
Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)

On Fri, Nov 30, 2001 at 02:43:31PM -0600, Adam Heath wrote:

> I consider that a bug, and should probably file one.  tomcat should not run as
> the same user as apache, for security reasons.

In previous versions the auto-generated config file looked like this:

JkMount /mywebapp/*.jsp ajp12
<Location "/mywebapp/WEB-INF/">
  AllowOverride None
  deny from all
</Location>
<Location "/mywebapp/META-INF/">
  AllowOverride None
  deny from all
</Location>

So static parts inside the /mywebapp directory were served by Apache directly
and dynamic parts (JSP pages and servlets) were passed to Tomcat using
mod_jk. This changed in Tomcat 3.3: All files inside /mywebapp are handled
by Tomcat now, like in this example:

JkMount /mywebapp/* ajp13

If you want to restrict access to some files inside the webapp using UNIX
file permissions both Apache and Tomcat need to run as the same user. If
you want to run Tomcat as a different user you can do so by changin

Stefan Gybas
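
An added example, not part of the original message or of Tomcat's own tooling: a Python check for the older layout described above, where Apache serves a webapp's static files itself and so needs "deny from all" blocks for WEB-INF and META-INF. The names audit and SAMPLE_CONF and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the older auto-generated layout with the META-INF
# block missing, plus a second webapp mounted the Tomcat 3.3 way.
SAMPLE_CONF = '''
JkMount /mywebapp/*.jsp ajp12
<Location "/mywebapp/WEB-INF/">
  AllowOverride None
  deny from all
</Location>
JkMount /otherapp/* ajp13
'''

JKMOUNT = re.compile(r'^\s*JkMount\s+(\S+)\s+(\S+)', re.I | re.M)
LOCATION = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>',
                      re.I | re.S)
DENY_ALL = re.compile(r'^\s*deny\s+from\s+all\s*$', re.I | re.M)
PROTECTED = ("WEB-INF", "META-INF")


def audit(conf):
    """Return {context: [dirs lacking a deny block]} for webapps where
    only some URL patterns go to Tomcat and Apache serves the rest."""
    # Paths that have a <Location> block containing "deny from all".
    denied = {path.rstrip("/") for path, body in LOCATION.findall(conf)
              if DENY_ALL.search(body)}
    # Group JkMount patterns by the directory part of the URL.
    mounts = {}
    for pattern, _worker in JKMOUNT.findall(conf):
        context, _, tail = pattern.rpartition("/")
        mounts.setdefault(context, set()).add(tail)
    findings = {}
    for context, tails in mounts.items():
        if "*" in tails:
            continue  # everything under this path is forwarded to Tomcat
        missing = [d for d in PROTECTED if f"{context}/{d}" not in denied]
        if missing:
            findings[context] = missing
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
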
