I think that would be a container-specific concern, but I honestly don't know enough to comment further. You might want to explore the option of segregating Stanbol into its own container, although I realize that would mean extra overhead.
--- A. Soroka The University of Virginia Library On Sep 8, 2014, at 11:27 AM, Luyi Wang <wangl...@guitarca.com> wrote: > yeah. > > only for stanbol. The permission granted right now are available for whole > site. > > > On Mon, Sep 8, 2014 at 8:14 AM, aj...@virginia.edu <aj...@virginia.edu> > wrote: > >> Do you mean giving only permissions to actions originating in the Stanbol >> webapp and not to actions originating in other webapps deployed in your web >> container? >> >> --- >> A. Soroka >> The University of Virginia Library >> >> On Sep 8, 2014, at 11:11 AM, Luyi Wang <wangl...@guitarca.com> wrote: >> >>> Does anyone have some idea on giving only codebase permission? >>> >>> On Sun, Sep 7, 2014 at 4:07 AM, aj...@virginia.edu <aj...@virginia.edu> >>> wrote: >>> >>>> Another approach here is to move the Stanbol home _out_ of the directory >>>> of your web container. I think that's a little clearer and safer, and >>>> that's how I run Stanbol as a web app. You can do that with an init >> param >>>> in the Stanbol web application's web.xml file, with an element like >> this: >>>> >>>> </init-param> >>>> <init-param> <!-- the default sling.home is set to >> stanbol >>>> --> >>>> <param-name>sling.home</param-name> >>>> <param-value>/my/directory/for/stanbol</param-value> >>>> </init-param> >>>> >>>> And of course you must give the Tomcat user rights to content under that >>>> directory. >>>> >>>> --- >>>> A. Soroka >>>> The University of Virginia Library >>>> >>>> On Sep 7, 2014, at 1:08 AM, Luyi Wang <wangl...@guitarca.com> wrote: >>>> >>>>> Hi all: >>>>> >>>>> Would like to share my experience on deploying stanbol war file to >>>> tomcat7 >>>>> on ubuntu 14.04 >>>>> >>>>> After the full build by following instruction upon >>>>> http://stanbol.apache.org/docs/trunk/tutorial.html >>>>> >>>>> I got the stanbol.war file deployed on tomcat7 but it kept reporting >>>> error >>>>> for resource not available as Apache Sling is starting. I checked the >>>>> access log and found stanbol (actually sling) failed in creating a >> folder >>>>> under tomcat folder instead of tomcat webapps folder. An easy hack way >> is >>>>> to create a folder named "stanbol" with tomcat7 user/group access >> under >>>>> your $CATALINA_BASE folder and restart tomcat7. Then everything is fine >>>>> except the the link "system/console" would be broken by default >> setting. >>>>> >>>>> The broken link reporting permission error. To solve this, need to edit >>>> two >>>>> parts. >>>>> 1. add permission into your tomcat policy configuration which is under >>>>> /etc/tomcat7/policy.d folder. You can choose one to edit since later >> on >>>>> they all compile to be one file as $CATALINA_BASE/work/catalina.policy >>>>> (/var/lib/tomcat7/work/catalina.policy) >>>>> >>>>> The hack way is to grant permission with careless. >>>>> >>>>> grant { >>>>> permission java.security.AllPermission; >>>>> }; >>>>> >>>>> >>>>> I tried to make it more robust by adding permission only for stanbol >>>>> codebase however I failed to make it work. If anyone knows how to do , >>>> let >>>>> me know. >>>>> >>>>> After that , need to change the tomcat init script in >> /etc/init.d/tomcat >>>>> Line 98 to yes. >>>>> >>>>> TOMCAT7_SECURITY=yes >>>>> >>>>> >>>>> After all these, every component would work but we need to alter the >>>> tomcat >>>>> application memory size. >>>>> >>>>> vi /etc/default/tomcat7 >>>>> >>>>> change the JAVA_OPTS line. >>>>> >>>>> JAVA_OPTS="-Djava.awt.headless=true -Xmx1g -XX:MaxPermSize=256m >>>>> -XX:+UseConcMarkSweepGC" >>>>> >>>>> Then restart tomcat7. >>>>> >>>>> >>>>> Hope this would help people. >>>>> >>>>> Thanks. >>>>> >>>>> -Luyi. >>>> >>>> >> >>
