While trying to configure Tomcat and Apache for Virtual Hosting customers, I found Glen Nielson's post from the tomcat-users list archives and wanted to say thanks a ton - it has been invaluable!
Of course our configuration doesn't match that one exactly and I can't seem to get past one hurdle - deploying the manager app safely to a customer. I'm sure it's a config issue and I'll try to explain briefly.

I have noticed that a customer who has the manager app deployed can install a web app that is not in his own appBase directory if he knows where the sources (war or directory) are. For example, a customer can log into the manager webapp and submit a URL such as http://customerdomain.com/manager/install?path=/webdav&war=file:/path/to/webdav and it works, even though he shouldn't have access to the webdav directory (and doesn't) from a regular telnet session. I don't care about webdav per se but certainly don't want CustomerA to be able to install and run CustomerB's webapp without permission.

We run tomcat with its own id and have (I think) set up the file permissions properly. I suspected the Realm at one point but the customer account has its own realm that it seems to be using properly. I'd be happy to send more specific config info if necessary.

Any help would be greatly appreciated - I must admit that I'm stumped on this one.

Daniel F. Dugal, Jr.
AFFINA - The Customer Relationship Company
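
Added example, not part of the original message and not Tomcat code: a check that the `war` value of a manager `install` request resolves inside the requesting virtual host's appBase, usable in a front-end filter or when reviewing access logs. The `APP_BASES` mapping, its directory and the function names are assumptions for illustration; handling the `jar:file:...!/` form goes beyond the single `file:` case shown in the message.

```python
import os
from urllib.parse import urlsplit, parse_qs

# Constructed mapping of virtual host -> appBase (assumed layout, not from the message).
APP_BASES = {"customerdomain.com": "/home/customer/webapps"}

def war_to_path(war):
    """Return the local path a manager 'war' value names, or None if not a file URL."""
    if war.startswith("jar:"):              # jar:file:/dir/app.war!/ form
        war = war[4:].split("!", 1)[0]
    parts = urlsplit(war)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return None
    return parts.path

def inside(app_base, path):
    """True if path stays under app_base once '..' and symlinks are resolved."""
    base = os.path.realpath(app_base)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base

def check_install(host, request_uri):
    """Classify one request sent to a virtual host's manager webapp."""
    parts = urlsplit(request_uri)
    if not parts.path.endswith("/manager/install"):
        return "not-install"
    app_base = APP_BASES.get(host.lower())
    if app_base is None:
        return "unknown-host"
    war = parse_qs(parts.query).get("war", [""])[0]
    path = war_to_path(war)
    if path is None:
        return "no-local-war"
    return "ok" if inside(app_base, path) else "outside-appbase"

if __name__ == "__main__":
    # Constructed sample requests; the first mirrors the URL in the message.
    samples = [
        "/manager/install?path=/webdav&war=file:/path/to/webdav",
        "/manager/install?path=/shop&war=file:/home/customer/webapps/shop",
        "/manager/install?path=/x&war=jar:file:/home/customer/webapps/../../other/x.war!/",
    ]
    for uri in samples:
        print(check_install("customerdomain.com", uri), uri)
```

The comparison is made on resolved paths because the manager webapp opens the source with the Tomcat process's own account, so the customer's shell-level file permissions do not limit what it can read.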