tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian J. Sayatovic" <>
Subject Re: How does Tomcat interact with filesystem file permissions
Date Thu, 24 Mar 2005 11:21:25 GMT
Well, I can create a special "Tomcat Service" account, and then be 
careful what groups I add it to, and make sure the Tomcat directory is 
accessible to it.  I'll also find the How To for running Tomcat as an NT 
service again to see if they address this.  And this isn't a 
corporation, this is just for my own personal use (though that's still 
not an excuse not to secure my own box!)

Regarding Tagish JAAS, this is the home page:

It's a bit out of support.  I found it through Chris Maeda's article on

On Chris Maeda's Blog, there were plenty of feedback comments.

A lot of folks couldn't get it to work with Tomcat outside of form-based 
authentication.  I wanted to use normal authentication where the browser 
just prompts you and was havign Tomcat's JVM die without a record of the 
cause!  Eventually with some debug tracing and looking at source code, I 
determined that the Win32 API call being used didn't like null (which 
are the default credentials returned by Tomcat's JAAS module when there 
is no authenticated user).  So, I modified the Tagish JAAS source code 
to simply through an authentication-related exception when null was sent 
to it.

So, now, Tagish JAAS is using XP for authentication!


Jason Bainbridge wrote:

>On Wed, 23 Mar 2005 20:38:31 -0500, Brian J. Sayatovic
><> wrote:
>>So is all file access from the DefaultServlet performed as the Local
>>System account?
>Sure is and running any service like Tomcat as LocalSystem is a bad
>idea, you should create either a domain or local account (some
>companies prefer domain accounts as it is "easier to manage") that
>only has the bare necessity of permissions to run Tomcat. I just went
>through this exercise myself and still need to document exactly what I
>did as I couldn't find any online resources about it.
>I have never used or heard of Tagisj JAAS though but that does sound
>like something that would be worthwhile looking into.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message