Posted to users@tomcat.apache.org by "Brian J. Sayatovic" <tr...@trinition.org> on 2005/03/24 02:38:31 UTC
How does Tomcat interact with filesystem file permissions
I'm curious to know how Tomcat interacts with file permissions in the
native filesystem. For example, I'm running Tomcat 5.5 on Windows XP
SP2 as a service under the Local System account. I'm also using Tagish
JAAS as a JAAS Realm so Tomcat can use my XP credentials.
I have my default context set to a directory with some static HTML
content. I also have folders in that directory that have restricted
permissions to certain groups I have defined in XP. However, just
hitting my website as an anonymous user, Tomcat willingly lets people
into those folders. Instead, I've had to put security constraints in my
web.xml listing the groups that I wanted the folders restricted to.
So is all file access from the DefaultServlet performed as the Local
System account?
Regards,
Brian.
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
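For readers who want to see the enforcement point Brian describes in concrete form, this is an added example (not from the thread) of the web.xml fragment that restricts one folder of the context to a role and uses BASIC authentication so the browser prompts for credentials. The path `/private/*` and the role name `IntranetUsers` are assumed placeholders; the realm that maps Windows groups to roles is configured separately in server.xml.

```xml
<!-- Added example, not from the thread. The DefaultServlet reads files
     with the service account's own token, so NTFS ACLs on a folder never
     restrict HTTP clients; this constraint is what actually gates them. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted folder</web-resource-name>
    <!-- assumed path inside the default context -->
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- assumed role name; must match what the realm reports -->
    <role-name>IntranetUsers</role-name>
  </auth-constraint>
</security-constraint>

<!-- "normal" authentication: the browser prompts, no login form needed -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat</realm-name>
</login-config>

<security-role>
  <role-name>IntranetUsers</role-name>
</security-role>
```

Note that url-pattern matching is case-sensitive while NTFS paths are not, so keep the Context's default `caseSensitive="true"` on Windows; Tomcat's own documentation warns that turning it off allows constraint bypass and source disclosure.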
Re: How does Tomcat interact with filesystem file permissions
Posted by "Brian J. Sayatovic" <tr...@trinition.org>.
Well, I can create a special "Tomcat Service" account, and then be
careful what groups I add it to, and make sure the Tomcat directory is
accessible to it. I'll also find the How To for running Tomcat as an NT
service again to see if they address this. And this isn't a
corporation, this is just for my own personal use (though that's still
not an excuse not to secure my own box!)
Regarding Tagish JAAS, this is the home page:
http://free.tagish.net/jaas/index.jsp
It's a bit out of support. I found it through Chris Maeda's article on
TheServerSide.com:
http://www.theserverside.com/blogs/printfriendly.tss?id=ServletApp
On Chris Maeda's Blog, there were plenty of feedback comments.
http://www.cmaeda.com/index.php?p=22
A lot of folks couldn't get it to work with Tomcat outside of form-based
authentication. I wanted to use normal authentication where the browser
just prompts you and was having Tomcat's JVM die without a record of the
cause! Eventually with some debug tracing and looking at source code, I
determined that the Win32 API call being used didn't like null (which
are the default credentials returned by Tomcat's JAAS module when there
is no authenticated user). So, I modified the Tagish JAAS source code
to simply throw an authentication-related exception when null was sent
to it.
So, now, Tagish JAAS is using XP for authentication!
Regards,
Brian.
Jason Bainbridge wrote:
>On Wed, 23 Mar 2005 20:38:31 -0500, Brian J. Sayatovic
><tr...@trinition.org> wrote:
>
>>So is all file access from the DefaultServlet performed as the Local
>>System account?
>
>Sure is, and running any service like Tomcat as LocalSystem is a bad
>idea; you should create either a domain or local account (some
>companies prefer domain accounts as it is "easier to manage") that
>only has the bare necessity of permissions to run Tomcat. I just went
>through this exercise myself and still need to document exactly what I
>did as I couldn't find any online resources about it.
>
>I have never used or heard of Tagish JAAS though, but that does sound
>like something that would be worthwhile looking into.
>
>Regards,
Re: How does Tomcat interact with filesystem file permissions
Posted by Jason Bainbridge <jb...@gmail.com>.
On Wed, 23 Mar 2005 20:38:31 -0500, Brian J. Sayatovic
<tr...@trinition.org> wrote:
> So is all file access from the DefaultServlet performed as the Local
> System account?
Sure is, and running any service like Tomcat as LocalSystem is a bad
idea; you should create either a domain or local account (some
companies prefer domain accounts as it is "easier to manage") that
only has the bare necessity of permissions to run Tomcat. I just went
through this exercise myself and still need to document exactly what I
did as I couldn't find any online resources about it.
I have never used or heard of Tagish JAAS though, but that does sound
like something that would be worthwhile looking into.
Regards,
--
Jason Bainbridge
http://kde.org - webmaster@kde.org
Personal Site - http://jasonbainbridge.com