You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Stephan Schöffel <st...@gmx.net> on 2007/01/03 11:22:53 UTC
disable war deployment
hi,
is there a way to disable deployment of war files dropped into the
appBase? i dont mean the autoDeploy attribute. i need tomcat to not
deploy any war files at all...
gtx
stephan
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Stephan Schöffel <st...@gmx.net>.
i already altered HostConfig to fit my needs.
just wanted to know if there is a way to disable war-deployment. the way
like using deployXML to prevent tomcat deploy an app based on
context.xml file...
David Delbecq wrote:
>En l'instant précis du 01/03/07 13:05, Stephan Schöffel s'exprimait dans
>toute sa noblesse:
>
>
>>the problem is easy: i have to distribute the tomcat with preinstalled
>>apps. i havae to make sure the tomcat only loads apps that i delivered
>>with it.
>>
>>
>And how is tomcat supposed to make the difference between those that are
>"delivered with it" and those that are not?
>
>
>>now im trying to delete all ways loading apps. only apps in
>>dir-structures should be loaded (ie with the deployDirectory() method,
>>which i altered to verify the apps).
>>
>>
>I think you will then have to overwrite / subclass the default catalina
>host.
>
>
>>Gregor Schneider wrote:
>>
>>
>>
>>>Hi Stephan,
>>>
>>>the real question here is: what do you want to achieve?
>>>
>>>I'm afraid you try to put the cart before the horse....
>>>
>>>My guess is that you should take a look at what David wrote: Use your
>>>OS to prevent unauthorized access to your file-system.
>>>
>>>So I suggest you're letting us know what your exact problem is / what
>>>you'd like to achieve, name the OS and maybe we can find an
>>>appropriate solution for you.
>>>
>>>Cheers
>>>
>>>Greg
>>>
>>>
>>
>>---------------------------------------------------------------------
>>To start a new topic, e-mail: users@tomcat.apache.org
>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To start a new topic, e-mail: users@tomcat.apache.org
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by David Delbecq <de...@oma.be>.
En l'instant précis du 01/03/07 13:05, Stephan Schöffel s'exprimait dans
toute sa noblesse:
> the problem is easy: i have to distribute the tomcat with preinstalled
> apps. i havae to make sure the tomcat only loads apps that i delivered
> with it.
And how is tomcat supposed to make the difference between those that are
"delivered with it" and those that are not?
> now im trying to delete all ways loading apps. only apps in
> dir-structures should be loaded (ie with the deployDirectory() method,
> which i altered to verify the apps).
I think you will then have to overwrite / subclass the default catalina
host.
>
> Gregor Schneider wrote:
>
>> Hi Stephan,
>>
>> the real question here is: what do you want to achieve?
>>
>> I'm afraid you try to put the cart before the horse....
>>
>> My guess is that you should take a look at what David wrote: Use your
>> OS to prevent unauthorized access to your file-system.
>>
>> So I suggest you're letting us know what your exact problem is / what
>> you'd like to achieve, name the OS and maybe we can find an
>> appropriate solution for you.
>>
>> Cheers
>>
>> Greg
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Stephan Schöffel wrote:
> the idea of not running other apps in my tomcat has juristic backgound...
IMHO it should be clarified/solved within licensing terms, not within
the software.
In other case, I would run custom embeded tomcat or extend default host
class.
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: disable war deployment
Posted by Leon Rosenberg <ro...@googlemail.com>.
On 1/3/07, Mikolaj Rydzewski <mi...@ceti.pl> wrote:
> David Delbecq wrote:
> > And run tomcat within a a dedicated account having limited access to
> > system.
> >
> Are there any people who run tomcat as root? I can't believe!
there are people who run ambigious statement they've seen in some
boards on the net as root. like what does this "rm -rf /" do? Lets
test it!!!
:-)
Leon
>
> --
> Mikolaj Rydzewski <mi...@ceti.pl>
>
>
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
David Delbecq wrote:
> And run tomcat within a a dedicated account having limited access to
> system.
>
Are there any people who run tomcat as root? I can't believe!
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: disable war deployment
Posted by David Delbecq <de...@oma.be>.
En l'instant précis du 01/03/07 14:07, Mikolaj Rydzewski s'exprimait
dans toute sa noblesse:
> Stephan Schöffel wrote:
>> if someone is able to put a war file into the tomcat installed to
>> your computer he can do probably anything he wants to your computer.
> Use security manager.
>
And run tomcat within a a dedicated account having limited access to
system. (Like is done for apache servers if you do not want your users
to mess everything using CGI scripts)
Also, if you are under a unix environment, a chroot jail is a very
powerful tool.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Stephan Schöffel wrote:
> if someone is able to put a war file into the tomcat installed to your
> computer he can do probably anything he wants to your computer.
Use security manager.
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: disable war deployment
Posted by David Delbecq <de...@oma.be>.
What is your juridic requirement exactly? That owner can not inject code
in your webapp?
En l'instant précis du 01/03/07 14:04, Stephan Schöffel s'exprimait dans
toute sa noblesse:
> i know this solution is anything but not secure. but the main point
> iin doing this is a juristic question. if someone is able to put a war
> file into the tomcat installed to your computer he can do probably
> anything he wants to your computer. but if he is able to do so, this
> security break is not the concern of me anymore, but the user's of
> this machine.
>
>
> Gregor Schneider wrote:
>
>> Hi Stephan,
>>
>> well, that's awkward.
>>
>> Even if you are able to disable automatic deployment, anybody knowing
>> his ways around Tomcat will be able to change the settings again thus
>> make Tomcat load the other apps :(
>>
>> my idea would be to write a valve checking which apps are installed:
>> If any other then your delivered apps are installed, Tomcat is
>> forwarding the request to a customized error-page.
>>
>> however, even this solution will not prevent anybody from tampering.
>>
>> HTH
>>
>> Greg
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Stephan Schöffel <st...@gmx.net>.
i know this solution is anything but not secure. but the main point iin
doing this is a juristic question. if someone is able to put a war file
into the tomcat installed to your computer he can do probably anything
he wants to your computer. but if he is able to do so, this security
break is not the concern of me anymore, but the user's of this machine.
Gregor Schneider wrote:
> Hi Stephan,
>
> well, that's awkward.
>
> Even if you are able to disable automatic deployment, anybody knowing
> his ways around Tomcat will be able to change the settings again thus
> make Tomcat load the other apps :(
>
> my idea would be to write a valve checking which apps are installed:
> If any other then your delivered apps are installed, Tomcat is
> forwarding the request to a customized error-page.
>
> however, even this solution will not prevent anybody from tampering.
>
> HTH
>
> Greg
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Stephan,
well, that's awkward.
Even if you are able to disable automatic deployment, anybody knowing
his ways around Tomcat will be able to change the settings again thus
make Tomcat load the other apps :(
my idea would be to write a valve checking which apps are installed:
If any other then your delivered apps are installed, Tomcat is
forwarding the request to a customized error-page.
however, even this solution will not prevent anybody from tampering.
HTH
Greg
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Stephan Schöffel <st...@gmx.net>.
that is another problem: i dont want to do that, i have to do that. as a
requirement by my employer. the idea of not running other apps in my
tomcat has juristic backgound...
Mikolaj Rydzewski wrote:
> Stephan Schöffel wrote:
>
>> the problem is easy: i have to distribute the tomcat with
>> preinstalled apps. i havae to make sure the tomcat only loads apps
>> that i delivered with it. now im trying to delete all ways loading
>> apps. only apps in dir-structures should be loaded (ie with the
>> deployDirectory() method, which i altered to verify the apps).
>
> Why do you want to do this? You distribute your app bundled with
> tomcat. It works for sure ;-) Why do you want to prevent running other
> apps withing the same tomcat? You can always put a sentence in
> readme/license file that you don't support modified installations, etc.
>
> Have you tried to run embedded tomcat version? You can deploy an app
> using API, by hand.
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Stephan Schöffel wrote:
> the problem is easy: i have to distribute the tomcat with preinstalled
> apps. i havae to make sure the tomcat only loads apps that i delivered
> with it. now im trying to delete all ways loading apps. only apps in
> dir-structures should be loaded (ie with the deployDirectory() method,
> which i altered to verify the apps).
Why do you want to do this? You distribute your app bundled with tomcat.
It works for sure ;-) Why do you want to prevent running other apps
withing the same tomcat? You can always put a sentence in readme/license
file that you don't support modified installations, etc.
Have you tried to run embedded tomcat version? You can deploy an app
using API, by hand.
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: disable war deployment
Posted by Stephan Schöffel <st...@gmx.net>.
the problem is easy: i have to distribute the tomcat with preinstalled
apps. i havae to make sure the tomcat only loads apps that i delivered
with it. now im trying to delete all ways loading apps. only apps in
dir-structures should be loaded (ie with the deployDirectory() method,
which i altered to verify the apps).
Gregor Schneider wrote:
> Hi Stephan,
>
> the real question here is: what do you want to achieve?
>
> I'm afraid you try to put the cart before the horse....
>
> My guess is that you should take a look at what David wrote: Use your
> OS to prevent unauthorized access to your file-system.
>
> So I suggest you're letting us know what your exact problem is / what
> you'd like to achieve, name the OS and maybe we can find an
> appropriate solution for you.
>
> Cheers
>
> Greg
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Stephan,
the real question here is: what do you want to achieve?
I'm afraid you try to put the cart before the horse....
My guess is that you should take a look at what David wrote: Use your
OS to prevent unauthorized access to your file-system.
So I suggest you're letting us know what your exact problem is / what
you'd like to achieve, name the OS and maybe we can find an
appropriate solution for you.
Cheers
Greg
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Stephan Schöffel <st...@gmx.net>.
i had a look at those already and tried out different combinations. yet
there is no way (obvious to me) to prevent tomcat from starting war
files. i could use the deployOnStartup attribute but then i would
prevent tomcat from starting apps that are not packed in a war, too. i
had to start them all manually which is impossible.
i guess it would be easiest to use the deployXML flag (since this set to
false for my concerns) in the deployWar() method as well.
David Delbecq wrote:
>See http://tomcat.apache.org/tomcat-5.5-doc/config/host.html, the
>deployOnStartup, autoDeploy and deployXML properties are probably what
>you need to play with.
>
>En l'instant précis du 01/03/07 12:01, Stephan Schöffel s'exprimait dans
>toute sa noblesse:
>
>
>>i do need the write access to the tomcat dirs. but i need tomcat to
>>not start apps i dont want it to.
>>
>>
>>David Delbecq wrote:
>>
>>
>>
>>>Is the purpose to prevent users having access to file system from adding
>>>wars to tomcat? If yes, just use the OS to forbid write access to
>>>appBase for any user and also protect work directory from all users but
>>>tomcat.
>>>
>>>En l'instant précis du 01/03/07 11:22, Stephan Schöffel s'exprimait dans
>>>toute sa noblesse:
>>>
>>>
>>>
>>>
>>>>hi,
>>>>
>>>>is there a way to disable deployment of war files dropped into the
>>>>appBase? i dont mean the autoDeploy attribute. i need tomcat to not
>>>>deploy any war files at all...
>>>>
>>>>gtx
>>>>stephan
>>>>
>>>>---------------------------------------------------------------------
>>>>To start a new topic, e-mail: users@tomcat.apache.org
>>>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>For additional commands, e-mail: users-help@tomcat.apache.org
>>>>
>>>>
>>>>
>>>>
>>>---------------------------------------------------------------------
>>>To start a new topic, e-mail: users@tomcat.apache.org
>>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>>
>>>
>>>
>>---------------------------------------------------------------------
>>To start a new topic, e-mail: users@tomcat.apache.org
>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To start a new topic, e-mail: users@tomcat.apache.org
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by David Delbecq <de...@oma.be>.
See http://tomcat.apache.org/tomcat-5.5-doc/config/host.html, the
deployOnStartup, autoDeploy and deployXML properties are probably what
you need to play with.
En l'instant précis du 01/03/07 12:01, Stephan Schöffel s'exprimait dans
toute sa noblesse:
> i do need the write access to the tomcat dirs. but i need tomcat to
> not start apps i dont want it to.
>
>
> David Delbecq wrote:
>
>> Is the purpose to prevent users having access to file system from adding
>> wars to tomcat? If yes, just use the OS to forbid write access to
>> appBase for any user and also protect work directory from all users but
>> tomcat.
>>
>> En l'instant précis du 01/03/07 11:22, Stephan Schöffel s'exprimait dans
>> toute sa noblesse:
>>
>>
>>> hi,
>>>
>>> is there a way to disable deployment of war files dropped into the
>>> appBase? i dont mean the autoDeploy attribute. i need tomcat to not
>>> deploy any war files at all...
>>>
>>> gtx
>>> stephan
>>>
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by Stephan Schöffel <st...@gmx.net>.
i do need the write access to the tomcat dirs. but i need tomcat to not
start apps i dont want it to.
David Delbecq wrote:
>Is the purpose to prevent users having access to file system from adding
>wars to tomcat? If yes, just use the OS to forbid write access to
>appBase for any user and also protect work directory from all users but
>tomcat.
>
>En l'instant précis du 01/03/07 11:22, Stephan Schöffel s'exprimait dans
>toute sa noblesse:
>
>
>>hi,
>>
>>is there a way to disable deployment of war files dropped into the
>>appBase? i dont mean the autoDeploy attribute. i need tomcat to not
>>deploy any war files at all...
>>
>>gtx
>>stephan
>>
>>---------------------------------------------------------------------
>>To start a new topic, e-mail: users@tomcat.apache.org
>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>
>
>---------------------------------------------------------------------
>To start a new topic, e-mail: users@tomcat.apache.org
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: disable war deployment
Posted by David Delbecq <de...@oma.be>.
Is the purpose to prevent users having access to file system from adding
wars to tomcat? If yes, just use the OS to forbid write access to
appBase for any user and also protect work directory from all users but
tomcat.
En l'instant précis du 01/03/07 11:22, Stephan Schöffel s'exprimait dans
toute sa noblesse:
> hi,
>
> is there a way to disable deployment of war files dropped into the
> appBase? i dont mean the autoDeploy attribute. i need tomcat to not
> deploy any war files at all...
>
> gtx
> stephan
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org