Re: [thredds] content/thredds permissions using repo tomcat

Hi Howard,

Glad you got it fixed.

That sounds like the right solution. I believe (but don't have a RHEL
machine handy to double check) that Tomcat is installed in
/var/lib/tomcat5. There are links in /usr/share/tomcat5 to each of the
subdirectories (bin, conf, webapps, etc). And Tomcat is started with a
call to /usr/share/tomcat5/bin.

At some point the TDS de-references the webapps symbolic link (with a
call to File.getCanonicalFile()) and tries to access the content/thredds
directory in /var/lib/tomcat5/content. It is at this point that this
problem occurs:

> Mar 12, 2009 10:36:22 PM org.apache.catalina.core.ApplicationContext log
> SEVERE: StandardWrapper.Throwable
> java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat6/content/thredds/logs read)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>     ...

I think the TDS could handle these directory paths more carefully and
not run into this problem. I'm going to add this issue to our toDo list.

Thanks for reporting,

Ethan


On 3/7/2011 3:01 PM, Howard wrote:
> Hi Ethan
> 
> So I did fix the problem, and the fix seems to be a bit obscure.  I
> ended up creating the content directory by hand and linking it in
> /usr/share/tomcat5.  But the obscure part is it turns out you have to
> put the content dir in a particular place, namely
> 
> /var/lib/tomcat5/content
> 
> I'm not sure why it cares so much, but it has something to do with the
> fact that the attempt to create/find the content directory is actually
> looking for
> 
> /usr/share/tomcat5/webapps/thredds/../../content/thredds
> 
> instead of /usr/share/tomcat5/content
> 
> Can you please ensure that this resolution finds its way into the
> appropriate archive.
> 
> Thanks again
> Howard
> 
> 
> On 3/7/11 4:18 PM, Ethan Davis wrote:
>> Hi Howard,
>>
>> On 3/7/2011 1:13 PM, Howard wrote:
>>> Hi Ethan
>>>
>>> I found this thread on the mailing list archive, but I don't know how to
>>> reply. So please forgive the direct question.
>> No problem and I'm going to CC the thredds list so it is archived and
>> searchable ...
>>
>>> http://www.unidata.ucar.edu/mailing_lists/archives/thredds/2009/msg00057.html
>>>
>>> The part that I am interested in is this part:
>>>
>>>> #2, what does your deployment descriptor (web.xml) file specify for
>>>> the "unpackwars" attribute? Is it true (the default) or false? If it
>>>> is true, it's possible you're having the same issue as with the Red
>>>> Hat-provided Tomcat: that there are a passel of symlinks between
>>>> various /var/lib/tomcat dirs and /usr/share/tomcat dirs, and when you
>>>> drop the Tomcat WAR file into the /webapps directory, the THREDDS
>>>> servlet cannot construct the proper /content/thredds directories. If
>>>> this is the case, change this attribute to false, and re-deploy the
>>>> servlet and see if you get this error.
>>> I am trying to use the Redhat provided Tomcat to deploy thredds and I am
>>> having the same issue as the original poster.  Was there ever a
>>> resolution for this other than not unpacking the war (which at the time
>>> of the message didn't work)? I tried creating the content directory by
>>> hand as the user tomcat.  No luck. Any ideas?
>> My understanding is that the RedHat provided Tomcat uses symbolic links
>> in a number of places and your content/thredds directory needs to be
>> linked in a similar manner. Here's a quote from another email to the
>> thredds list:
>>
>>   "3) Then I had to ensure new directory for THREDDS
>>    was created (/var/lib/tomcat5/content/), with
>>    ownership and permissions for the Tomcat user,
>>    symlinked from /usr/share/tomcat5/content."
>>
>> There might be more of interest to you in the email so here's the link:
>>
>> http://www.unidata.ucar.edu/mailing_lists/archives/thredds/2009/msg00139.html
>>
>> Hope that helps,
>>
>> Ethan
>>
>>> Thanks
>>> Howard
>>>
>>> -- 
>>> Howard Lander <mailto:howard@xxxxxxxxx>
>>> Senior Research Software Developer
>>> Renaissance Computing Institute (RENCI) <http://www.renci.org>
>>> The University of North Carolina at Chapel Hill
>>> Duke University
>>> North Carolina State University
> 
> 
> -- 
> Howard Lander <mailto:howard@xxxxxxxxx>
> Senior Research Software Developer
> Renaissance Computing Institute (RENCI) <http://www.renci.org>
> The University of North Carolina at Chapel Hill
> Duke University
> North Carolina State University
> 100 Europa Drive
> Suite 540
> Chapel Hill, NC 27517
> 919-445-9651
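
The path resolution discussed in this thread, as an added example that is not part of the original messages or of the TDS code: a POSIX shell script that rebuilds the symlinked Tomcat layout inside a temporary directory and checks where webapps/thredds/../../content/thredds physically lands. The sandbox paths and function names are constructed for illustration, and `cd -P` / `pwd -P` is assumed here as a stand-in for what File.getCanonicalFile() does with the symlink.

```shell
#!/bin/sh
# Added example. All paths live under a mktemp sandbox (constructed layout that
# mirrors the one described in the thread); nothing under /usr or /var is touched.

# Physical location of <webapp_dir>/../../content/thredds: symlinks are
# followed before ".." is applied, as canonicalisation does.
content_dir_for() {
    parent=$(cd -P -- "$1/../.." 2>/dev/null && pwd -P) || return 1
    printf '%s/content/thredds\n' "$parent"
}

# Packaged-Tomcat layout: real dirs under var/lib, a webapps symlink under
# usr/share. Prints the physical sandbox root.
build_sandbox() {
    root=$(mktemp -d) || return 1
    root=$(cd -P -- "$root" && pwd -P)
    mkdir -p "$root/var/lib/tomcat5/webapps/thredds" "$root/usr/share/tomcat5"
    ln -s "$root/var/lib/tomcat5/webapps" "$root/usr/share/tomcat5/webapps"
    printf '%s\n' "$root"
}

# Succeeds only if the content directory reachable through the start-up path
# (usr/share/tomcat5/content) is the same physical directory the webapp resolves.
content_link_ok() {
    want=$(content_dir_for "$1/usr/share/tomcat5/webapps/thredds") || return 1
    have=$(cd -P -- "$1/usr/share/tomcat5/content/thredds" 2>/dev/null && pwd -P) || return 1
    [ "$want" = "$have" ]
}

# The fix from the thread: real directory under var/lib, symlink from usr/share.
apply_fix() {
    mkdir -p "$1/var/lib/tomcat5/content/thredds"
    ln -s "$1/var/lib/tomcat5/content" "$1/usr/share/tomcat5/content"
}

demo() {
    r=$(build_sandbox) || return 1
    echo "webapp resolves to: $(content_dir_for "$r/usr/share/tomcat5/webapps/thredds")"
    mkdir -p "$r/usr/share/tomcat5/content/thredds"   # plain dir, wrong place
    content_link_ok "$r" && echo "plain dir: match" || echo "plain dir: mismatch"
    rm -rf "$r/usr/share/tomcat5/content"
    apply_fix "$r"
    content_link_ok "$r" && echo "symlinked dir: match" || echo "symlinked dir: mismatch"
    rm -rf "$r"
}
demo
```

The resolved directory is also the path that appears in the java.io.FilePermission line of the AccessControlException, so it is the one to compare against ownership, mode bits and any security-manager policy grant.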