.java:4065)
        at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:755)
        at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:121)
        at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:737)
        at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
        at
org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:590)
        at
org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
        at
org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
        at
org.apache.catalina.startup.HostConfig.start(HostConfig.java:1079)
        at
org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
        at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1011)
        at
org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
        at
org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1003)
        at
org.apache.catalina.core.StandardEngine.start(StandardEngine.java:437)
        at
org.apache.catalina.core.StandardService.start(StandardService.java:450)
        at
org.apache.catalina.core.StandardServer.start(StandardServer.java:2010)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:589)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
access: access allowed (java.security.SecurityPermission getPolicy)
access: access allowed (java.io.FilePermission
/home/tim/temp/tempcontext/WEB-INF/lib/spring.jar read)
access: domain that failed ProtectionDomain
(file:/home/tim/temp/tempcontext/WEB-INF/lib/spring.jar <no signer
certificates>)
 WebappClassLoader
  delegate: false
  repositories:
    /WEB-INF/classes/
----------> Parent Classloader:
org.apache.catalina.loader.StandardClassLoader@145d068

 <no principals>
 java.security.Permissions@b8bef7 (
 (java.net.SocketPermission localhost:3306 connect,resolve)
 (java.net.SocketPermission *:25 connect,resolve)
 (java.net.SocketPermission *:80 connect,resolve)
 (java.net.SocketPermission localhost:3306 connect,resolve)