Hello, I am just setting up a fresh DSpace instance of the most recent version released.
It is a long time since I set up everything from scratch and I refrain from copying any old stuff from my other instance just to get it up quickly. I have got the feeling that I tweaked and cheated in so many places before, just to get it working anyhow, that I wanted to know whether I can manage to get it running in a cleaner way relying on experience gathered meanwhile. Debian Lenny, the default Tomcat package is a Tomcat 5.5 with Security Manager enabled. Today, I spent a whole day to write a policy file to make DSpace work with Tomcats Security Manager turned on. It did not work out so far and I am really tempted to skip this. But come on, it should be possible to get this done. So here is what I did so far. So either use it if you are about to accomplish the same or give me a hint if you are one step ahead. I found a year old thread initiated by Andrew Peter Marlow with subject "trouble with tomcat, java security and logging" on this list as a starter, but it did not help me much. The DSpace Wiki seems to lack this kind of info as well. I read the following docs up and down. As of my perception, they explain quite a bit but they are by far not exhaustive when it comes to syntax details: <http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html> <http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html#FileSyntax> <http://java.sun.com/j2se/1.5.0/docs/guide/security/permissions.html#RuntimePermission> In Debian, the $Catalina.home/conf/catalina.policy file gets constructed upon start by concatenating the files contents from this directory: /etc/tomcat5.5/policy.d/. I created a new file 60dspace.policy within this directory containing the following rules: grant { permission java.io.FilePermission "/srv/dspace/handle-server/-", "read, write"; permission java.io.FilePermission "/srv/dspace/history/-", "read, write"; permission java.io.FilePermission "/srv/dspace/log/-", "read, write"; permission java.io.FilePermission "/srv/dspace/reports/-", "read, write"; permission java.io.FilePermission "/srv/dspace/search/-", "read, write"; permission java.io.FilePermission "/srv/dspace/solr/-", "read, write"; permission java.io.FilePermission "/srv/dspace/upload/-", "read, write"; permission java.io.FilePermission "/srv/dspace/-", "read"; permission java.io.FilePermission "${catalina.base}/-", "read"; permission java.io.FilePermission "/usr/share/java/*", "read"; permission java.util.PropertyPermission "dspace.*", "read"; permission java.util.PropertyPermission "java.*", "read"; permission java.util.PropertyPermission "org.*", "read"; permission java.util.PropertyPermission "solr.*", "read"; permission java.util.PropertyPermission "user.*", "read"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "accessClassInPackage.*"; permission java.net.SocketPermission "127.0.0.1:5432", "connect"; permission javax.management.MBeanServerPermission "findMBeanServer"; permission javax.management.MBeanPermission "org.*", "registerMBean"; }; Note that my dspace.dir is set to /srv/dspace to conform to the File Hierarchy Standard. I found a hint on the web, that it should be possible to put a policy file into the WEB-INF directory of a web application which I think would be a great solution, but it has to work before. The only logfile that is not empty so far is the catalina.log. I added a line in my policy file for each line starting with "SEVERE:" or "Caused". Most of the lines are there to satisfy the requirements of Solr. It is hard to determine which file actually requires a certain permission, so I have only one large grant policy without a codeBase attribute. It remains a bit unclear whether one might write a list of probably comma separated targets in one permission statement - I did not try. It is also not clear in which way several permissions for a certain target get combined. So I wrote the most specific target first with all actions desired. This is why /srv/dspace/log/ and other subdirectories are listed before /srv/dspace/ and why they carry both actions, read and write, although the read action is specified for the parent directory with all its subdirectories later on again. Also, the different meaning of * (current directory) and - (all subdirectories) was explained for codeBase but seems to apply to targets as well. The strand syntax "driver.jar!/-" found in the example files in conjuntion with database connections was not explained anywhere (the .jar file, but not the files expanded from the .jar?). Tomcat Documentation says that the catalina.policy replaces the default java.policy but I doubt that because the Java Documentation says that it requires a == to replace the default policy instead of adding to it. Currently, I am stuck with some log entries like this: 06.04.2010 23:14:38 org.apache.catalina.core.StandardService start INFO: Starting service Catalina 06.04.2010 23:14:38 org.apache.catalina.core.StandardEngine start INFO: Starting Servlet Engine: Apache Tomcat/5.5 06.04.2010 23:14:38 org.apache.catalina.core.StandardHost start INFO: XML validation disabled 06.04.2010 23:14:41 org.apache.catalina.core.StandardContext start SEVERE: Error listenerStart 06.04.2010 23:14:41 org.apache.catalina.core.StandardContext start SEVERE: Context [/xmlui] startup failed due to previous errors These messages disappear when I remove all webapps from the webapps directory. So, the $catalina.home/conf/context.xml seems to be read only if there are other webapps. The content of this file is: <Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context> Google spit out a lot of stuff, but nothing was helpful for me so far. Bye, Christian ------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev _______________________________________________ DSpace-tech mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/dspace-tech
