tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sonjalo...@t-online.de (Sonja Löhr)
Subject Re: permissions for Tomcat+Apache integration
Date Wed, 03 Sep 2003 06:43:55 GMT
With the users: I thought of this strategy (one usr for both), too. Then
one must be able to log-in or "su" to the apache-user to start tomcat,
which I disallowed (book-advice ;-) by now. Or is there a way let apache
start tomcat?

> Could you clarify?

I hardly have any JSPs by now.
We unfortunately have a directory with needed files outside WEB-INF,
which I will change. 
The other thing I meant was that I find it difficult to write the [uri:]
directives when Cocoon-Apps are involved - I think I would have to adopt
the URIs used in cocoon-pipelines (and the directory structure) to the
apache+tomcat task, too, they almost never have to do anything with the
filesystem.

Sonja




Am Die, 2003-09-02 um 14.50 schrieb John Turner:
> Could you clarify?
> 
> If you are using Apache, and you have *.jsp mapped correctly, your 
> "programming resources" won't be shown to the world.
> 
> Since all servlets are under WEB-INF, all you have to be concerned about 
> are JSP.  Properties files, etc. go under WEB-INF, as well.  Applciation 
> architecture best practices says don't put anything critical in a JSP, 
> so what's the big risk?
> 
> Going back to your earlier question, I simply set up a certain user 
> account for both Apache and Tomcat.  "webuser" or whatever.  That user 
> has restricted permissions and is a member of its own group (also 
> "webuser" or whatever).  Apache and Tomcat run as this user.  Since 
> developers should never have access to the command line on a production 
> server, there's no problem.
> 
> John
> 
> Sonja Löhr wrote:
> 
> > You are very right in that my greatest problem is to work out a pattern
> > where to find the "static content" hides that Apache could perhaps serve a
> > bit faster.  Unfortunately, I can't tell Apache to serve ".gif" etc. but
> > must come the other way round, perhaps ending up with URLs to single
> > servlets.
> > Many people cite security-reasons for the integration of the two, but all
> > I've been bothered up to now is how to prevent Apache to show my programming
> > ressources to the world (those unfortunately not located in WEB-INF).
> > 
> > I'll be thinking about doing it separately, you really calmed me down :-)
> > thanks very much
> > Sonja
> > 
> > 
> > 
> > ----- Original Message ----- 
> > From: "Eric J. Pinnell" <eric@iCky.org>
> > To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
> > Sent: Monday, September 01, 2003 4:28 PM
> > Subject: Re: permissions for Tomcat+Apache integration
> > 
> > 
> > Hi,
> > 
> > The question is do you need to secure your application from the outside
> > world or do you need to secure it from users that might be logging on to
> > your system?  Or both?
> > 
> > Usually you want to go with the "both" scenerio.
> > 
> > But to keep it simple, pick a user that you want tomcat to run as.  Untar
> > Tomcat and chown -R tomcat jakarta-4.x.x  (if the user is named "tomcat"
> > which isn't a bad name for the Tomcat user ;)
> > 
> > Then just run it.  It will be ok just like that.  If you are running
> > Tomcat and Apache on the same machine really look at why you are running
> > Apache at all.  It's a popular misconception that you _must_ run Apache in
> > front of Tomcat.  That couldn't be more wrong.  Running Tomcat alone will
> > save you the hassle of Apache and the connectors.  However you do need to
> > run Apache if you are going to use load balanceing and the apache
> > modules.  However most times people just have Apache pipe everything back
> > to Tomcat.  In this case you don't need Apache at all.
> > 
> > -e
> > 
> > On Mon, 1 Sep 2003, [iso-8859-1] Sonja Löhr wrote:
> > 
> > 
> >>Hello!
> >>
> >>Here is my second question, now concerning Apache+Tomcat integration on
> >>Linux:
> >>Could someone tell me a reasonable users, groups and file permissions
> >>structure for apache, the tomcat-files itself and a typical webapp?  -
> > 
> > Java
> > 
> >>security aside.
> >>
> >>1. Is it a good idea at all to place the webapps under apache's document
> >>root, having to care about all WEB-INF and other sensible directories with
> >>"deny from all" ?
> >>
> >>2. Which account in which group?
> >>Apache needs access to static files somewhere in the webapp. (Which may be
> >>very dispersed f.e. in case of cocoon).
> >> If a "tomcat" user and the "apache" user account are in the same group
> > 
> > with
> > 
> >>restricted permissions, I can't assign permissions to a group of
> > 
> > developers,
> > 
> >>just another owner (me ;-).  Ok, may it be. Additionally, if tomcat
> > 
> > unpacks
> > 
> >>war files, all resulting directories are owned by tomcat alone. So should
> > 
> > I
> > 
> >>put the "apache user into the "tomcat" group?
> >>
> >>3.How paranoid must I be about tomcat-files (server-directory f.e)?
> >>Tomcat needs write access to some directories, but certainly I don't know
> >>all processes tomcat.
> >>
> >>You probably guess by now that I'm not grown up with Unix-systems.
> >>Spent my whole sunday with chmod and chown, now I would be very happy if
> >>someone told me something SIMPLE  :-)
> >>
> >>Thank you,
> >>Sonja
> >>
> >>
> >>
> >>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >>
> >>
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > 
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 


Mime
View raw message