[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)



>> I consider that a bug, and should probably file one.  tomcat 
>should not run as
>> the same user as apache, for security reasons.
>
>In previous versions the auto-generated config file looked like this:
>
>JkMount /mywebapp/*.jsp ajp12
><Location "/mywebapp/WEB-INF/">
>  AllowOverride None
>  deny from all
></Location>
><Location "/mywebapp/META-INF/">
>  AllowOverride None
>  deny from all
></Location>
>
>So static parts inside the /mywebapp directoy were served by 
>Apache directly
>and dynamic parts (JSP pags and servlets) were passed to Tomcat using
>mod_jk. This changed in Tomcat 3.3: All files inside /mywebapp 
>are handled
>by Tomcat now, like in this example:
>
>JkMount /mywebapp/* ajp13

It's not mandatory, many of us still didn't use the autoconf
feature of tomcat. Furthermore in next release of Tomcat 3.3/4.0
and mod_jk, the webapp will be discovered and sent via new
protocol ajp14 :)))

>If you want to restrict access to some files inside the webapp 
>using UNIX
>file permissions both Apache and Tomcat need to run as the 
>same user. If
>you want to run Tomcat as a different user you can do so by changin
>/etc/default/tomcat.

Yep, I added also in tomcat bin wrapper a :

chown -R tcuser:tcuser /var/tomcat/

to make sure that tomcat is running with the rigth profile



Reply to: