How can we configure deployXML=true in security manager?

2014-08-14 Thread Utkarsh Dave
We upgraded from Tomcat 7.0.41 to Tomcat 7.0.53.
We are starting Tomcat with -security so as to enable the security manager.
I also see the changelog of 7.0.48 mentioning this change:
When running under a security manager, change the default value of the
Host's deployXML attribute to false.
(add) If a Host is configured with a value of false for deployXML, a web
application has an embedded descriptor at META-INF/context.xml and no
explicit descriptor has been defined for this application, do not allow the
application to start. The reason for this is that the embedded descriptor
may contain configuration necessary for secure operation such as a
RemoteAddrValve.


As a result many of the applications are not starting in my project.
How can we fix this?

-Thanks
Utkarsh


Re: How can we configure deployXML=true in security manager?

2014-08-14 Thread Daniel Mikusa
On Thu, Aug 14, 2014 at 6:39 AM, Utkarsh Dave utkarshkd...@gmail.com
wrote:

 We upgraded from Tomcat 7.0.41 to Tomcat 7.0.53.
 We are starting Tomcat with -security so as to enable the security manager.
 I also see the changelog of 7.0.48 mentioning this change:
 When running under a security manager, change the default value of the
 Host's deployXML attribute to false.
 (add) If a Host is configured with a value of false for deployXML, a web
 application has an embedded descriptor at META-INF/context.xml and no
 explicit descriptor has been defined for this application, do not allow the
 application to start. The reason for this is that the embedded descriptor
 may contain configuration necessary for secure operation such as a
 RemoteAddrValve.
 

 As a result many of the applications are not starting in my project.
 How can we fix this?


Don't rely on the contents of your application's META-INF/context.xml
files.  As the note you quoted mentions, when you set -security it is
going to set deployXML to false.  This is explained a bit more in the
docs for deployXML.

Set to false if you want to disable parsing the context XML descriptor
embedded inside the application (located at /META-INF/context.xml).
Security conscious environments should set this to false to prevent
applications from interacting with the container's configuration. The
administrator will then be responsible for providing an external context
configuration file, and putting it in the location defined by the xmlBase
attribute. If this flag is false, a descriptor is located at
/META-INF/context.xml and no descriptor is present in xmlBase then the
context will fail to start in case the descriptor contains necessary
configuration for secure deployment (such as a RemoteAddrValve) which
should not be ignored. The flag's value defaults to true unless a security
manager is enabled when the default is false.

To work around this just move all the necessary configuration that was in
/META-INF/context.xml into conf/Catalina/localhost/app.xml (i.e.
conf/service/host/app.xml).

Dan



 -Thanks
 Utkarsh
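Dan's workaround, as an added shell example that is not part of the thread: one function lists the exploded webapps that only carry an embedded META-INF/context.xml and so will refuse to start once deployXML is false, and a second copies such a descriptor to the external location conf/<engine>/<host>/<app>.xml. It assumes the default engine name "Catalina" and host "localhost", exploded webapps under $CATALINA_BASE/webapps, and that an existing external descriptor belongs to the administrator and is never overwritten.

```shell
# Added example (not from the thread). Assumes engine "Catalina" and host
# "localhost" unless told otherwise, and exploded webapps under BASE/webapps.

# Print the names of exploded webapps that have META-INF/context.xml but no
# BASE/conf/ENGINE/HOST/NAME.xml: exactly the apps Tomcat 7.0.48+ refuses to
# start when deployXML=false. Usage: audit_embedded_descriptors BASE [ENGINE] [HOST]
audit_embedded_descriptors() {
  base="$1"; engine="${2:-Catalina}"; host="${3:-localhost}"
  for dir in "$base"/webapps/*/; do
    [ -d "$dir" ] || continue
    name="$(basename "$dir")"   # "a#b" maps to /a/b and ROOT to /, as in Tomcat
    if [ -f "$dir/META-INF/context.xml" ] && \
       [ ! -f "$base/conf/$engine/$host/$name.xml" ]; then
      printf '%s\n' "$name"
    fi
  done
}

# Copy one app's embedded descriptor to the external location (xmlBase).
# Returns 1 if there is nothing to copy and 2 if an external descriptor already
# exists, so that a hand-maintained file is never silently replaced.
# Usage: externalize_context BASE NAME [ENGINE] [HOST]
externalize_context() {
  base="$1"; name="$2"; engine="${3:-Catalina}"; host="${4:-localhost}"
  embedded="$base/webapps/$name/META-INF/context.xml"
  xml_base="$base/conf/$engine/$host"
  if [ ! -f "$embedded" ]; then
    echo "no embedded descriptor for $name" >&2
    return 1
  fi
  if [ -f "$xml_base/$name.xml" ]; then
    echo "external descriptor already exists for $name; review it by hand" >&2
    return 2
  fi
  mkdir -p "$xml_base" && cp "$embedded" "$xml_base/$name.xml"
}
```

After copying, review the external file: it now carries the RemoteAddrValve or other access controls the changelog warns about, so it should be owned by the administrator rather than re-exported from the application.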