tomcat-users mailing list archives

From Tim Downey <>
Subject Re: multiuser tomcat environment
Date Mon, 05 Jan 2004 14:22:14 GMT
Tsirkin Evgeny wrote:

> Many thanks for your reply.
> Does your solution work with NIS?
> Also I have found on the server config site that:
>     "The operating system username under which Catalina is executed MUST
>     have read access to each user's web application directory, and all
>     of its contents."
> In my case that probably means that I will have to run Catalina as root.
> Are there any known security problems with that?

The safest way is to start Tomcat as root and switch id to nobody, and to
place all your users in the same group. The users give no access to group,
but rw to others.

Be sure to run with security turned on. All servlets will run with the
permissions of the id that Tomcat is executed as. With security on, by
default servlets can only rw files in their class directory.

If you run Tomcat as a normal user, be sure this id is not in the same
group as all the other users.

All users should authenticate for access to the webapps.

> About implementing my own manager, I am not really a Java programmer.
> Does anybody know about such a thing already done?

I like the idea that someone else suggested about virtual hosts.
As an alternative, you could have an authenticated servlet that executes an
ant script that will access the manager. The servlet would only allow start,
stop and reload.

> Thanks.
> On Fri, 02 Jan 2004 11:00:24 -0500, Tim Downey <> wrote:
>>  >> The main purpose of the server - a programming course, the
>>  >> students should develop their projects on it.
>>  >> Students probably should be able to do the following:
>>  >> [1] deploy/redeploy/reload their applications
>> Using Tomcat as a stand-alone server, you can create a ~ directory for
>> each user in /etc/passwd. Add a Listener for UserConfig in the Host.
>>  >> [2] they should NOT be able to do the same for the
>>  >>    other students' applications
>> The ~ directories have individual user access privileges.
>>  >> [3] they can't restart the server, of course, since
>>  >>     students don't have root access.
>> I am unfamiliar with creating a new manager, but it seems that you
>> should be able to write a servlet that can only be accessed by
>> registered users.
>> This servlet will send stop/start for a particular user's web app
>> directory.
>> It is possible to send messages to the manager via HTTP. Your servlet
>> will need to authenticate as the manager, and then send the correct HTTP
>> request.
>> Perhaps someone else has a slicker solution. I would love to hear it.
>>  >> So, using the manager app is not appropriate - that way all the
>>  >> students will be able to manage all the applications.

Tim Downey
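
The permission layout described in this message, as an added example that is not part of the original post: a POSIX shell audit that flags any path in a student's web directory that grants a group bit (classmates share the group) or that the "other" class, where the Tomcat id falls, cannot read. The sample tree and the student names alice and bob are constructed, and the audit checks only the read access that the quoted documentation requires.

```sh
#!/bin/sh
# Added example: audit the permission scheme described in the message.
# Students share one group and the Tomcat id is outside it, so Tomcat is
# matched by the "other" class while fellow students hit the empty group class.

# Print every path under DIR (symlinks skipped) that grants any group bit.
group_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \) -print
}

# Print every path under DIR that "other" cannot read; directories also
# need the search bit, or Tomcat cannot reach the files inside them.
other_blocked() {
    find "$1" ! -type l \( -type d ! -perm -005 -o ! -type d ! -perm -004 \) -print
}

# audit_webdir DIR: report findings, return 0 only if both checks are clean.
audit_webdir() {
    exposed=$(group_exposed "$1")
    blocked=$(other_blocked "$1")
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/group can access: /'
    fi
    if [ -n "$blocked" ]; then
        printf '%s\n' "$blocked" | sed 's/^/tomcat cannot read: /'
    fi
    [ -z "$exposed" ] && [ -z "$blocked" ]
}

# Constructed sample tree; alice and bob are hypothetical students.
demo=$(mktemp -d)
mkdir -p "$demo/alice/WEB-INF" "$demo/bob/WEB-INF"
echo ok > "$demo/alice/index.jsp"
echo ok > "$demo/bob/index.jsp"
chmod -R u=rwX,g=,o=rX "$demo/alice"    # nothing for group, read for other
chmod -R u=rwX,g=rX,o=rX "$demo/bob"    # typical default: classmates can read
for student in alice bob; do
    if audit_webdir "$demo/$student"; then
        echo "$student: ok"
    else
        echo "$student: needs fixing"
    fi
done
rm -rf "$demo"
```

The checks read mode bits only, so the result is the same whether the audit runs as root or as an ordinary user.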
