tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Running Tomcat on a webserver that is on a workgroup
Date Tue, 19 Jul 2011 16:24:18 GMT
Leo Donahue - PLANDEVX wrote:
> André,
> 
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Running Tomcat on a webserver that is on a workgroup
>>
>> There is probably more to it than that.  
> All they are going to do is join it to a workgroup.
> 
>>> I don't understand how Tomcat will be able to access resources from
>>> our domain, and vice versa, unless I'm running Tomcat as a local
>>> account, and that same local account is created on the other servers on the domain.
>>>
>> It all depends what you mean by "resources".  It will still be able to access other hosts
>> via TCP (through the firewall, if the firewall allows it). But it will no longer be able
>> to access "shares" or windows network printers e.g.
>>
>> What kind of network resources does your webserver need ?
> 
> Windows shares. Otherwise the size of the vm that is my current web server needs to grow
> in order to support access to certain files, mostly images (over 500 GB), or I add the
> local account from the workgroup to the domain server containing the file share.
> 

That, as far as I know, is not possible. Or let's say that it is at least self-defeating 
(or self-contradictory): if you add that account to the DC, then it becomes a domain 
account, no ?
(And then of course the rightful question to ask would be what that changes, as compared 
to the current situation).

...

> 
>> What is the security issue that this change is supposed to cure ?
> 
> Other than making administration more difficult, I was hoping someone could tell me.
> Tomcat runs with a least privilege account anyway.  Is this a "feel good" thing?
> 
On the basis of the provided information, it can only give soothing feelings to someone who
does not really know what they are doing.  Or someone who got some instructions from 
others who do not know what they are talking about (or don't care).  I'm thinking of some
global diktat like "no server that can be accessed from outside should be part of the 
domain, period".

Of course, you can always
- create a local account on the other fileserver which contains the files which you need 
to access
- give that local account permissions to access those files
- and then from your local Tomcat host, "net mount" that directory, providing the username
and password of the local account on the fileserver.
(And of course vice-versa if other systems need to access resources on the Tomcat host).

But, other than the fact that this is not easy to do if your Tomcat runs as a service, it
does indeed create a very confusing situation in terms of management, and more security 
holes to boot. (Like the fact that the password would need to be in clear somewhere).

Perhaps you should just wrap up these various considerations and questions and send a memo
to the responsible people asking if that is really what they want ?
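The three-step workaround described in the reply, written out as an added PowerShell example that is not part of the thread; the fileserver name FILESRV, the account name tomcatshare, the folder D:\images and the share name images are all assumed. Steps 1 and 2 run on the fileserver, step 3 on the Tomcat host, and the comments mark the two points the reply raises: the password has to live somewhere in clear on the Tomcat side, and a mapping made in an interactive session is not visible to Tomcat running as a service.

```powershell
# --- On the fileserver (assumed name FILESRV): steps 1 and 2 ---

# Step 1: a local, non-domain account that exists only on the fileserver.
# Prompting keeps the password out of this script; the Tomcat host (step 3)
# still has to supply it, which is where the clear-text problem appears.
$pw = Read-Host -AsSecureString -Prompt 'Password for local account tomcatshare'
New-LocalUser -Name 'tomcatshare' -Password $pw -PasswordNeverExpires `
    -Description 'Read-only access for the workgroup Tomcat host'

# Step 2: least privilege on the image folder: read-only NTFS permission for
# that one account, inherited by files and subfolders, then a read-only share.
$folder = 'D:\images'   # assumed location of the ~500 GB of images
$acl  = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'tomcatshare', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl
New-SmbShare -Name 'images' -Path $folder -ReadAccess 'tomcatshare'

# --- On the Tomcat host (workgroup member): step 3 ---

# "net mount" in the reply is `net use`. The credential is the fileserver's
# *local* account, so the user name is qualified with the fileserver's name
# rather than a domain. The trailing '*' makes net use prompt for the
# password; writing it literally here is exactly the "in clear somewhere"
# the reply warns about, and the prompt only works interactively.
net use \\FILESRV\images /user:FILESRV\tomcatshare *

# Caveat from the reply: this connection belongs to the logon session that
# ran the command. A Tomcat service running under its own account does not
# see it, so the service account itself would need the credential, which is
# why this is "not easy to do if your Tomcat runs as a service".
```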


