Shared hosting w/ Security-manager

 
Greenhorn
Posts: 10
I'm wondering if any Tomcat gurus can check my ideas here before I go charging down blind alleys.

Setup: Tomcat and Apache are running on the same server. Apache proxies requests to specific directories over to Tomcat, using mod_proxy_ajp.

Problem: Basic security. And we don't want to use many JVMs.

Directory form:
/var/www/account_1/virtual.example.com/...
/var/www/account_1/ethereal.example.com/...
/var/www/account_2/unreal.example.com/...
/var/www/account_2/eerie.example.com/...

Java code running from virtual.example.com or ethereal.com should have access to account_1 and subfolders, but no other files.

Similarly, code running from unreal or eerie should have access to account_2.

Right now we have some scripting which generates the apache config files etc., so a certain level of hardcoding is acceptable.

Question: Can I accomplish this using the SecurityManager policies? If so, can anyone provide tips?
 
Andrei Hager
Greenhorn
Posts: 10
The answer, for anyone searching and finding this, is yes.

You can generate entries like this in catalina.policy:

So any code recursively under file:/var/www/accounts/account_1/ can read/write there. (Within the standard OS user security model, of course.)
[ April 10, 2008: Message edited by: Andrei Hager ]
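
One way the existing config-generation scripting could emit per-account `catalina.policy` grants, as an added example that is not code from the original posts. The function names `grant_block` and `policy_for` and the constant `WEB_ROOT` are hypothetical; the directory layout is the one given in the question, and `web_root` can be changed if the accounts live elsewhere.

```python
import re
from pathlib import PurePosixPath

# Assumption: account directories sit directly under this root, as in the question.
WEB_ROOT = PurePosixPath("/var/www")

# Account names end up inside a quoted policy string and a filesystem path,
# so reject anything that could close the quote or climb out of the root.
_ACCOUNT_RE = re.compile(r"[A-Za-z0-9_]+")


def grant_block(account: str, web_root: PurePosixPath = WEB_ROOT) -> str:
    """Return one catalina.policy grant entry confining an account's code."""
    if not _ACCOUNT_RE.fullmatch(account):
        raise ValueError(f"unsafe account name: {account!r}")
    base = web_root / account
    return (
        # codeBase ending in "/-" matches all code recursively below the directory.
        f'grant codeBase "file:{base}/-" {{\n'
        # "/-" covers everything beneath the directory but not the directory
        # itself, so reading (listing) the top level needs its own permission.
        f'    permission java.io.FilePermission "{base}", "read";\n'
        f'    permission java.io.FilePermission "{base}/-", "read,write";\n'
        f'}};\n'
    )


def policy_for(accounts, web_root: PurePosixPath = WEB_ROOT) -> str:
    """Return grant entries for every distinct account, in stable order."""
    return "\n".join(grant_block(a, web_root) for a in sorted(set(accounts)))


if __name__ == "__main__":
    # Constructed sample input: the two accounts named in the question.
    print(policy_for(["account_1", "account_2"]))
```

Tomcat only enforces `catalina.policy` when it is started with the `-security` option.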
 