tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: running servlets as fileowner
Date Fri, 17 Jul 2009 09:05:32 GMT
Jan-Florian Hilgenberg wrote:
> thank you very much :-)
> just one question is left: when you said "have to modify the jvm to support
> uid/gid per thread"
> do you mean that we have to change something in the source code or what?
> because I have no idea how I have to set up such RMI things.

Just a Java dummy bumping in here.

I think that the (qualified) answer which you received previously 
basically meant "no, you can't do that".
Indeed, modifying the JVM to allow it to start a thread with a different 
uid/gid would probably not be trivial, especially considering all the 
security aspects of ditto.
The "RMI thing" would mean, for instance, that you start a separate 
server process under a separate JVM, running under the other uid/gid, 
and then from your own server, you call these applications via Remote 
Method Invocation.
Anyway, not something trivial for me, and maybe not anymore for you.

Another idea that could be tried, however, assuming you really need to 
run this application under another uid/gid:
- run 2 separate Tomcats:
	- a Tomcat1 running under the "normal" uid/gid, and running the standard applications
	- a Tomcat2 running under the "special" uid/gid, only for this special application
- install an Apache httpd as a front-end to your 2 Tomcats
- use this front-end Apache httpd as a proxy to distribute the calls to 
your two back-end Tomcats: the calls to this special app go to Tomcat2, 
the calls to the other webapps go to Tomcat1.
As proxying module, you can use any one of mod_proxy (HTTP), 
mod_proxy_ajp, or mod_jk.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
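
The front-end layout proposed in the message above, sketched as an httpd configuration using mod_proxy_ajp. This is an added example, not part of the original message; the host name, the context path /specialapp and the AJP ports 8009/8010 are assumptions.

```apache
# Added example: one httpd front-end, two back-end Tomcats under different uids.
# Assumed values (not from the original message):
#   Tomcat1  "normal" uid/gid,  AJP connector on 127.0.0.1:8009
#   Tomcat2  "special" uid/gid, AJP connector on 127.0.0.1:8010
#   /specialapp is the context path of the special application

LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only: never relay arbitrary client-chosen URLs.
    ProxyRequests Off

    # ProxyPass rules are checked in configuration order and the first
    # match wins, so the specific path must precede the catch-all.
    # Calls to the special app go to Tomcat2 ...
    ProxyPass /specialapp ajp://127.0.0.1:8010/specialapp

    # ... and everything else goes to Tomcat1.
    ProxyPass / ajp://127.0.0.1:8009/

    # No ProxyPassReverse: AJP forwards the original Host header, so the
    # back-ends generate redirects that already point at the front-end.
</VirtualHost>

# The uid separation only holds if clients cannot bypass the front-end:
# - each Tomcat's AJP connector should listen on the loopback address only
#   (address="127.0.0.1" on the <Connector> in server.xml), and any HTTP
#   connector that is not needed should be disabled;
# - the special application must be deployed in Tomcat2 only, and Tomcat2's
#   files must not be writable by Tomcat1's uid (or the reverse).
```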

