Posted to users@tomcat.apache.org by David Bussenschutt <D....@mailbox.gu.edu.au> on 2000/11/30 02:05:15 UTC

potentially thousands of servlet context entries

Q1, 
Thanks Andreas, this fixed it:
cd /path/to/tomcat/webapps/
find . -type d -print | xargs -n1 chmod o+x
find . -type f -print | xargs -n1 chmod o+r
Is that going to be a security problem giving 'nobody' read access to all
of 'webapps' ?

Everyone:
Q2. I'm completely new to java and servlets (I'm just the sysop), but I'm
guessing that in a development environment you'd be wanting to reload/stop
a servlet frequently? 
Since all my ~3500 users are potential developers, then having just 1 (one)
JVM might be a bad idea, and I doubt the server could cope with 3500 of
them (actually it'd be more like 150-300 active at any one time).  
Any other ideas? Perhaps I could "cluster" the users into development
"teams" and have a JVM for each? (giving them the power to restart their
own JVM)
If I wanted to have a JVM for every user (started on demand - I'm NOT
running 3500 JVMs just in case someone wants to use it) how would I go
about arranging that? Are there a few hints in a how-to someplace?

David.

At 09:54 AM 11/29/00 +0100, you wrote:
>Hi,
>Q1)
>Probably still a user-rights problem. Make sure user nobody has rwx on
>$TOMCAT_HOME/work and access to all context dirs (under webapp)
>
>Q2)
>You might encounter several problems here. With some clever links and
>mod_rewrite rules you might establish a per user mapped context-dir but do
>you want to have all 3500 within one Tomcat instance (one JVM). If one needs
>to reload/stop a servlet the engine has to be stopped for all 3499 users as
>well.
>To bypass that you will need a separate Tomcat for each user which will lead
>to a lot of memory and cpu consumption.
>
>Regards,
>Andreas
>
>> -----Original Message-----
>> From: David Bussenschutt [mailto:D.Bussenschutt@mailbox.gu.edu.au]
>> Sent: Wednesday, November 29, 2000 4:31 AM
>> To: tomcat-user@jakarta.apache.org
>> Subject: Q's: running tomcat as 'nobody', and thousands of servlet
>> context entries
>> 
>> 
>> Hi All,
>> 
>> I've read the tomcat-apache howto at:
>> http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/tomcat-apache-howto.html
>> (and also the users-guide, the mod_jk howto, the list archives etc etc.)
>> 
>> I have installed: linux 2.2.14 ; apache 1.3.12 (mod_ssl & 
>> php4  & mod_so
>> statically linked; mod_jk, etc etc dyn. linked); tomcat 
>> 3.2beta8 (milestone
>> release) ; mod_jk compiled and installed
>> 
>> QUESTION 1.
>> 
>> When I run tomcat as 'nobody' as suggested in the above howto 
>> document, I
>> was initially getting all sorts of problems with 'nobody' not having
>> permission to write the log files etc, but with that all 
>> fixed, I now get
>> the following jsp errors from tomcat on startup:  
>> --------------------------------------------------------------------------
>> cannot load servlet name: jsp
>> cannot load servlet name: jsp
>> cannot load servlet name: jsp
>> --------------------------------------------------------------------------
>> 
>> but it doesn't seem to prevent the example jsp and servlets 
>> from working 
>> (once the log file permissions are fixed) ... what does it mean?
>> 
>> When I run tomcat as 'root' these problems don't exist, and 
>> the jsp and
>> servlet examples run fine.
>> 
>> So, can you give me any hints as to what the problem might be?
>> 
>> QUESTION 2.
>> 
>> I have another server I wish to install this on, and it has about 3500
>> users (students) that will all be wanting to use servlets/jsp in their
>> projects.  They all get http://localhost/~username/ access to 
>> their pages,
>> and also get cgi access through a global apache directive of :
>> ScriptAliasMatch ^/([^/]+)-bin(.*) /home/$1/cgi-bin$2
>> which allows cgi's within their own ~username space. 
>> (seen as http://localhost/~username-bin/ and available in the file
>> hierarchy as ~username/cgi-bin/ )
>> 
>> How do I go about giving them access to run servlets from 
>> their ~username
>> space?  eg:
>> (seen as http://localhost/~username-servlet/ and available in 
>> their own
>> home as ~username/servlet/ ??? )
>> It's not practical to create 3500 Context entries into the 
>> server.xml, one
>> for each user, so how might I go about this?
>> 
>> Also, How do I go about giving them access to run jsp from 
>> their username
>> space? 
>> Is it as simple as adding a directive somewhere saying that 
>> all *.jsp files
>> are redirected to the JVM? If so I must have missed that in the
>> documentation somewhere...?
>> 
>> Thanks,
>> 
>> David.
>> 
>> P.S. These might be good questions to add to your original 
>> 'apache-tomcat'
>> howto, or to a FAQ someplace, assuming you have an answer... ;-)
>> 
>> --------------------------------------------------------------------
>> David Bussenschutt          Email: D.Bussenschutt@mailbox.gu.edu.au
>> Senior Computing Support Officer & Systems Administrator/Programmer
>> Location: Griffith University. Information Technology Services
>>           Brisbane Qld. Aust.  (TEN bldg. rm 1.33) Ph: (07)38757079
>> --------------------------------------------------------------------
>> 
>
>

--------------------------------------------------------------------
David Bussenschutt          Email: D.Bussenschutt@mailbox.gu.edu.au
Senior Computing Support Officer & Systems Administrator/Programmer
Location: Griffith University. Information Technology Services
          Brisbane Qld. Aust.  (TEN bldg. rm 1.33) Ph: (07)38757079
--------------------------------------------------------------------

Re: potentially thousands of servlet context entries

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
David Bussenschutt wrote:

> Q1,
> Thanks andreas, this fixed it:
> cd /path/to/tomcat/webapps/
> find . -type d -print | xargs -n1 chmod o+x
> find . -type f -print | xargs -n1 chmod o+r
> Is that going to be a security problem giving 'nobody' read access to all
> of 'webapps' ?
>

It shouldn't (but see below).  In fact, as you have discovered, Tomcat will not be
able to work without this.

One potential issue that a sysop might want to be aware of:  many servlet based
applications customize themselves based on configuration files.  For example, the
servlet container itself references a file named WEB-INF/web.xml (inside the
document root of each web application's base directory).  Often, there is
sensitive information (such as username/password combinations for database
logins) in these files, and the issue is "can a remote user access this file?"

The servlet API expressly prohibits serving files from a WEB-INF directory
directly to a client user, so a request like this:

    http://localhost:8080/myapplication/WEB-INF/web.xml

will fail.  Therefore, the WEB-INF directory is a pretty good place to store
configuration files for your apps.  Placing them anywhere else within the
document base directory for a web app risks compromising the information
contained in them.
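As an added illustration of the point above (not part of the original thread), the script below audits a webapp's document base for config-style files that sit outside WEB-INF, where a browser could fetch them. The docbase and its files are constructed in a temp directory so it runs offline; the file patterns are an assumed starting list, not a complete one.

```shell
#!/bin/sh
# Constructed sample webapp tree: one properties file kept safely under
# WEB-INF and one copy exposed under a normally browsable directory.
DOCBASE=$(mktemp -d)/myapplication
mkdir -p "$DOCBASE/WEB-INF" "$DOCBASE/admin"
printf '<web-app/>\n' > "$DOCBASE/WEB-INF/web.xml"
printf 'db.user=app\ndb.password=secret\n' > "$DOCBASE/WEB-INF/db.properties"  # safe
printf 'db.user=app\ndb.password=secret\n' > "$DOCBASE/admin/db.properties"    # exposed
printf '<html>ok</html>\n' > "$DOCBASE/index.html"

# List (relative to the docbase) config-style files that are NOT under
# WEB-INF.  WEB-INF is pruned because the servlet container refuses to
# serve anything inside it; everything else in the docbase is reachable.
exposed_config_files() {
    base=$1
    ( cd "$base" && find . -path ./WEB-INF -prune -o -type f \
        \( -name '*.properties' -o -name '*.xml' -o -name '*.conf' \) -print ) \
        | sed 's|^\./||' | sort
}

# Number of exposed files, handy as a pass/fail step in a deployment check.
exposed_config_count() {
    exposed_config_files "$1" | wc -l | tr -d ' '
}

exposed_config_files "$DOCBASE"
```

Run it against a real docbase by replacing the constructed DOCBASE; any path it prints is a candidate for moving into WEB-INF.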

>
> Everyone:
> Q2. I'm completely new to java and servlets (I'm just the sysop), but I'm
> guessing that in a development environment you'd be wanting to reload/stop
> a servlet frequently?
> Since all my ~3500 users are potential developers, then having just 1 (one)
> JVM might be a bad idea, and I doubt the server could cope with 3500 of
> them (actually it'd be more like 150-300 active at any one time).
> Any other ideas? Perhaps I could "cluster" the users into development
> "teams" and have a JVM for each? (giving them the power to restart their
> own JVM)
> If I wanted to have a JVM for every user (started on demand - I'm NOT
> running 3500 JVMs just in case someone wants to use it) how would I go
> about arranging that? Are there a few hints in a how-to someplace?
>

If your developers are willing, one way to do this would be to have each user
have their own "$TOMCAT_HOME" directory.  (A few tweaks to the standard scripts
would let you share most of the actual files.)  Then, they could just run the
standard startup script when they wanted their own Tomcat to be running.  The
hard part of administering this, though, will be making sure that two developers
are not trying to use the same network port at the same time.

If your developers are running on their own PCs, another approach might be to
have them run Tomcat locally, instead of on the server.

>
> David.
>

Craig McClanahan