tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: Accessing a directory/file outside of the webapps directory
Date Fri, 04 Jun 2010 14:57:58 GMT
Bernard Giannetti wrote:
> Thanks - I'll try the second method.  I don't know if I am or am not running under a
security manager.  I've just got a standard install of Tomcat - so whatever comes out of the
box is what I'm running.
In addition to the comment by Chuck :
As far as I know, Ubuntu uses the same packages and package manager as 
In the Debian distribution, whether the Java security manager is active 
for Tomcat or not, is determined by a setting in the file 
/etc/default/tomcatxxx (with xxx depending on the version).
In that file, there is a line like
If you set it to "no" and restart Tomcat, it will run without security 

About the security manager :
As far as I understand it, this is a Java feature aimed at limiting what 
a Java application is allowed to do.
It is there to protect your system against
1) yourself, in the sense that it may block some unintended actions by 
your own applications
2) others, IF your system is such that other people can upload and run 
Java applications on your server, which might then do obnoxious things.

If neither of these conditions apply in your case, you can disable the 
security manager.

If your webapp is such that it reads and writes files onto the 
filesystem without going through one of the Tomcat embedded functions to 
do so, then they can theoretically do whatever they please, as long as 
the basic filesystem permissions allow them to do so, and Java's 
security manager is not activated (see above).
Tomcat runs under a specific user-id (e.g. "tomcat5").  All webapps 
running under Tomcat run in the same process, under that same user-id. 
If these webapps need to read/write files in some directory on the 
filesystem, then that directory needs to allow that user-id to do so.

You can achieve this for example by :
- set the target directory to belong to a new group xxx
- make the user tomcatxxx belong to that group xxx (as an additional group)
or use ACLs, if the filesystem supports it (and you are not turned off 
by the cryptic setfacl/getfacl syntax and logic).
Be careful not to create security holes when you do that kind of thing.
Also, this kind of thing tends to be OS-specific, so if your application 
must run in multi-platform context, choose a method that is portable.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message