With the users: I thought of this strategy (one user for both), too. Then one must be able to log in or "su" to the apache-user to start tomcat, which I disallowed (book-advice ;-) by now. Or is there a way to let apache start tomcat?

> Could you clarify?

I hardly have any JSPs by now. We unfortunately have a directory with needed files outside WEB-INF, which I will change.
The other thing I meant was that I find it difficult to write the [uri:] directives when Cocoon-Apps are involved - I think I would have to adapt the URIs used in cocoon-pipelines (and the directory structure) to the apache+tomcat task, too, they almost never have to do anything with the filesystem.

Sonja

On Tue, 2003-09-02 at 14:50, John Turner wrote:
> Could you clarify?
>
> If you are using Apache, and you have *.jsp mapped correctly, your
> "programming resources" won't be shown to the world.
>
> Since all servlets are under WEB-INF, all you have to be concerned about
> are JSP. Properties files, etc. go under WEB-INF, as well. Application
> architecture best practices says don't put anything critical in a JSP,
> so what's the big risk?
>
> Going back to your earlier question, I simply set up a certain user
> account for both Apache and Tomcat. "webuser" or whatever. That user
> has restricted permissions and is a member of its own group (also
> "webuser" or whatever). Apache and Tomcat run as this user. Since
> developers should never have access to the command line on a production
> server, there's no problem.
>
> John
>
> Sonja Löhr wrote:
>
> > You are very right in that my greatest problem is to work out a pattern
> > where to find the "static content" hides that Apache could perhaps serve a
> > bit faster. Unfortunately, I can't tell Apache to serve ".gif" etc. but
> > must come the other way round, perhaps ending up with URLs to single
> > servlets.
> > Many people cite security-reasons for the integration of the two, but all
> > I've been bothered up to now is how to prevent Apache to show my programming
> > resources to the world (those unfortunately not located in WEB-INF).
> >
> > I'll be thinking about doing it separately, you really calmed me down :-)
> > thanks very much
> > Sonja
> >
> > ----- Original Message -----
> > From: "Eric J. Pinnell" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Monday, September 01, 2003 4:28 PM
> > Subject: Re: permissions for Tomcat+Apache integration
> >
> > Hi,
> >
> > The question is do you need to secure your application from the outside
> > world or do you need to secure it from users that might be logging on to
> > your system? Or both?
> >
> > Usually you want to go with the "both" scenario.
> >
> > But to keep it simple, pick a user that you want tomcat to run as. Untar
> > Tomcat and chown -R tomcat jakarta-4.x.x (if the user is named "tomcat"
> > which isn't a bad name for the Tomcat user ;)
> >
> > Then just run it. It will be ok just like that. If you are running
> > Tomcat and Apache on the same machine really look at why you are running
> > Apache at all. It's a popular misconception that you _must_ run Apache in
> > front of Tomcat. That couldn't be more wrong. Running Tomcat alone will
> > save you the hassle of Apache and the connectors. However you do need to
> > run Apache if you are going to use load balancing and the apache
> > modules. However most times people just have Apache pipe everything back
> > to Tomcat. In this case you don't need Apache at all.
> >
> > -e
> >
> > On Mon, 1 Sep 2003, Sonja Löhr wrote:
> >
> >>Hello!
> >>
> >>Here is my second question, now concerning Apache+Tomcat integration on
> >>Linux:
> >>Could someone tell me a reasonable users, groups and file permissions
> >>structure for apache, the tomcat-files itself and a typical webapp? - Java
> >>security aside.
> >>
> >>1. Is it a good idea at all to place the webapps under apache's document
> >>root, having to care about all WEB-INF and other sensible directories with
> >>"deny from all" ?
> >>
> >>2. Which account in which group?
> >>Apache needs access to static files somewhere in the webapp. (Which may be
> >>very dispersed f.e. in case of cocoon).
> >> If a "tomcat" user and the "apache" user account are in the same group with
> >>restricted permissions, I can't assign permissions to a group of developers,
> >>just another owner (me ;-). Ok, may it be. Additionally, if tomcat unpacks
> >>war files, all resulting directories are owned by tomcat alone. So should I
> >>put the "apache" user into the "tomcat" group?
> >>
> >>3. How paranoid must I be about tomcat-files (server-directory f.e)?
> >>Tomcat needs write access to some directories, but certainly I don't know
> >>all processes tomcat.
> >>
> >>You probably guess by now that I'm not grown up with Unix-systems.
> >>Spent my whole Sunday with chmod and chown, now I would be very happy if
> >>someone told me something SIMPLE :-)
> >>
> >>Thank you,
> >>Sonja

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
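
The permission questions raised in this thread (files outside WEB-INF that Apache could hand out, a group shared by the Apache and Tomcat accounts, directories created when Tomcat unpacks a WAR) can be checked with a small audit. This is an added example, not part of any message above; the static-file allow-list, the finding labels and the sample tree are assumptions, and the hardening step assumes the Apache account is a member of the group that owns the tree.

```shell
#!/bin/sh
# Added example, not from the thread. The static-file allow-list, the labels
# and the sample tree are assumptions made for illustration.

# audit_webapp ROOT: print one finding per line as "<LABEL> <path>".
audit_webapp() {
    (
        cd "$1" || exit 2
        # Non-static files outside WEB-INF/META-INF: Apache hands these out
        # verbatim when the webapp sits under its document root.
        find . \( -path ./WEB-INF -o -path ./META-INF \) -prune -o -type f \
            ! \( -name '*.gif' -o -name '*.jpg' -o -name '*.png' \
                 -o -name '*.css' -o -name '*.js' -o -name '*.html' \) \
            -print | sed 's/^/EXPOSED /'
        # World-writable entries anywhere in the tree.
        find . ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
        # WEB-INF content readable by "other": only the Tomcat account
        # (and at most a shared group) needs to read it.
        if [ -d WEB-INF ]; then
            find ./WEB-INF ! -type l -perm -004 -print | sed 's/^/OTHER-READABLE /'
        fi
    ) | sort
}

# harden_webapp ROOT: drop all "other" access and set the setgid bit on
# directories so files Tomcat unpacks later inherit the directory's group.
# Assumes the Apache account belongs to that group.
harden_webapp() {
    chmod -R o-rwx "$1" &&
    find "$1" -type d -exec chmod g+s {} +
}

# make_sample_tree DIR: constructed webapp with one misplaced properties
# file and one world-writable upload directory.
make_sample_tree() {
    mkdir -p "$1/WEB-INF/classes" "$1/conf" "$1/upload" &&
    : > "$1/index.html" && : > "$1/logo.gif" &&
    : > "$1/conf/db.properties" && : > "$1/WEB-INF/web.xml" &&
    chmod 755 "$1" "$1/WEB-INF" "$1/WEB-INF/classes" "$1/conf" &&
    chmod 644 "$1/index.html" "$1/logo.gif" "$1/conf/db.properties" \
              "$1/WEB-INF/web.xml" &&
    chmod 777 "$1/upload"
}
```

Changing the owning user or group of the tree (chown/chgrp) needs root and is left out; an EXPOSED finding is not fixed by permissions and goes away only when the file is moved under WEB-INF.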
