Re: [thredds] content/thredds permissions using repo tomcat

Hi Isaac, Greg,

I don't have much to add to Greg's comments. Just a few notes below.

Greg Keith wrote:
> A couple of possibilities for you to consider - #1, are you running
> the Java security manager with the default security policy? If so,
> then you're getting this error because the default Tomcat security
> policy (catalina.policy) is not set up for THREDDS. Currently, there
> is no THREDDS-specific Java security policy, so you're on your own if
> you're trying that.

If you are certain the user running Tomcat has permission to read and
write in the CATALINA_BASE directory, then Greg's #1 is at the top of my
list. Also, the details of the stack trace seem to point to the Java
security manager.

I don't know much about writing security policy. However, here's my take
on the places on the file system the TDS needs access to:

1) ${catalina.base}/content/thredds [*] - read and write

2) Any directory specified in the TDS configuration
catalogs by a datasetScan@location, datasetRoot@location
or datasetFmrc/netcdf/aggregation@scan - read (and, if
you are running any GRIB indexing, write as well)

3) Any caching directories specified in the threddsConfig.xml file -
read and write


[*] The location for "content/thredds" will be configurable in TDS 4.0.

> #2, what does your deployment descriptor (web.xml) file specify for
> the "unpackwars" attribute? Is it true (the default) or false? If it
> is true, it's possible you're having the same issue as with the Red
> Hat-provided Tomcat: that there are a passel of symlinks between
> various /var/lib/tomcat dirs and /usr/share/tomcat dirs, and when you
> drop the Tomcat WAR file into the /webapps directory, the THREDDS
> servlet cannot construct the proper /content/thredds directories. If
> this is the case, change this attribute to false, and re-deploy the
> servlet and see if you get this error.

Currently, the TDS will fail on initialization if it is not running with
an unpacked war. This will not be the case for TDS 4.0 when the
"content/thredds" directory is specified with an absolute directory
location.

Ethan

> I don't believe your suggestion of running everything as root would
> make a difference to this issue. Even if it did, you should not be
> running Tomcat as root on a production server - all the Tomcat files
> should be owned by tomcat user (for lots of discussion on this, see:
> http://marc.info/?t=104516038700003&r=1&w=2).
> 
> In fact, if you are running Tomcat on an external-facing server, you
> should be running it front-ended by Apache Web server as a reverse
> proxy, with no direct external access to port 8080 (about five lines
> of Apache config for this - see
> http://www.jedi.be/blog/2009/03/03/using-apache-as-a-reverse-proxy-to-access-tomcat-in-virtual-machines/),
> and with other ports disabled in the Tomcat config files (and via your
> firewall rules), or some such secure configuration, if you can, and
> also ensure that you have locked down the Tomcat application itself -
> OWASP has an excellent document on securing Tomcat at:
> http://www.owasp.org/index.php/Securing_tomcat.
> 
> Greg
> 
> Isaac Vetter wrote:
>
[snip]
> 
>> Mar 12, 2009 10:36:22 PM org.apache.catalina.core.ApplicationContext log
>> SEVERE: StandardWrapper.Throwable
>> java.security.AccessControlException: access denied (java.io.FilePermission /var/lib/tomcat6/content/thredds/logs read)
>>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
>>     at java.security.AccessController.checkPermission(AccessController.java:546)
>>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>     at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
>>     at java.io.File.exists(File.java:731)
>>     at thredds.servlet.ServletUtil.initLogging(ServletUtil.java:86)


-- 
Ethan R. Davis                                Telephone: (303) 497-8155
Software Engineer                             Fax:       (303) 497-8690
UCAR Unidata Program Center                   E-mail:    edavis@xxxxxxxx
P.O. Box 3000
Boulder, CO  80307-3000                       http://www.unidata.ucar.edu/
---------------------------------------------------------------------------
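The three file-system locations Ethan lists above, written out as a catalina.policy grant for the TDS webapp. This is an added example, not something from the thread or from the THREDDS project; it assumes the TDS is unpacked at ${catalina.base}/webapps/thredds, that dataset directories live under /data/tds and that the threddsConfig.xml cache directory is /var/cache/tds (all three are placeholders to be replaced with the real paths), and it covers only the file-system permissions, not anything else Tomcat's default policy already grants to webapps.

```java
// Added example (not from the thread). Append to ${catalina.base}/conf/catalina.policy
// when Tomcat runs with the Java security manager (-security).
// Placeholder paths: /data/tds and /var/cache/tds; adjust to your deployment.
grant codeBase "file:${catalina.base}/webapps/thredds/-" {

    // 1) ${catalina.base}/content/thredds : read and write.
    //    The directory itself and everything below it ("/-" is recursive)
    //    need separate entries; the first lets the TDS create content/thredds/logs.
    permission java.io.FilePermission
        "${catalina.base}${/}content${/}thredds", "read,write";
    permission java.io.FilePermission
        "${catalina.base}${/}content${/}thredds${/}-", "read,write";

    // 2) Every directory named by datasetScan@location, datasetRoot@location
    //    or datasetFmrc/netcdf/aggregation@scan in the catalogs : read.
    //    Change to "read,write" for trees where GRIB indexing writes index files.
    permission java.io.FilePermission "/data/tds", "read";
    permission java.io.FilePermission "/data/tds${/}-", "read";

    // 3) Cache directories from threddsConfig.xml : read and write.
    permission java.io.FilePermission "/var/cache/tds", "read,write";
    permission java.io.FilePermission "/var/cache/tds${/}-", "read,write";
};
```

Note that java.io.FilePermission compares canonical paths, so on a Red Hat layout where /var/lib/tomcat6 is a symlink into /usr/share/tomcat6 the grant must name the resolved path (or ${catalina.base} must already be the resolved one), otherwise the same AccessControlException as in Isaac's trace persists even with the grant in place.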