tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: restrict per user public_html to serve static files only...
Date Wed, 27 Jun 2012 08:22:24 GMT
Kim wrote:
> Hi, Andre
> 
> How so ? can you explain ?
> After all, Tomcat itself has to know if the resource being served is a
> servlet or jsp page or something else, in order to serve it properly.
> So how come you cannot do the same ?
> ans : each user can have his/her own web.xml and can do whatever URL
> mapping in web.xml to serve his/her servlet ... That's why I can not
> know in advance unless I go into the user WEB-INF to do the parsing

Right, so you /are/ trying to implement something like the ~userdir of Apache httpd.
I tend to agree with Mikolaj then, you may be better off keeping Apache httpd for that.

Or else, this is the kind of situation for which the "security manager" of Tomcat
(actually of Java) may be the way to go.  If individual users can upload stuff and have it
served by Tomcat, at least restrict whatever these things can actually do.

Have a look first at the file (catalina_home)/conf/catalina.policy, section "WEB 
APPLICATION PERMISSIONS".
It seems to me that by not granting those permissions (other than to your own webapps), 
you can greatly restrict what users can do.

As long as the users don't have access to (catalina_base)/conf of course.

It also means of course that you /must/ grant these permissions to your own webapps, which
tends to be a p.i.t.a.  But then, you have an open system, so it belongs to you to close
the holes.



> ...
> 
> Another question : where is this "public_html" directory (?) actually
> located, and what does/can it contain, other than static pages ?
> ans : I configure tomcat to enable per-user web as follows:
>  <Listener className="org.apache.catalina.startup.UserConfig"
>             directoryName="public_html"
>             homeBase="/share/home"
>             userClass="org.apache.catalina.startup.HomesUserDatabase"/>
> 
> Regards,
> Kim
> 
> 2012/6/27 André Warnier <aw@ice-sa.com>:
>> Regarding the style of communications : on this list, it is preferred if
>> posters answer *below* the respective text to which they refer, not on top
>> of the message.
>> It makes it so much easier to follow the flow of the conversation (rather
>> than having to scroll up and down to find the appropriate paragraph).
>>
>>
>> Kim wrote:
>>> Hi,Andre
>>> Thanks for the advice. I do implement a Valve class to capture all the
>>> request before forwarding to actual web app. However, I can not know
>>> in advance the actual url for the servlet or JSP ..
>>> i.e. I can not know from the URI  in the Valve class that the
>>> resources is static files or servlet ...
>>
>> How so ? can you explain ?
>> After all, Tomcat itself has to know if the resource being served is a
>> servlet or jsp page or something else, in order to serve it properly. So how
>> come you cannot do the same ?
>>
>> Another question : where is this "public_html" directory (?) actually
>> located, and what does/can it contain, other than static pages ?
>>
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
> 
> 
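
An added example, not part of the original message and not Tomcat's own code: a small Python check for the catalina.policy advice above. It parses a policy file and lists every permission that code under the per-user home base would receive, either from a grant with no codeBase or from one pointing inside /share/home. The sample policy, the "intranet" webapp name and the assumption that user webapps load from file:/share/home/<user>/public_html/ are constructed for illustration.

```python
import re

# Constructed sample in Java policy-file syntax; not a real Tomcat file.
SAMPLE_POLICY = r'''
// ========== WEB APPLICATION PERMISSIONS ==========
grant {
    permission java.util.PropertyPermission "java.home", "read";
};
/* the operator's own webapp ("intranet" is a hypothetical name) */
grant codeBase "file:${catalina.base}/webapps/intranet/-" {
    permission java.io.FilePermission "/var/data/intranet/-", "read,write";
};
grant codeBase "file:/share/home/kim/public_html/-" {
    permission java.net.SocketPermission "*:1024-", "connect";
};
'''

# Header may contain quoted strings with "{" in them (e.g. ${catalina.base}).
GRANT_RE = re.compile(r'grant\b((?:[^{"]|"[^"]*")*)\{(.*?)\}\s*;', re.S)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')
PERM_RE = re.compile(r'permission\s+([\w.$]+)([^;]*);')

def strip_comments(text):
    """Drop /* */ blocks and whole-line // comments (keeps // inside URLs)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'^[ \t]*//.*$', '', text, flags=re.M)

def parse_grants(text):
    """Return [(codeBase or None, [(permission_class, target_and_actions)])]."""
    grants = []
    for header, body in GRANT_RE.findall(strip_comments(text)):
        cb = CODEBASE_RE.search(header)
        perms = [(cls, rest.strip()) for cls, rest in PERM_RE.findall(body)]
        grants.append((cb.group(1) if cb else None, perms))
    return grants

def audit(text, home_base="/share/home"):
    """List every permission that code under home_base would be given."""
    prefix = home_base.rstrip("/") + "/"
    findings = []
    for code_base, perms in parse_grants(text):
        if code_base is None:
            why = "grant without codeBase applies to all code"
        elif re.sub(r'^file:/*', '/', code_base).startswith(prefix):
            why = "codeBase lies inside the per-user home base"
        else:
            continue  # scoped to code outside the user directories
        findings += [(why, cls, rest) for cls, rest in perms]
    return findings
```

Calling audit() on the text of the real conf/catalina.policy returns one tuple per permission to review; an empty list means nothing in the file reaches code under the home base.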

