tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: [OT] Tomcat Security Limitation
Date Wed, 10 Oct 2012 14:23:04 GMT

On 10/10/12 10:05 AM, André Warnier wrote:
> Christopher Schultz wrote:
>> Mouradk,
>> On 10/10/12 7:49 AM, Mouradk wrote:
>>> I am running a servlet that reads and writes to a remote
>>> instance of Hbase/Hadoop on ec2. When the security manager is
>>> off, all is fine. But when the manager is on, write and read
>>> operations fail.
>>> I have the following permissions on my 04webapps.policy file:
>> 04webapps.policy isn't a file I recognize as one that Tomcat
>> reads. Is this something that your local installation supports in
>> some way?
> Info: this looks very much like what the Linux Debian Tomcat
> package is doing: splitting up "catalina.policy" into chunks
> stored in /etc/tomcat/policy.d/*, which are then re-combined into
> "catalina.policy" by the package's Tomcat startup script just
> before launching the JVM.
> Practically speaking, it is not a bad idea. catalina.policy as one
> big chunk is not very easy to read or edit.

Nor is it easy to keep up-to-date when Tomcat ships with a new version
of the policy file. This happens even with point-releases so it's not
like just syncing everything up when you do a major-version upgrade
and have to re-write server.xml essentially from scratch.

In general, I would advocate for splitting Tomcat's policy up into
several files, but that significantly complicates deployment across
multiple OSs and styles of launching Tomcat. With shell scripts (which
is how *NIX services all launch), it's easy. On Windows, it's not
quite so easy and would probably lead to confusion.

So, if Debian/Ubuntu wants to split the policy file for their
package-manager version I think it makes sense, but it would just add
complexity at the stock-Tomcat level... and configuring Tomcat is
already pushing the complexity limit for a lot of its users.

-chris
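The policy.d recombination André describes, written out as a small POSIX shell script. This is an added example, not code from the thread or from the Debian package: it assumes that fragments are concatenated in filename (lexical) order, which is what a numeric prefix such as 04webapps.policy implies, and the fragment contents, the webapp path and the host name EXAMPLE-HBASE-HOST are constructed placeholders. The crude brace-count check at the end is the kind of sanity test worth running before the JVM starts, because Java's policy loader skips a file it cannot parse and the grants in it silently disappear, which looks exactly like the "works without the security manager, fails with it" symptom in the original question.

```shell
#!/bin/sh
# Added example: rebuild catalina.policy from policy.d fragments.
# Assumptions (not from the thread): fragments end in .policy and are
# concatenated in lexical filename order. All paths and grants below are
# constructed so the script runs offline.
set -eu

# Write two constructed fragments into $1 (placeholders, not real hosts).
make_sample_fragments() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/01system.policy" <<'EOF'
// Constructed fragment: permissions for the JVM's own code.
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};
EOF
    cat > "$dir/04webapps.policy" <<'EOF'
// Constructed fragment: let one webapp open sockets to a remote host.
// EXAMPLE-HBASE-HOST is a placeholder, not a real address.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {
    permission java.net.SocketPermission "EXAMPLE-HBASE-HOST:60000", "connect,resolve";
};
EOF
}

# Concatenate every *.policy fragment from $1 into $2 in lexical order,
# marking where each fragment starts so a failing grant can be traced back.
build_policy() {
    src="$1"; out="$2"
    : > "$out"
    for f in "$src"/*.policy; do
        printf '// ---- from %s ----\n' "$(basename "$f")" >> "$out"
        cat "$f" >> "$out"
    done
}

# Crude sanity check: every line starting with 'grant' should be matched by
# a line that is exactly '};'. Succeeds (exit 0) when the counts agree.
check_policy() {
    grants=$(grep -c '^grant' "$1")
    closes=$(grep -c '^};' "$1")
    [ "$grants" -eq "$closes" ]
}

# Stand-alone run: build and check a policy from the constructed fragments.
demo() {
    work=$(mktemp -d)
    make_sample_fragments "$work/policy.d"
    build_policy "$work/policy.d" "$work/catalina.policy"
    check_policy "$work/catalina.policy" && echo "policy OK: $work/catalina.policy"
}

demo
```

In a real startup script the output path would be the file Tomcat is launched with (`-Djava.security.policy=`), and the check would run before `exec`ing the JVM so a broken fragment stops the service rather than starting it with missing grants.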
