The permission denied can be generated in one of two ways.
First, the catalina.policy file must grant the correct FilePermission.
Even if the correct FilePermission is granted in catalina.policy, you
still have to comply with normal unix file ownership/permissions.
If it is a catalina.policy configuration issue, try defining the following
property when starting tomcat:
-Djava.security.debug=access,failure
Then review the logs for the failed file permission and look at what CodeBase
is identified as failing for the FilePermission.
Regards,
Glenn
Presenting "Tomcat Server and Application Security" session at
ApacheCon 2002, Las Vegas, NV Nov 18-21.
Pat Schaider wrote:
> Hello all --
>
> I have a configuration problem on my setup of Tomcat (v 4.0.3). I am
> managing this machine for my university's CS department, so there are
> issues of security that must be followed, namely that students should
> not be able to view each other's source code (== cheating). We are using
> the security manager to enforce this (so one context cannot open files
> in another).
>
> Less than 5% of the pages on the system are static, so we are using
> Tomcat in standalone mode on a Linux system. We have made contexts for
> each user so that we can override the location of home directories, log
> files, etc. Note that students do not have logins on this machine;
> their Tomcat-related files are exported to student use machines. See
> the bottom of this email for pertinent config info.
>
> The server starts up correctly (./startup.sh -security) and deploys and
> serves the webapps fine. But here's the problem: when a user decides to
> make a new jsp file, Tomcat cannot compile or process that new file.
> The old files in the directory still display properly; Tomcat gives a
> Permission Denied error citing the working directory version of the new
> file in question.
>
> -> message
>
> /usr/local/jakarta-tomcat-4.0.3/work/localhost/user/tomcat/webapps/jsp/graderFiles/graderC$jsp.java
> (Permission denied)
>
> Here's some site-specific config info that will be useful.
> Tomcat version: 4.0.3 Standalone from binaries
> There are about 250 contexts that get loaded when the server starts. A
> `ps aux` listing shows about 500 processes associated with Tomcat
> running. The machine is a P3-800 with 512 MB of memory, and does not
> have any other heavy services running on it, so Tomcat has full run of
> the box. If you need more info for diagnosis, email me and I will
> provide it.
>
> Does anyone have experience setting up a system along these lines? I
> realize it's probably an extension of what Tomcat is supposed to be used
> for with all the different contexts, but there has to be a way! Any
> help is appreciated.
>
> server.xml without comments
> ===========================
> <Server port="8005" shutdown="SHUTDOWN" debug="0">
>   <Service name="Tomcat-Standalone">
>     <Connector
>         className="org.apache.catalina.connector.http.HttpConnector"
>         port="8080" minProcessors="5" maxProcessors="75"
>         enableLookups="true" redirectPort="8443"
>         acceptCount="10" debug="0" connectionTimeout="60000"/>
>
>     <Engine name="Standalone" defaultHost="localhost" debug="0">
>
>       <Logger className="org.apache.catalina.logger.FileLogger"
>               prefix="catalina_log." suffix=".txt"
>               timestamp="true"/>
>
>       <Host name="localhost" debug="0" appBase="webapps"
>             unpackWARs="true">
>
>         <!-- user1 -->
>         <Context path="/user1" docBase="/tomcat/user1"
>                  debug="0" reloadable="true" crossContext="false">
>         </Context>
>         <!-- user2 -->
>         <Context path="/user2" docBase="/tomcat/user2"
>                  debug="0" reloadable="true" crossContext="false">
>         </Context>
>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
> ===========================
>
> Thanks in advance for any help you can provide. Apologies for the
> lengthy email.
>
> Pat Schaider
> doctor {at} wt {dot} net
>
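An added example, not from either message in this thread: a small Java checker that encodes candidate catalina.policy FilePermission grants as java.io.FilePermission objects and asks whether each one would cover the write that failed on the work-directory path quoted above. The per-context work directory and the grant targets are assumptions for illustration; the failed path is the one from the error message.

```java
import java.io.FilePermission;
import java.security.Permission;

// Hypothetical checker: mirrors the implies() test the security manager
// performs when a grant from catalina.policy is matched against an access.
public class PolicyCoverageCheck {

    // The access that failed in the report: Jasper writing the generated
    // servlet source into the context's work directory.
    static final String FAILED_PATH =
        "/usr/local/jakarta-tomcat-4.0.3/work/localhost/user/tomcat/webapps/jsp/graderFiles/graderC$jsp.java";

    // Assumed per-context work directory for the context in question.
    static final String WORK_DIR = "/usr/local/jakarta-tomcat-4.0.3/work/localhost/user";

    /** True if a grant of (target, actions) covers the requested access on path. */
    static boolean covers(String target, String actions, String path, String requested) {
        Permission granted = new FilePermission(target, actions);
        Permission needed  = new FilePermission(path, requested);
        return granted.implies(needed);
    }

    public static void main(String[] args) {
        // "dir/*" matches only files directly inside dir, so a generated
        // servlet several directories deeper is not covered by this form.
        System.out.println("work/* read,write      -> "
            + covers(WORK_DIR + "/*", "read,write", FAILED_PATH, "write"));

        // "dir/-" matches the whole subtree, which is what the JSP compiler
        // needs for a per-context work directory.
        System.out.println("work/- read,write,del  -> "
            + covers(WORK_DIR + "/-", "read,write,delete", FAILED_PATH, "write"));

        // Actions are checked as well as the path: a read-only grant does
        // not satisfy a write.
        System.out.println("work/- read only       -> "
            + covers(WORK_DIR + "/-", "read", FAILED_PATH, "write"));

        // Isolation between contexts: a grant on user's tree must not reach
        // a sibling context's work directory (assumed path for a second user).
        String otherContextFile =
            "/usr/local/jakarta-tomcat-4.0.3/work/localhost/user2/jsp/x$jsp.java";
        System.out.println("work/- vs other context -> "
            + covers(WORK_DIR + "/-", "read,write,delete", otherContextFile, "read"));
    }
}
```

Run it with the same paths that appear in the access-denied line from -Djava.security.debug=access,failure to see which grant form the failing CodeBase actually needs.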