RE: Tomcat userid (was Re: Tomcat 3.3 / 4.0 ? When?)
>> I consider that a bug, and should probably file one. tomcat should not run as
>> the same user as apache, for security reasons.
>
>In previous versions the auto-generated config file looked like this:
>
>JkMount /mywebapp/*.jsp ajp12
><Location "/mywebapp/WEB-INF/">
> AllowOverride None
> deny from all
></Location>
><Location "/mywebapp/META-INF/">
> AllowOverride None
> deny from all
></Location>
>
>So static parts inside the /mywebapp directory were served by Apache directly
>and dynamic parts (JSP pages and servlets) were passed to Tomcat using
>mod_jk. This changed in Tomcat 3.3: All files inside /mywebapp are handled
>by Tomcat now, like in this example:
>
>JkMount /mywebapp/* ajp13

It's not mandatory; many of us still don't use the autoconf
feature of Tomcat. Furthermore, in the next release of Tomcat 3.3/4.0
and mod_jk, the webapp will be discovered and sent via the new
protocol ajp14 :)))

>If you want to restrict access to some files inside the webapp using UNIX
>file permissions both Apache and Tomcat need to run as the same user. If
>you want to run Tomcat as a different user you can do so by changing
>/etc/default/tomcat.

Yep, I also added in the tomcat bin wrapper a:
chown -R tcuser:tcuser /var/tomcat/
to make sure that tomcat is running with the right profile.
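
A check that could follow the `chown -R tcuser:tcuser /var/tomcat/` step when Tomcat and Apache run as different users, as an added example that is not part of the original message. The function name `audit_tomcat_tree` and the `OWNER`/`WORLD` tags are hypothetical, and a POSIX `find` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat tree after the chown.
# Usage: audit_tomcat_tree DIR OWNER
#   DIR   e.g. /var/tomcat
#   OWNER account Tomcat runs as (name or numeric uid), e.g. tcuser
# Prints one line per finding and returns 1 if there are any, 0 if clean,
# 2 if DIR is not a directory.
audit_tomcat_tree() {
    att_dir=$1
    att_owner=$2
    if [ ! -d "$att_dir" ]; then
        echo "ERROR: $att_dir is not a directory" >&2
        return 2
    fi
    att_findings=$(
        # Files the recursive chown missed, or that another account
        # created afterwards.
        find "$att_dir" ! -user "$att_owner" -exec printf 'OWNER %s\n' {} \;
        # WEB-INF and META-INF content that any other local account
        # (including a separate Apache user) can read, write or traverse.
        find "$att_dir" \
            \( -path '*/WEB-INF' -o -path '*/WEB-INF/*' \
               -o -path '*/META-INF' -o -path '*/META-INF/*' \) \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'WORLD %s\n' {} \;
    )
    if [ -z "$att_findings" ]; then
        return 0
    fi
    printf '%s\n' "$att_findings"
    return 1
}

# Run directly as: sh audit.sh /var/tomcat tcuser
if [ $# -eq 2 ]; then
    audit_tomcat_tree "$1" "$2"
fi
```
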