tomcat-users mailing list archives

From André Warnier
Subject Re: Configuring access to an external directory
Date Sun, 25 Nov 2012 12:13:52 GMT
My 2 cents below

Baron Von Awsm wrote:
> Our web app may be deployed to a Tomcat version 6 or higher, hence Java
> version 5 or higher. It may be deployed to a Tomcat running on a
> Windows-derivative OS or Unix-derivative OS.
> We have a requirement that can be stated as follows,
> * The web app needs to be able to read from and write to a directory that
> is external to the webapp's own docBase and directory structure.

If there is no Java Security Manager in effect, a webapp can do whatever it wants, subject
to the restrictions of access determined by the user-id under which it runs (the Tomcat
user-id) and the permissions on the filesystem.

> * The write access needs to be unrestricted in that the web app will need
> to create, modify and delete files and directories within the directory
> (but not be able to delete the directory itself).

See the above paragraph.

> * The directory needs to be a member of the webapp's classpath.

Meaning, I suppose, the classpath of the JVM running Tomcat ?
(but I don't really understand what you mean or what your needs are in terms of that 
"classpath" you are talking about.  Do you really mean, in essence, that others will be 
putting classes there, that need to be loaded and run by your webapp ?).

> * The directory contents must not be accessible via any url that can be
> directed at the webapp. 

It would not be, if it is not under the Tomcat appBase.
Unless you provide yourself some sneaky back-way to access them (like symlinks to it, from
your webapp directory).

> (The external directory cannot be considered to be
> owned by the webapp. Other applications (not web applications) own (in the
> logical sense) the directory. These applications write information to and
> read information from this directory. 

All irrelevant to the above, I think.

> I need my web app to be a consumer
> and publisher of information in this directory without exposing any
> directory contents via a url).

See above.

> We're developing on Windows 7. In the development environment, we're simply
> placing the path to the external directory in the webapp's classpath in the
> web app's Tomcat context file. We're running Tomcat without the -security
> option and all works well. With the -security option, as expected, the
> webapp no longer has the permissions needed to read and write against the
> external directory with File operations.
> What do we need to do to configure Tomcat (running with the -security
> option) to allow us the access we're after to the external directory?

Provide the appropriate rules to allow your webapp to read and write there.
I believe that there are examples in the standard catalina.policy file that comes with 
Tomcat.  Note that this is a "Java thing", not specific to Tomcat.

Note: the Java Security Manager essentially provides a set of "fences" which limit what the
webapp can do.  If you write the webapps yourself, it protects you against your own
mistakes in your own code.  If you allow other people to load webapps to your system, it
protects you against what their code can do.
Of course this has a price in terms of overhead, because once it is enabled, it has to
check and filter every access to anything.

Note : in my own humble opinion, with the tone you are using and the kind of questions you
are asking, you are walking just on the fine line that separates the kind of thing for
which people here will be willing to help you, and the kind of thing for which they would
send you back to Googling for yourself.
Do not forget that this is a mailing list manned by volunteers, with the objective of
helping people who want to use Tomcat.  It is not a free resource to do your work for you.
There exist paid consultants for that.
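
Added example, not part of the original message or of Tomcat's shipped files: a `catalina.policy` fragment of the kind the reply points to, granting one webapp read/write/delete access below an external directory while withholding delete on the directory itself. The webapp name `myapp` and the path `/srv/shared-data` are assumed placeholders.

```conf
// Added example fragment for conf/catalina.policy.
// Assumptions: "myapp" is a hypothetical webapp name and /srv/shared-data
// is a hypothetical external directory outside the Tomcat appBase.

// Scope the grant to this webapp's code only, so other webapps running
// in the same Tomcat instance do not inherit the access.
grant codeBase "file:${catalina.base}/webapps/myapp/-" {

    // The directory entry itself: "read" lets the webapp list it.
    // No "write" or "delete" is granted on this exact path, so the
    // Security Manager refuses an attempt to delete the directory.
    permission java.io.FilePermission "/srv/shared-data", "read";

    // A trailing "/-" matches every file and subdirectory below the
    // directory, recursively, but not the directory itself.
    // ("/*" would match only the direct children.)
    permission java.io.FilePermission "/srv/shared-data/-", "read,write,delete";
};

// On Windows the FilePermission target is a native path: double each
// backslash, or use ${/}, which expands to the platform file separator.
```

These grants only widen what the Security Manager allows; the filesystem permissions of the Tomcat user-id still apply underneath them.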
