You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Baron Von Awsm <ba...@gmail.com> on 2012/11/25 02:17:24 UTC
Configuring access to an external directory
Our web app may be deployed to a Tomcat version 6 or higher, hence Java
version 5 or higher. It may be deployed to a Tomcat running on a
Windows-derivative OS or Unix-derivative OS.
We have a requirement that can be stated as follows,
* The web app needs to be able to read from and write to a directory that
is external to the webapp's own docBase and directory structure.
* The write access needs to be unrestricted in that the web app will need
to create, modify and delete files and directories within the directory
(but not be able to delete the directory itself).
* The directory needs to be a member of the webapp's classpath.
* The directory contents must not be accessible via any url that can be
directed at the webapp. (The external directory cannot be considered to be
owned by the webapp. Other applications (not web applicaitons) own (in the
logical sense) the directory. These applications write information to and
read information from this directory. I need my web app to be a consumer
and publisher of informoration in this directory without exposing any
directory contents via a url).
We're developing on Windows 7. In the development environment, we're simply
placing the path to the external directory in the webapp's classpath in the
web app's Tomcat context file. We're running Tomcat without the -security
option and all works well. With the -security option, as expected, the
webapp no longer has the permissions needed to read and write against the
external directory with File operations.
What do we need to do to configure Tomcat (running with the -security
option) to allow us the access we're after to the external directory?
Cheers,
Baron
AW: Configuring access to an external directory
Posted by Stadelmann Josef <jo...@axa-winterthur.ch>.
If your OS supports ACL's (Access Control Lists) then adding an ACE (Access Control Entry) to the ACL (Access Control List) of the directory, would tell the file system that the user i.e. WWW$APACHE (or how the account under which Tomcat works is called) has Read, Write, Execute access to the directory and all its file. This is what we do i.e. on OpenVMS. If your OS does not support ACL/ACE well, some other security management features would have to do it.
Josef
-----Ursprüngliche Nachricht-----
Von: André Warnier [mailto:aw@ice-sa.com]
Gesendet: Montag, 26. November 2012 00:03
An: Tomcat Users List
Betreff: Re: Configuring access to an external directory
Baron Von Awsm wrote:
> Andre
>
> Thanks very much for your reply.
>
> Given your reply, would this be an accurate answer to my original question?
>
> When Tomcat is run with the -security option, the Java Security
> Manager is in effect. From there, configuring the directory access you
> are after is a matter of configuring the Java Security Manager. For
> Tomcat, the Java Security Manager is configured via the
> catalina.policy file. From there, the answers to your questions are
> not really to do with Tomcat, but to do with understanding the Java Security Manager.
> <<<
>
> Would that be an accurate answer? I ask to gain clarity and for no
> other reason.
>
You can get more clarity, and a much more detailed overview in the Tomcat on-line documentation, at http://tomcat.apache.org/tomcat-7.0-doc/index.html
See item 7)
which perusal would have saved you much typing.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Configuring access to an external directory
Posted by André Warnier <aw...@ice-sa.com>.
Baron Von Awsm wrote:
> Andre
>
> Thanks very much for your reply.
>
> Given your reply, would this be an accurate answer to my original question?
>
> When Tomcat is run with the -security option, the Java Security Manager is
> in effect. From there, configuring the directory access you are after is a
> matter of configuring the Java Security Manager. For Tomcat, the Java
> Security Manager is configured via the catalina.policy file. From there,
> the answers to your questions are not really to do with Tomcat, but to do
> with understanding the Java Security Manager.
> <<<
>
> Would that be an accurate answer? I ask to gain clarity and for no other
> reason.
>
You can get more clarity, and a much more detailed overview in the Tomcat on-line
documentation, at http://tomcat.apache.org/tomcat-7.0-doc/index.html
See item 7)
which perusal would have saved you much typing.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Configuring access to an external directory
Posted by Baron Von Awsm <ba...@gmail.com>.
Andre
Thanks very much for your reply.
Given your reply, would this be an accurate answer to my original question?
>>>
When Tomcat is run with the -security option, the Java Security Manager is
in effect. From there, configuring the directory access you are after is a
matter of configuring the Java Security Manager. For Tomcat, the Java
Security Manager is configured via the catalina.policy file. From there,
the answers to your questions are not really to do with Tomcat, but to do
with understanding the Java Security Manager.
<<<
Would that be an accurate answer? I ask to gain clarity and for no other
reason.
Cheers,
Baron
On 25 November 2012 22:13, André Warnier <aw...@ice-sa.com> wrote:
> My 2 cent below
>
>
> Baron Von Awsm wrote:
>
>> Our web app may be deployed to a Tomcat version 6 or higher, hence Java
>> version 5 or higher. It may be deployed to a Tomcat running on a
>> Windows-derivative OS or Unix-derivative OS.
>>
>> We have a requirement that can be stated as follows,
>>
>> * The web app needs to be able to read from and write to a directory that
>> is external to the webapp's own docBase and directory structure.
>>
>
> If there is no Java Security Manager in effect, a webapp can do whatever
> it wants, subject to the restrictions of access determined by the user-id
> under which it runs (the Tomcat user-id) and the permissions on the
> filesystem.
>
>
> * The write access needs to be unrestricted in that the web app will need
>> to create, modify and delete files and directories within the directory
>> (but not be able to delete the directory itself).
>>
>
> See the above paragraph.
>
>
> * The directory needs to be a member of the webapp's classpath.
>>
>
> Meaning, I suppose, the classpath of the JVM running Tomcat ?
> (but I don't really understand what you mean or what your needs are in
> terms of that "classpath" you are talking about. Do you really mean, in
> essence, that others will be putting classes there, that need to be loaded
> and run by your webapp ?).
>
>
> * The directory contents must not be accessible via any url that can be
>> directed at the webapp.
>>
>
> It would not be, if it is not under the Tomcat appBase.
> Unless you provide yourself some sneaky back-way to access them (like
> symlinks to it, from your webapp directory).
>
>
> (The external directory cannot be considered to be
>
>> owned by the webapp. Other applications (not web applicaitons) own (in the
>> logical sense) the directory. These applications write information to and
>> read information from this directory.
>>
>
> All irrelevant to the above, I think.
>
>
> I need my web app to be a consumer
>
>> and publisher of informoration in this directory without exposing any
>> directory contents via a url).
>>
>
> See above.
>
>
>
>> We're developing on Windows 7. In the development environment, we're
>> simply
>> placing the path to the external directory in the webapp's classpath in
>> the
>> web app's Tomcat context file. We're running Tomcat without the -security
>> option and all works well. With the -security option, as expected, the
>> webapp no longer has the permissions needed to read and write against the
>> external directory with File operations.
>>
>> What do we need to do to configure Tomcat (running with the -security
>> option) to allow us the access we're after to the external directory?
>>
>>
> Provide the appropriate rules to allow your webapp to read and write there.
> I believe that there are examples in the standard catalina.policy file
> that comes with Tomcat. Note that this is a "Java thing", not specific to
> Tomcat.
>
> Note: the Java Security Manager esentially provides a set of "fences"
> which limit what the webapp can do. If you write the webapps yourself, it
> protects you against your own mistakes in your own code. If you allow
> other people to load webapps to your system, it protects you against what
> their code can do.
> Of course this has a price in terms of overhead, beause once it is
> enabled, it has to check and filter every access to anything.
>
> Note : in my own humble opinion, with the tone you are using and the kind
> of questions you are asking, you are walking just on the fine line that
> separates the kind of thing for which people here will be willing to help
> you, and the kind of thing for which they would send you back to Googling
> for yourself.
> Do not forget that this is a mailing list manned by volunteers, with the
> objective of helping people who want to use Tomcat. It is not a free
> resource to do your work for you.
> There exist paid consultants for that.
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.**apache.org<us...@tomcat.apache.org>
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Re: Configuring access to an external directory
Posted by André Warnier <aw...@ice-sa.com>.
My 2 cent below
Baron Von Awsm wrote:
> Our web app may be deployed to a Tomcat version 6 or higher, hence Java
> version 5 or higher. It may be deployed to a Tomcat running on a
> Windows-derivative OS or Unix-derivative OS.
>
> We have a requirement that can be stated as follows,
>
> * The web app needs to be able to read from and write to a directory that
> is external to the webapp's own docBase and directory structure.
If there is no Java Security Manager in effect, a webapp can do whatever it wants, subject
to the restrictions of access determined by the user-id under which it runs (the Tomcat
user-id) and the permissions on the filesystem.
> * The write access needs to be unrestricted in that the web app will need
> to create, modify and delete files and directories within the directory
> (but not be able to delete the directory itself).
See the above paragraph.
> * The directory needs to be a member of the webapp's classpath.
Meaning, I suppose, the classpath of the JVM running Tomcat ?
(but I don't really understand what you mean or what your needs are in terms of that
"classpath" you are talking about. Do you really mean, in essence, that others will be
putting classes there, that need to be loaded and run by your webapp ?).
> * The directory contents must not be accessible via any url that can be
> directed at the webapp.
It would not be, if it is not under the Tomcat appBase.
Unless you provide yourself some sneaky back-way to access them (like symlinks to it, from
your webapp directory).
(The external directory cannot be considered to be
> owned by the webapp. Other applications (not web applicaitons) own (in the
> logical sense) the directory. These applications write information to and
> read information from this directory.
All irrelevant to the above, I think.
I need my web app to be a consumer
> and publisher of informoration in this directory without exposing any
> directory contents via a url).
See above.
>
> We're developing on Windows 7. In the development environment, we're simply
> placing the path to the external directory in the webapp's classpath in the
> web app's Tomcat context file. We're running Tomcat without the -security
> option and all works well. With the -security option, as expected, the
> webapp no longer has the permissions needed to read and write against the
> external directory with File operations.
>
> What do we need to do to configure Tomcat (running with the -security
> option) to allow us the access we're after to the external directory?
>
Provide the appropriate rules to allow your webapp to read and write there.
I believe that there are examples in the standard catalina.policy file that comes with
Tomcat. Note that this is a "Java thing", not specific to Tomcat.
Note: the Java Security Manager esentially provides a set of "fences" which limit what the
webapp can do. If you write the webapps yourself, it protects you against your own
mistakes in your own code. If you allow other people to load webapps to your system, it
protects you against what their code can do.
Of course this has a price in terms of overhead, beause once it is enabled, it has to
check and filter every access to anything.
Note : in my own humble opinion, with the tone you are using and the kind of questions you
are asking, you are walking just on the fine line that separates the kind of thing for
which people here will be willing to help you, and the kind of thing for which they would
send you back to Googling for yourself.
Do not forget that this is a mailing list manned by volunteers, with the objective of
helping people who want to use Tomcat. It is not a free resource to do your work for you.
There exist paid consultants for that.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Configuring access to an external directory
Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dude,
On 11/24/12 8:17 PM, Baron Von Awsm wrote:
> We have a requirement that can be stated as follows,
>
> * The web app needs to be able to read from and write to a
> directory that is external to the webapp's own docBase and
> directory structure.
>
> * The write access needs to be unrestricted in that the web app
> will need to create, modify and delete files and directories within
> the directory (but not be able to delete the directory itself).
Your webapp can read from and write to any directory it can a)
reference and b) access via permissions. Tomcat does not directly
support or prohibit any of this. If you are using a SecurityManager
and Tomcat's catalina.policy file, then you you obviously have to
modify it accordingly.
> * The directory needs to be a member of the webapp's classpath.
This may be somewhat problematic. I would also argue that this is a
pretty large security hole, but that's for you to worry about. You can
specify the class loader used for your webapp (which you could write
yourself), and you can use virtual class loaders (provided by Tomcat),
etc. via configuration. Read the documentation for the <Loader>
component in the "configuration" section of the Tomcat users' guide.
> * The directory contents must not be accessible via any url that
> can be directed at the webapp.
No problem: just don't configure the DefaultServlet to give access to
this directory. Given the number of questions on this list about how
to configure the DS in this way, I suspect that *not* configuring DS
in this way isn't a problem.
> We're developing on Windows 7. In the development environment,
> we're simply placing the path to the external directory in the
> webapp's classpath in the web app's Tomcat context file.
Using <Parameter> or <Environment> or something similar? That seems
reasonable.
> We're running Tomcat without the -security option and all works
> well. With the -security option, as expected, the webapp no longer
> has the permissions needed to read and write against the external
> directory with File operations.
>
> What do we need to do to configure Tomcat (running with the
> -security option) to allow us the access we're after to the
> external directory?
catalina.policy
You can't configure class loading via catalina.policy -- that needs to
be done using <Context>/<Loader>.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with undefined - http://www.enigmail.net/
iEYEARECAAYFAlCzt+kACgkQ9CaO5/Lv0PCpegCfWmU8RZq2Xs1N3HgRuw/Qp6Cc
i24An0/y+oCM+6FqGlLR8OmEaV0ShCvH
=wUyY
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org