tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Miguel Torres Fernández <miguel.torres....@juntadeandalucia.es>
Subject Re: Set System variables.
Date Mon, 26 Oct 2009 10:24:07 GMT
André Warnier escribió:
> Miguel Torres Fernández wrote:
>> Good Morning.
>>
>> At firts say hello, this is my first message to the list.
>>
>> I'm a system admin and i have a problem with applications thats set 
>> system variables like proxy of the system (system.setProperties). 
>> It's a big problem for us, i have an instance of tomcat with more 
>> than ten applications and the past week two of them modify parameters 
>> of the system like proxy or trustkeystore.
>>
>> Exist some jdk options to avoid applications to set this parameters?
>>
> Hola Miguel.
> Simple answer : don't run these applications.  The developers of these 
> applications should know that when they set such a "system" property, 
> it sets it for the entire JVM, and they should think about the 
> consequences.
>
> As a sysadmin, you can probably forbid these applications from doing 
> that, by running Tomcat with a security manager.  Look at the Tomcat 
> startup scripts to see if there are default options being loaded 
> somewhere.  If you are under Linux, you may find something in, for 
> example, /etc/defaults/tomcat.
>
> But the problem is, such a security manager is also valid for the 
> entire JVM, and thus the entire Tomcat and all its (other) applications.
> So you may have to do a lot of individual tuning of the permissions of 
> each application, just to control these two misbehaving applications.
>
> Also, by setting these permissions, the most likely result is that 
> these two applications will now crash, since they will get a 
> permission error when they try to do what they do.
>
> So, back to the simple answer above.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
Hello André!

The first step, as work arround, has been put this apps in quarantine, 
the other apps needs to be in production, but now I need to make a 
system to avoid future apps to set this parameters. If bad apps doesn't 
work it not my fault and i told the developers which problems involve 
their apps and that they need to fix it.

Thank you very much.

-- 
Miguel Torres Fernández



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message