Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)

To: debian-java@lists.debian.org
Subject: Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)
From: Stefan Gybas <gybas@trustsec.de>
Date: Mon, 3 Dec 2001 14:14:19 +0100
Message-id: <[🔎] 20011203141419.A26999@avoive.trustsec.de>
In-reply-to: <Pine.LNX.4.33.0111301442560.1053-100000@gradall.private.brainfood.com>
References: <20011129124804.A3985@avoive.trustsec.de> <Pine.LNX.4.33.0111301442560.1053-100000@gradall.private.brainfood.com>

On Fri, Nov 30, 2001 at 02:43:31PM -0600, Adam Heath wrote:

> I consider that a bug, and should probably file one.  tomcat should not run as
> the same user as apache, for security reasons.

In previous versions the auto-generated config file looked like this:

JkMount /mywebapp/*.jsp ajp12
<Location "/mywebapp/WEB-INF/">
  AllowOverride None
  deny from all
</Location>
<Location "/mywebapp/META-INF/">
  AllowOverride None
  deny from all
</Location>

So static parts inside the /mywebapp directoy were served by Apache directly
and dynamic parts (JSP pags and servlets) were passed to Tomcat using
mod_jk. This changed in Tomcat 3.3: All files inside /mywebapp are handled
by Tomcat now, like in this example:

JkMount /mywebapp/* ajp13

If you want to restrict access to some files inside the webapp using UNIX
file permissions both Apache and Tomcat need to run as the same user. If
you want to run Tomcat as a different user you can do so by changin
/etc/default/tomcat.

-- 
Stefan Gybas

Reply to:

Follow-Ups:
- Re: Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)
  - From: Guy Geens <ggeens@iname.com>

Prev by Date: RE: [summary] Re: policy proposition for javadoc installation
Next by Date: RE: Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)
Previous by thread: RE: [summary] Re: policy proposition for javadoc installation
Next by thread: Re: Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)
Index(es):
- Date
- Thread