tags:

views:

1619

answers:

1
+2  Q: 

Setting catalina.policy to allow file access by servlets

We have a locally-developed triple store based on b-trees which I want to use for persistent storage in a number of servlet applications. Rather than embed the b-tree index files in the servlet .war, I would like to store them at a known location and have the servlets access them directly. This all works in Jetty, but raises a security exception when I try it in Tomcat. I'm told that Tomcat's security model requires explicit permissions for a servlet to access files outside the directory tree where the .war is unpacked. If I've understood the Tomcat (version 5.5) documentation correctly, the following added to catalina.policy should allow the servlet to access the directories where the index files are:

grant codeBase "jar:file:${catalina.home}/webapps/mytestapp/-"
{
  permission java.io.FilePermission "/var/data/tdb/-", "read, write, delete"; 
}

However, I still get a security exception:

java.io.FileNotFoundException: 
                    /var/data/tdb/kb/node2id.idn (Permission denied)
    at java.io.RandomAccessFile.open(Native Method)
    ...

To tick off the obvious dumb errors: I've checked that the index files are at the correct location, with the correct permissions, and are not corrupted. Any suggestions or hints at what I've got wrong in the security settings would be gratefully received.

+1  A:  
java.io.FileNotFoundException: 
                /var/data/tdb/kb/node2id.idn (Permission denied)

This is your OS denying access, not Java security. If it was Java security you would get an AccessControlException (or some other form of SecurityException). The user you are running the Tomcat process as presumably does not have access to that file.

Tom Hawtin - tackline  2009-02-23 20:49:20
Hi Tom,Thanks for the info. That was my first thought, but I've already chown'ed and chgrp'ed the files, and directory they are in, to the same user and group as the Tomcat process. Still, it gives me a pointer to investigate. Thanks.
Ian Dickinson  2009-02-23 21:03:58
Tom was right, it was an OS file permissions problem, not Tomcat. I haven't quite got to the bottom of it, but temporarily opening the file permissions on the test server to a+rw removes the exception. Now I just have to figure out a more restrictive setting that doesn't leave the store wide open!
Ian Dickinson  2009-02-23 21:38:56

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java