My 2 cent below
Baron Von Awsm wrote:
Our web app may be deployed to a Tomcat version 6 or higher, hence Java
version 5 or higher. It may be deployed to a Tomcat running on a
Windows-derivative OS or Unix-derivative OS.
We have a requirement that can be stated as follows,
* The web app needs to be able to read from and write to a directory that
is external to the webapp's own docBase and directory structure.
If there is no Java Security Manager in effect, a webapp can do whatever it wants, subject
to the restrictions of access determined by the user-id under which it runs (the Tomcat
user-id) and the permissions on the filesystem.
* The write access needs to be unrestricted in that the web app will need
to create, modify and delete files and directories within the directory
(but not be able to delete the directory itself).
See the above paragraph.
* The directory needs to be a member of the webapp's classpath.
Meaning, I suppose, the classpath of the JVM running Tomcat ?
(but I don't really understand what you mean or what your needs are in terms of that
"classpath" you are talking about. Do you really mean, in essence, that others will be
putting classes there, that need to be loaded and run by your webapp ?).
* The directory contents must not be accessible via any url that can be
directed at the webapp.
It would not be, if it is not under the Tomcat appBase.
Unless you provide yourself some sneaky back-way to access them (like symlinks to it, from
your webapp directory).
(The external directory cannot be considered to be
owned by the webapp. Other applications (not web applicaitons) own (in the
logical sense) the directory. These applications write information to and
read information from this directory.
All irrelevant to the above, I think.
I need my web app to be a consumer
and publisher of informoration in this directory without exposing any
directory contents via a url).
See above.
We're developing on Windows 7. In the development environment, we're simply
placing the path to the external directory in the webapp's classpath in the
web app's Tomcat context file. We're running Tomcat without the -security
option and all works well. With the -security option, as expected, the
webapp no longer has the permissions needed to read and write against the
external directory with File operations.
What do we need to do to configure Tomcat (running with the -security
option) to allow us the access we're after to the external directory?
Provide the appropriate rules to allow your webapp to read and write there.
I believe that there are examples in the standard catalina.policy file that comes with
Tomcat. Note that this is a "Java thing", not specific to Tomcat.
Note: the Java Security Manager esentially provides a set of "fences" which limit what the
webapp can do. If you write the webapps yourself, it protects you against your own
mistakes in your own code. If you allow other people to load webapps to your system, it
protects you against what their code can do.
Of course this has a price in terms of overhead, beause once it is enabled, it has to
check and filter every access to anything.
Note : in my own humble opinion, with the tone you are using and the kind of questions you
are asking, you are walking just on the fine line that separates the kind of thing for
which people here will be willing to help you, and the kind of thing for which they would
send you back to Googling for yourself.
Do not forget that this is a mailing list manned by volunteers, with the objective of
helping people who want to use Tomcat. It is not a free resource to do your work for you.
There exist paid consultants for that.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
