On Sat, 15 Mar 2008 Dan Stromberg wrote:

 > Aside from the relative-untestedness of hanging Lenya 2.0 off of Tomcat, 
 > are there other pluses or minuses to using a standalone (built in jetty) 
 > or tomcat configuration of Lenya 2.0?

If you're concerned about web application security, you might want to run lenya 
in its own process, hence use the standalone jetty.

There is tomcat's security manager, but I found it nearly impossible to use 
together with lenya (1.2). The problem is that you have to explicitly write 
down access rules for every single access outside the "sandbox". Some of these 
are obvious (like write access to the publication and cache subtrees), others 
less so (e.g. java.util.PropertyPermission and java.lang.RuntimePermission).

I couldn't find a way to get a trace of every such access without tomcat 
throwing security exceptions. So I went through a modify-restart-exception 
cycle repeatedly until I decided that it's not worth the effort and switched 
off the security manager.

If someone is interested, I can produce the catalina policy rules I made, but 
beware that they are incomplete.

 Rainer
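
Added example, not part of the original message and not Lenya or Tomcat code: a small script that turns the `AccessControlException` lines collected during one modify-restart-exception pass into candidate policy entries. The log lines, the paths and the `codeBase` value are constructed placeholders, and the two "access denied" message layouts it accepts (bare fields and quoted fields) are assumptions about the JRE's wording.

```python
import re

# Permission classes whose denial message ends with an actions field.
WITH_ACTIONS = {"java.io.FilePermission", "java.util.PropertyPermission",
                "java.net.SocketPermission"}
DENIED = re.compile(r'access denied \((.*)\)\s*$')

def parse_denial(line):
    """Return (permission class, target, actions) or None for other lines."""
    m = DENIED.search(line)
    if not m:
        return None
    body = m.group(1).strip()
    quoted = re.findall(r'"([^"]*)"', body)
    if quoted:  # newer JREs quote each field: "class" "target" "actions"
        cls, target, actions = (quoted + ["", ""])[:3]
        return cls, target, actions
    cls, _, rest = body.partition(" ")  # older JREs print the fields bare
    if cls in WITH_ACTIONS and " " in rest:
        target, actions = rest.rsplit(" ", 1)
    else:
        target, actions = rest, ""
    return cls, target, actions

def policy_block(log_lines, code_base):
    """Build one grant block with a deduplicated, sorted rule per denial."""
    rules = set()
    for line in log_lines:
        parsed = parse_denial(line)
        if parsed is None:
            continue
        cls, target, actions = parsed
        target = target.replace("\\", "\\\\").replace('"', '\\"')
        rule = f'    permission {cls} "{target}"'
        rules.add(rule + (f', "{actions}";' if actions else ";"))
    return "\n".join([f'grant codeBase "{code_base}" {{', *sorted(rules), "};"])

# Constructed sample log; the paths and the codeBase are placeholders.
SAMPLE_LOG = [
    "java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)",
    "Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)",
    'java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/lenya/pubs/default/content/index.xml" "write")',
    "java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)",
    "INFO: Server startup in 4211 ms",
]
CODE_BASE = "file:${catalina.home}/webapps/lenya/-"

if __name__ == "__main__":
    print(policy_block(SAMPLE_LOG, CODE_BASE))
```

A denial only records what the code attempted, so each generated line is a candidate to review and narrow before it goes into the policy file, not a rule to paste in unchanged.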
