Re: [thredds] content/thredds permissions using repo tomcat

  • To: Isaac Vetter <isaac@xxxxxxxxxx>
  • Subject: Re: [thredds] content/thredds permissions using repo tomcat
  • From: Greg Keith <Greg.Keith@xxxxxxxx>
  • Date: Fri, 13 Mar 2009 14:18:54 -0600

Hi Isaac -

A couple of possibilities for you to consider - #1, are you running
the Java security manager with the default security policy? If so,
then you're getting this error because the default Tomcat security
policy (catalina.policy) is not set up for THREDDS. Currently, there
is no THREDDS-specific Java security policy, so you're on your own if
you're trying that.

#2, what does your deployment descriptor (web.xml) file specify for
the "unpackwars" attribute? Is it true (the default) or false? If it
is true, it's possible you're having the same issue as with the Red
Hat-provided Tomcat: that there are a passel of symlinks between
various /var/lib/tomcat dirs and /usr/share/tomcat dirs, and when you
drop the Tomcat WAR file into the /webapps directory, the THREDDS
servlet cannot construct the proper /content/thredds directories. If
this is the case, change this attribute to false, and re-deploy the
servlet and see if you get this error.

I don't believe your suggestion of running everything as root would
make a difference to this issue. Even if it did, you should not be
running Tomcat as root on a production server - all the Tomcat files
should be owned by tomcat user (for lots of discussion on this, see:
http://marc.info/?t=104516038700003&r=1&w=2).

In fact, if you are running Tomcat on an external-facing server, you
should be running it front-ended by Apache Web server as a reverse
proxy, with no direct external access to port 8080 (about five lines
of Apache config for this - see
http://www.jedi.be/blog/2009/03/03/using-apache-as-a-reverse-proxy-to-access-tomcat-in-virtual-machines/),
and with other ports disabled in the Tomcat config files (and via your
firewall rules), or some such secure configuration, if you can, and
also ensure that you have locked down the Tomcat application itself -
OWASP has an excellent document on securing Tomcat at:
http://www.owasp.org/index.php/Securing_tomcat.

Greg

Isaac Vetter wrote:
> Hi All;
>
> I'm trying to set up a production thredds server on a ubuntu server
> (tomcat6, sun-java6, ubuntu server 8.10). I (and my sysadmin) would prefer
> to use the OS repository's tomcat install, instead of downloading from
> apache, in order to keep the upgrade process smooth.
>
> I cannot get 3.17, nor 4.0, to generate the content/thredds directory when
> deployed inside of ubuntu's tomcat. Using 3.17, upon deploy, the logged
> error is:
>
>> java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat6/content/thredds/logs read)
>
> (More of the stack trace is below). I'm interpreting this error to mean that
> the content/thredds/log files that didn't get created cannot be read from.
>
> I've made /var/lib/tomcat6 (my CATALINA_BASE) owned by the user running
> tomcat. I've even successfully deployed thredds in another tomcat and copied
> the content/thredds directory into /var/lib/tomcat6/ to no avail.
>
> The ubuntu repository provided init script for tomcat uses jsvc to start
> tomcat. I believe that if I just run tomcat as root, it'll work. The
> tutorial documentation describes running tomcat as the same user that owns
> all of the files in the tomcat install. Is this completely necessary?
>
> What files and directories do need to be writable by the user that's running
> tomcat? Any other suggestions?
>
> Much Thanks,
>
> Isaac Vetter
> Data Architect
> College of Science
> Purdue University
>
>
>
> Mar 12, 2009 10:36:22 PM org.apache.catalina.core.ApplicationContext log
> SEVERE: StandardWrapper.Throwable
> java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat6/content/thredds/logs read)
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>     at java.security.AccessController.checkPermission(AccessController.java:546)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>     at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>     at java.io.File.exists(File.java:731)
>     at thredds.servlet.ServletUtil.initLogging(ServletUtil.java:86)
>
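As an added illustration of Greg's first possibility (this is not code from the thread, from THREDDS or from Tomcat), a small Python helper that pulls the denied permission out of the Tomcat log excerpt Isaac quoted and renders it as a catalina.policy grant block; the codeBase and the ${catalina.base} rewrite are assumptions about where the WAR is unpacked.

```python
import re

# Constructed sample: the Tomcat log excerpt quoted in the thread, with the
# mail-client line wrapping undone. The target path is the one from the post.
SAMPLE_LOG = """\
Mar 12, 2009 10:36:22 PM org.apache.catalina.core.ApplicationContext log
SEVERE: StandardWrapper.Throwable
java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat6/content/thredds/logs read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
    at thredds.servlet.ServletUtil.initLogging(ServletUtil.java:86)
"""

# Matches both the Java 6 message form, access denied (cls target actions),
# and the later quoted form, access denied ("cls" "target" "actions").
DENIED_RE = re.compile(
    r'AccessControlException: access denied \(\s*"?(?P<cls>[\w.]+)"?\s+'
    r'"?(?P<target>[^"\s)]+)"?\s+"?(?P<actions>[\w,]+)"?\s*\)'
)


def parse_denials(log_text):
    """Return the (permission class, target, actions) triples the security
    manager refused, in log order, without duplicates."""
    seen = []
    for m in DENIED_RE.finditer(log_text):
        triple = (m.group("cls"), m.group("target"), m.group("actions"))
        if triple not in seen:
            seen.append(triple)
    return seen


def policy_grant(denials, catalina_base="/var/lib/tomcat6",
                 codebase="file:${catalina.base}/webapps/thredds/-"):
    """Render a catalina.policy grant block covering exactly the denied checks.
    Paths under CATALINA_BASE are rewritten to the ${catalina.base} property,
    which Tomcat's own policy file already uses, so the block is portable.
    The codeBase is an assumption: adjust it to where the WAR is unpacked."""
    lines = ['grant codeBase "%s" {' % codebase]
    for cls, target, actions in denials:
        if target.startswith(catalina_base + "/"):
            target = "${catalina.base}" + target[len(catalina_base):]
        lines.append('    permission %s "%s", "%s";' % (cls, target, actions))
    lines.append("};")
    return "\n".join(lines)
```

Each grant covers only the check that actually failed, so re-deploy and repeat until the log is clean, or widen the target to the whole content/thredds tree once the set of paths is known.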





