Posted to users@tomcat.apache.org by "Taglang, Guillaume" <Gu...@paybox.net> on 2000/10/05 02:34:54 UTC

Running Tomcat for an ISP

Hi,

2 questions about using Tomcat for an ISP:
  - can I prevent users from making a System.exit()
  - can I prevent crashing when the user uses a buggy native library (core
dump)?

Regards,

Guillaume

Re: Running Tomcat for an ISP

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Duane Gran wrote:

> > >   - can I prevent crashing when the user uses a buggy native library (core
> > > dump)?
> > >
> >
> > How about not allowing native libraries?
> >
> > What ISP operators might want to think about is a two-tiered pricing model --
> > a higher price to have your own JVM, running under your own OS username, in
> > which you can run your own webapps but nobody else's (so if you crash it you
> > only hurt yourself), and an economy price for a shared JVM environment.  This
> > avoids the issue about OS user identity being shared as well.
>
> This is interesting.  I was under the impression that it wasn't possible
> to use a shared JVM with Tomcat like you can with JServ.  All of the
> examples I have seen in the User Guide seem to imply that a separate JVM
> instance is the only route.  Am I misunderstanding something?
>

For Tomcat 3.1 you basically had to run a separate JVM per virtual host.

This situation has been changed for 3.2 -- you can configure and run multiple
virtual hosts in a single JVM, and you have the option to run under a security
manager (if you're running on a Java2 platform) as I described in the previous
message.  You might want to do this anyway, even in a JVM-per-customer world, to
limit what mischief your customer can get into.

>
> > On the other hand, with hardware being relatively cheap, it's probably
> > simpler to stick with just the JVM-per-customer approach and put up a farm of
> > servers of appropriate size so that you don't care about the higher memory
> > occupancy.
>
> I would agree.  I'm in a similar position as the original poster and I'm
> testing Tomcat in a shared hosting environment.  Having a JVM instance
> for each user is much better than hoping that one person won't pull down
> the whole thing for everyone else.  The sandbox is worth it, although
> I'm still not sure how well this will scale in practice.  As I learn
> more from practical experience over the coming months I'll be
> summarizing to the list.
>
> Duane Gran

Craig

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat

Re: Running Tomcat for an ISP

Posted by Duane Gran <ra...@spinweb.net>.
> >   - can I prevent crashing when the user uses a buggy native library (core
> > dump)?
> >
> 
> How about not allowing native libraries?
> 
> What ISP operators might want to think about is a two-tiered pricing model --
> a higher price to have your own JVM, running under your own OS username, in
> which you can run your own webapps but nobody else's (so if you crash it you
> only hurt yourself), and an economy price for a shared JVM environment.  This
> avoids the issue about OS user identity being shared as well.

This is interesting.  I was under the impression that it wasn't possible
to use a shared JVM with Tomcat like you can with JServ.  All of the
examples I have seen in the User Guide seem to imply that a separate JVM
instance is the only route.  Am I misunderstanding something?

> On the other hand, with hardware being relatively cheap, it's probably
> simpler to stick with just the JVM-per-customer approach and put up a farm of
> servers of appropriate size so that you don't care about the higher memory
> occupancy.

I would agree.  I'm in a similar position as the original poster and I'm
testing Tomcat in a shared hosting environment.  Having a JVM instance
for each user is much better than hoping that one person won't pull down
the whole thing for everyone else.  The sandbox is worth it, although
I'm still not sure how well this will scale in practice.  As I learn
more from practical experience over the coming months I'll be
summarizing to the list.

Duane Gran

Re: Running Tomcat for an ISP

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
"Taglang, Guillaume" wrote:

> Hi,
>
> 2 questions about using Tomcat for an ISP:
>   - can I prevent users from making a System.exit()

Under Java2 (JDK1.2 or later), Tomcat 3.2 lets you run webapps under a
SecurityManager, so that you can fine tune the permissions that each webapp
can have.  Besides restricting System.exit(), you can impose any other
restrictions (like access to only certain network ports on certain hosts, or
access to only certain directories) supported by the protection model of
Java.

One thing to remember, though, is that a JVM operates under a single
operating system username.  Therefore, if you are running multiple webapps in
the same JVM (for different customers), the files are all accessible (at the
OS level) to non-Java programs running under that login.  See more below.

>
>   - can I prevent crashing when the user uses a buggy native library (core
> dump)?
>

How about not allowing native libraries?

What ISP operators might want to think about is a two-tiered pricing model --
a higher price to have your own JVM, running under your own OS username, in
which you can run your own webapps but nobody else's (so if you crash it you
only hurt yourself), and an economy price for a shared JVM environment.  This
avoids the issue about OS user identity being shared as well.

On the other hand, with hardware being relatively cheap, it's probably
simpler to stick with just the JVM-per-customer approach and put up a farm of
servers of appropriate size so that you don't care about the higher memory
occupancy.

>
> Regards,
>
> Guillaume

Craig McClanahan

RE: Running Tomcat for an ISP

Posted by Joe Shevland <sh...@kpi.com.au>.
Hi,

Whilst I haven't done this yet I've been thinking about it :) There may be some gotchas...

> -----Original Message-----
> From: Taglang, Guillaume [mailto:Guillaume.Taglang@paybox.net]
> Sent: Thursday, October 05, 2000 11:35 AM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: Running Tomcat for an ISP
> 
> 
> 
> Hi,
> 
> 2 questions about using Tomcat for an ISP:
>   - can I prevent users from making a System.exit()

Installing a SecurityManager or specifying a security file with this ability turned off should work. Are there any issues with installing a SecurityManager for each Tomcat JVM instance running? This would be a whole-of-JVM thing, not per webapp.

>   - can I prevent crashing when the user uses a buggy native library (core
> dump)?

No, as the core dump (BLOD, whatever) is an OS thing and out of the JVM's hands at that stage. But you *can* prevent or allow access to only particular native libraries using the SecurityManager (OTOH, again, haven't tried, but recall reading it).

Cheers,
Joe

> 
> Regards,
> 
> Guillaume
>
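
As an added illustration of the SecurityManager approach Craig and Joe describe above (not taken from the thread or from Tomcat's distribution), a Java 2 policy file for a shared JVM could look like the following. The paths, customer names and database host are assumptions, as is the container loading each webapp with a code source under its own directory so that the codeBase entries match.

```java
// Java 2 policy file (policy-file syntax, not Java source). Constructed example.
// Assumed install root: /opt/tomcat. Start the JVM with:
//   -Djava.security.manager -Djava.security.policy==/opt/tomcat/conf/isp.policy
// The double "==" replaces the JRE's default policy instead of adding to it,
// so no grant from the stock java.policy leaks into the webapps.

// The container's own classes are trusted.
grant codeBase "file:/opt/tomcat/lib/-" {
    permission java.security.AllPermission;
};

// Customer A: read its own webapp, write only its work directory,
// and open outbound connections to one database host and port.
grant codeBase "file:/opt/tomcat/webapps/customer-a/-" {
    permission java.io.FilePermission "/opt/tomcat/webapps/customer-a/-", "read";
    permission java.io.FilePermission "/opt/tomcat/work/customer-a/-", "read,write,delete";
    permission java.net.SocketPermission "db.customer-a.example:5432", "connect,resolve";
    permission java.util.PropertyPermission "line.separator", "read";
};

// Customer B: same file layout, no network access at all.
grant codeBase "file:/opt/tomcat/webapps/customer-b/-" {
    permission java.io.FilePermission "/opt/tomcat/webapps/customer-b/-", "read";
    permission java.io.FilePermission "/opt/tomcat/work/customer-b/-", "read,write,delete";
    permission java.util.PropertyPermission "line.separator", "read";
};

// Deliberately granted to no webapp. Anything not granted is denied:
//   java.lang.RuntimePermission "exitVM"
//       -> System.exit() throws SecurityException instead of stopping the JVM
//   java.lang.RuntimePermission "loadLibrary.*"
//       -> System.loadLibrary() throws SecurityException, so customer code
//          cannot bring a native library into the shared process
//   java.lang.RuntimePermission "createClassLoader"
//   java.lang.RuntimePermission "setSecurityManager"
//       -> webapp code cannot define classes outside these grants or
//          replace the security manager
//   java.security.AllPermission
```

These grants constrain Java code only: as noted in the thread, the files remain reachable at the OS level by anything running under the JVM's login, and a native library that is allowed to load runs outside the policy.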