[SOLVEDRE] : UNIX+Apache+Tomcat Situtation

2003-10-22 Thread earle . flynn
Daniel,
Thank you for your excellent response. :) By the time I got it, though, I was
pretty much resolved to the idea that it was not a UNIX permission issue at
all, as I had many hours (read: sore shoulder) into throwing every UNIX
permission switch in the book. Btw, it's an HP environment but this solution
could apply to any *NIX setup.

The error was actually occurring in the graphics library JFreeChart. When the
developer logged into the workstation physically at the console and then
started Tomcat the graphics libraries in JFreeChart were able to draw to
X11. There was a 'head'. But remote users like root or tomcat_user were
'headless'. Hence the graphics methods failed because they were unable to
draw to a 'window'.

The solution is to install PJA libraries from http://www.eteks.com/pja/en/
which remedy the need to draw to a window. Note, this issue is resolved by
installing JDK 1.4 too but this was not an option. The situation is possibly
better explained by this para from the PJA site;

"When no X11 Display is available on a UNIX machine (also called headless
environment) or when GDI resources are low on Windows, it is impossible to
compute off-screen images with java.awt.Graphics methods under a JDK version
< 1.4, even if your program doesn't need to display these images. Typically,
this situation happens for servlets returning dynamically generated images
like pies, charts or web counters.
With PJA, you don't need to change your Java programs that you expected to
run : setting java.awt system property to com.eteks.awt.PJAToolkit is the
only required modification to your program with Java 1.1 (see PJA FAQ and
com.eteks.awt.PJAToolkit class documentation for more information)."

Regards,
Earle

-Original Message-
From: Daniel Gibby [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 3:48 PM
To: Tomcat Users List
Subject: Re: UNIX+Apache+Tomcat Situtation


This really sounds like it is a unix permissions issue, but it could be 
a Security issue with java as well. I don't know as much about the java 
Security model, but I can tell you things to check for with unix 
permissions:

So if 'developer' is the owner of the tomcat directory, and your webapps 
and all files that are trying to be written are under that directory, it 
sounds like it works fine for you when 'developer' starts tomcat- so 
tomcat is run as the developer user, and since developer has rights to 
create files under that directory, it works fine.
On the other hand your tomcat user doesn't sound like it has rights.

I would suggest that you always run tomcat as the tomcat user, and make 
developer and root start it as the tomcat user.
That can be easily done with a startup script instead of calling 
$TOMCAT_HOME/bin/startup.sh directly or whatever it is.
I would make sure that the directories all have the tomcat user as the 
owner and group, and then add root and developer to that group.

What Unix is this? Linux? Solaris?
Here is the format to make tomcat run as the tomcat user with a 
/etc/rc.d/tomcat

I also have catalina.out automatically rotated every time I start tomcat.

#!/bin/sh
 ##

# Comments to support chkconfig on RedHat Linux
# chkconfig: 2345 84 84
# description: A very fast and reliable J2EE Servlet Container.


timestamp=`date +%Y-%m-%d-%H%M%S`
echo "timestamp= $timestamp"

LD_ASSUME_KERNEL=2.2.5
export LD_ASSUME_KERNEL
echo "LD_ASSUME_KERNEL= $LD_ASSUME_KERNEL"

JAVA_HOME=/usr/local/java
export JAVA_HOME
echo "JAVA_HOME= $JAVA_HOME"

CLASSPATH=/usr/local/java/jre/lib/core.jar:/usr/local/java/jre/lib/server.jar
export CLASSPATH
echo "CLASSPATH= $CLASSPATH"

TOMCAT_HOME=/usr/local/jakarta-tomcat
export TOMCAT_HOME
echo "TOMCAT_HOME= $TOMCAT_HOME"

#CATALINA_OPTS="-Xms196m -Xmx896m -Dbuild.compiler.emacs=true"
#export CATALINA_OPTS
#echo "CATALINA_OPTS= $CATALINA_OPTS"

 case $1 in
 'start')
  # Rotate catalina.out, then start Tomcat as the unprivileged tomcat4 user
  su tomcat4 -c "mv $TOMCAT_HOME/logs/catalina.out $TOMCAT_HOME/logs/catalina.$timestamp"
  su tomcat4 -c "$TOMCAT_HOME/bin/startup.sh"
  sleep 10
  /usr/sbin/apachectl graceful
  ;;
 'stop')
  su tomcat4 -c "$TOMCAT_HOME/bin/shutdown.sh"
  ;;
 'status')
  ps auxw | fgrep tomcat | fgrep -v status | fgrep -v grep | fgrep -v tail
  ;;
 *)
  echo "usage: $0 {start|stop|status}"
  ;;
 esac
# END OF /etc/rc.d/tomcat

Daniel


[EMAIL PROTECTED] wrote:

>Hello,
>I have a situation where if a developer owns Tomcat 3 and stops/starts
>server the apps on that server all j2ee web-apps run fine. If I as root or
>'tomcat_user' or su to developer id stop/start Tomcat 3 then all j2ee
>web-apps run except modules that produce .jpegs dynamically. In the latter
>case Tomcat was setup so that the user who stop/started Tomcat owned all
>file/directories.
>
>My first response was to make all files/directories world
>read,write,execute. It must be a UNIX permission thing right. Also I umask'd
>and source'd the UNIX personal env of each user to be w
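
Added example (not part of the original thread): a read-only check for the state Daniel's advice aims at, and for the leftovers of a world read/write/execute debugging pass. It lists entries under the Tomcat directory that are world-writable or not owned by the Tomcat user and group. The function name and the output format are made up for this example.

```sh
#!/bin/sh
# audit_tomcat_tree DIR USER GROUP   (hypothetical helper, added example)
# Prints one finding per line as "<reason> <path>".
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad input.
audit_tomcat_tree() {
    dir=$1 user=$2 group=$3
    if [ ! -d "$dir" ]; then
        echo "not-a-directory $dir"
        return 2
    fi
    findings=$(
        # World-writable files and directories; symlinks always show
        # mode 0777, so they are skipped to avoid false positives.
        find "$dir" ! -type l -perm -0002 -print | sed 's/^/world-writable /'
        # Anything the service account does not own (name or numeric id).
        find "$dir" ! -user "$user" -print | sed 's/^/wrong-owner /'
        find "$dir" ! -group "$group" -print | sed 's/^/wrong-group /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /usr/local/jakarta-tomcat tomcat4 tomcat4
if [ "$#" -eq 3 ]; then
    audit_tomcat_tree "$@"
fi
```

Run it as root or as the Tomcat user so that find can descend into every directory; it changes nothing on disk.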

RE: [SOLVEDRE] : UNIX+Apache+Tomcat Situtation

2003-10-22 Thread Shapira, Yoav

Howdy,
Just out of curiosity, why couldn't you move to JDK 1.4 (so you could add
-Djava.awt.headless=true)?


Yoav Shapira
Millennium ChemInformatics

