David Bussenschutt wrote:

> Q1,
> Thanks andreas, this fixed it:
> cd /path/to/tomcat/webapps/
> find . -type d -print | xargs -n1 chmod o+x
> find . -type f -print | xargs -n1 chmod o+r
> Is that going to be a security problem giving 'nobody' read access to all
> of 'webapps' ?
>

It shouldn't (but see below).  In fact, as you have discovered, Tomcat will not be
able to work without this.

One potential issue that a sysop might want to be aware of:  many servlet based
applications customize themselves based on configuration files.  For example, the
servlet container itself references a file named WEB-INF/web.xml (inside the
document root of each web application's base directory).  Often, there is
sensitive information (such as username/password combinations for database
logins) in these files, and the issue is "can a remote user access this file?"

The servlet API expressly prohibits serving files from a WEB-INF directory
directly to a client user, so a request like this:

    http://localhost:8080/myapplication/WEB-INF/web.xml

will fail.  Therefore, the WEB-INF directory is a pretty good place to store
configuration files for your apps.  Placing them anywhere else within the
document base directory for a web app risks compromising the information
contained in them.

>
> Everyone:
> Q2. I'm completely new to java and servlets (I'm just the sysop), but I'm
> guessing that in a development environment you'd be wanting to reload/stop
> a servlet frequently?
> Since all my ~3500 users are potential developers, then having just 1 (one)
> JVM might be a bad idea, and I doubt the server could cope with 3500 of
> them (actually it'd be more like 150-300 active at any one time).
> Any other ideas? Perhaps I could "cluster" the users into development
> "teams" and have a JVM for each? (giving them the power to restart their
> own JVM)
> If I wanted to have a JVM for every user(started on demand - I'm NOT
> running 3500 JVM's just in case some-one wants to use it) how would I go
> about arranging that? Is there a few hints in a how-to someplace?
>

If your developers are willing, one way to do this would be to have each user
have their own "$TOMCAT_HOME" directory.  (A few tweaks to the standard scripts
would let you share most of the actual files.)  Then, they could just run the
standard startup script when they wanted their own Tomcat to be running.  The
hard part of administering this, though, will be making sure that two developers
are not trying to use the same network port at the same time.

If your developers are running on their own PCs, another approach might be to
have them run Tomcat locally, instead of on the server.

>
> David.
>

Craig McClanahan
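As an added example (not part of the thread above), a POSIX shell script that applies the Q1 permission fix through the container's group rather than through "other", so files under WEB-INF that hold credentials are readable by the Tomcat account but not by every local login on a shared host; the group name `tomcat` and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the Tomcat process runs
# under an account that is a member of the group passed as $2 (e.g. "tomcat").

# Count files under any WEB-INF directory that are readable by "other".
# Returns the number on stdout so it can be checked in scripts.
count_world_readable_webinf() {
    find "$1" -path '*/WEB-INF/*' -type f -perm -o+r | wc -l | tr -d ' '
}

# Grant the container traverse/read access via group ownership instead of
# the o+x / o+r from the original fix, and strip all "other" bits.
tighten_webapps() {
    webapps="$1"
    group="$2"
    [ -d "$webapps" ] || { echo "not a directory: $webapps" >&2; return 1; }

    # Hand the whole tree to the container's group.
    chgrp -R "$group" "$webapps" || return 1
    # Directories: owner full, group traverse+list, others nothing.
    find "$webapps" -type d -exec chmod u=rwx,g=rx,o= {} +
    # Files (web.xml included): owner read/write, group read-only, others nothing.
    find "$webapps" -type f -exec chmod u=rw,g=r,o= {} +

    left=$(count_world_readable_webinf "$webapps")
    [ "$left" -eq 0 ] || { echo "still world-readable under WEB-INF: $left" >&2; return 1; }
}

# Example invocation (constructed paths):
#   tighten_webapps /path/to/tomcat/webapps tomcat
```

Run it once as the owner of the webapps tree; afterwards the count function is a quick audit that can be re-run after each deployment.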

