Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Received-SPF: pass (athena.apache.org: local policy includes SPF record at
 spf.trusted-forwarder.org)
Message-ID: <529D0911.4010903@christopherschultz.net>
Date: Mon, 02 Dec 2013 17:26:25 -0500
From: Christopher Schultz <chris@christopherschultz.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
 rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: install war with xml and define environment values
References: <A91AE052-595F-4566-8970-8757FFB1368E@tu-clausthal.de>
 <BLU172-W890D9012D83B8660E0D4AAEEB0@phx.gbl>
 <3DE8AE9B-AED4-49A2-BBD9-5BE00F79EBD6@tu-clausthal.de>
 <529BBACF.8000102@yahoo.com>
 <B9DA42D5-F503-4F30-8822-8199EC61C17E@tu-clausthal.de>
 <529CB3F7.3070705@yahoo.com>
In-Reply-To: <529CB3F7.3070705@yahoo.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 12/2/13, 11:23 AM, Mark Eggers wrote:
> On 12/1/2013 10:49 PM, Philipp Kraus wrote:
>> Hello,
>> 
>> Am 01.12.2013 um 23:40 schrieb Mark Eggers
>> <its_toasted@yahoo.com>:
>> 
>>> Run Tomcat as an unprivileged user.
>>> 
>>> If you need to have Tomcat serve on port 80, use jsvc, iptables
>>> to map port 80 to port 8080, or place an Apache HTTPD server in
>>> front of Tomcat using mod_proxy_http, mod_proxy_ajp, or
>>> mod_jk.
>>> 
>>> You could also unpack the WAR file, change the param value,
>>> and repackage the WAR file. Of course, the user Tomcat is
>>> running under will need to have privileges to the directory you
>>> change the param value to.
>> 
>> On my test system Tomcat 7 runs with root access, but on my 
>> production system it runs with an unprivileged user on port 9090
>> and a Nginx works like a proxy for https. This works fine, but on
>> the Tomcat runs Jenkins and a project planning system. My
>> Jenkins installation is configures by a XML file in the
>> /etc/tomcat7 directory with this content:
>> 
>> <Context docBase="/usr/share/jenkins/jenkins.war"
>> privileged="true" allowLinking="true" crossContext="true"
>> autoDeploy="true" > <Environment name="JENKINS_HOME"
>> value="/home/jenkins/" type="java.lang.String"/> </Context>
>> 
>> With the value JENKINS_HOME I can change the data directory of 
>> Jenkins.
>> 
>> The project planning system uses only ${user.home}, so I would
>> like to redefine this environment value for this war only
>> (because the backup system runs over the /home dir). I'm working
>> the first time with tomcat but not with java.
>> 
>> Thanks Phil
> 
> I don't know about your project planning system, but my
> installation of Jenkins doesn't need crossContext, privileged, or
> allowLinking. I'm not sure what autoDeploy accomplishes as a
> Context attribute (nothing?).

It produces a lovely warning message.

> Do other people use your machine, or are you the sole user?
> 
> If you're the sole user, set up Tomcat within your home directory,
> take the defaults, drop the WAR files in $CATALINA_BASE/webapps,
> and you're done.
> 
> If not, then set up your system much like your production system.
> That way others can access it on port 80, the unprivileged user
> gets everything backed up (provided the account is in
> /home/unprivileged), and again you can just take the defaults.
> 
> This really is a Java issue and not a Tomcat issue. The application
> is using the environment variable user.home. Setting aside whether
> this is a good idea or not, I think you have a few alternatives (if
> you don't set things up as above).

+1

<Environment> doesn't do what the OP thinks it does. OP wants to
redefine a *system property* when running a particular web
application, but not affect that value for other applications running
in the same JVM. This is simply not possible.

Phillipp, you've mentioned 3 different ways to configure things:

1. Using web.xml <init-param>
2. Using context.xml <Environment>
3. Using ${user.home} system property

It's unclear to me which of these you actually want to use and for
what. You have mentioned both Jenkins (which ought to be configurable
in a number of ways, given the wide range of environments in which it
is probably run) and an otherwise unspecified "project planning system".

Is Jenkins simply a red herring?

If your project planning system (that's the one you want to
reconfigure, right?) reads the system property "user.home", then you
are simply going to have to change it to read something else unless
you want to redefine the value of "user.home" for the entire JVM.

> 1. Unpack the WAR, change the param, repack the WAR, run the
> altered WAR
> 
> This may or may not work, and depends on whether the application
> uses System.getenv("user.home") elsewhere to write to the
> directory.

The most straightforward to code would be to read <init-param> from
web.xml using ServletContext.getInitParameter. But, as you've
mentioned, changing an init-param's value within a WAR is kind of a
PITA. If you use <Environment> in your webapp's META-INF/context.xml
(or CATALINA_BASE/conf/[Engine]/[Host]/[webapp].xml) then that *can*
be easier to configure (if you put your file in conf/ as shown above)
but then the code for fetching values from JNDI is semi-awkward.

> 2. Set the environment variable user.home
> 
> I don't know what other impacts this will have. You can do this by
> the following:
> 
> a. create a file called setenv.sh in $CATALINA_BASE/bin b. in that
> file put something like the following:
> 
> CATALINA_OPTS="-Duser.home=some-location" export CATALINA_OPTS

Phillip could also do something crazy like inventing a *new* system
property that only his application cares about. How about
project.planning.user.home, or whatever makes more sense for you?

CATALINA_OPTS="-Dproject.planning.user.home=some-location"
export CATALINA_OPTS

Now modify your code to read the system property
"project.planning.user.home" and be done with it. There's no need to
try to figure out how to make "user.home" look different to multiple
webapps.

This is a fairly clear case of holding a nail and looking everywhere
for a hammer when you clearly need to decide that a screw is more
appropriate and use the screwdriver you already have in your other hand.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJSnQkPAAoJEBzwKT+lPKRYspkP/iF4gPfTmj+bQL1knPx/a0FX
/v460Tna/FVIqfADkMdrJqPidWtoPNwK4rlnf36e3qxEJ34OG4zj/JJeGTXVDEsv
AsQSzg+Csuc1K9XycCQT8rs2DtCAuuhtVhtCCjBV/LjZi6SetVdeZFNKmX3u6OyO
HyMbCt1gsVfNPSdpnyTZL8fAZwDzg7qLPjPSShJ/gSJ0FXUD7aVXcWuBQXPZCoO+
Chy9n7fEmw8HZ4zqVKlyhmkuywiDHLsDwRZNnqiJALR2f1kUrmkYcu/CcOqzcGsV
ee/sCMO4StdNBbFiDCNPU6oPFB+MnLfC94rRcqFWkttOJruulW/CkVm528weDFbf
p1hxXO0qDk0eWRsJb+4bDlPCgpA4Gel0h3tDxMXLyTc4NEoNt24tBPlPCbj/80Af
AKTyM9LeiV710NIUxeEXso6MLrwhf8oEzpMj8L6GAlFNMTPbV4+MyG+tvMrqo/gR
/NEe1Qr0OTmjp5E5S/o2kTEu8hlyyUGZ0nIzn1Fnb139LYOELkeRlvDq3bVLBeGh
PEvXJObrSdd3kzzR2op1beqIYmw97id6T7xGnr5Og/wUueUnWY6kbSx7wtPOsrkR
yC0loVVrKYiZoMVQsyh9ddEsdok7nNli8uXvOhX/bgae35WNonAFf2rlBc+oz66y
L4HN+rcZo9KDLsxBi/Zp
=0LRF
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org