NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Isaac - A couple of possibilities for you to consider - #1, are you running the Java security manager with the default security policy? If so, then you're getting this error because the default Tomcat security policy (catalina.policy) is not set up for THREDDS. Currently, there is no THREDDS-specific Java security policy, so you're on your own if you're trying that. #2, what does your deployment descriptor (web.xml) file specify for the "unpackwars" attribute? Is it true (the default) or false? If it is true, it's possible you're having the same issue as with the Red Hat-provided Tomcat: that there are a passel of symlinks between various /var/lib/tomcat dirs and /usr/share/tomcat dirs, and when you drop the Tomcat WAR file into the /webapps directory, the THREDDS servlet cannot construct the proper /content/thredds directories. If this is the case, change this attribute to false, and re-deploy the servlet and see if you get this error. I don't believe your suggestion of running everything as root would make a difference to this issue. Even if it did, you should not be running Tomcat as root on a production server - all the Tomcat files should be owned by tomcat user (for lots of discussion on this, see: http://marc.info/?t=104516038700003&r=1&w=2). In fact, if you are running Tomcat on an external-facing server, you should be running it front-ended by Apache Web server as a reverse proxy, with no direct external access to port 8080 (about five lines of Apache config for this - see http://www.jedi.be/blog/2009/03/03/using-apache-as-a-reverse-proxy-to-access-tomcat-in-virtual-machines/), and with other ports disabled in the Tomcat config files (and via your firewall rules), or some such secure configuration, if you can, and also ensure that you have locked down the Tomcat application itself - OWASP has an excellent document on securing Tomcat at: http://www.owasp.org/index.php/Securing_tomcat. Greg Isaac Vetter wrote: > Hi All; > > I'm trying to set up a production thredds server on a ubuntu server > (tomcat6, sun-java6, ubuntu server 8.10). I (and my sysadmin) would prefer > to use the OS repository's tomcat install, instead of downloading from > apache, in order to keep the upgrade process smooth. > > I cannot get 3.17, nor 4.0, to generate the content/thredds directory when > deployed inside of ubuntu's tomcat. Using 3.17, upon deploy, the logged > error is: > >> java.security.AccessControlException: access denied (java.io.FilePermission > /var/lib/tomcat6/content/thredds/logs read) > > (More of the stack trace is below). I'm interpreting this error to mean that > the content/thredds/log files that didn't get created cannot be read from. > > I've made /var/lib/tomcat6 (my CATALINA_BASE) owned by the user running > tomcat. I've even successfully deployed thredds in another tomcat and copied > the content/thredds directory into /var/lib/tomcat6/ to no avail. > > The ubuntu repository provided init script for tomcat uses jsvc to start > tomcat. I believe that if I just run tomcat as root, it'll work. The > tutorial documentation describes running tomcat as the same user that owns > all of the files in the tomcat install. Is this completely necessary? > > What files and directories do need to be writable by the user that's running > tomcat? Any other suggestions? > > Much Thanks, > > Isaac Vetter > Data Architect > College of Science > Purdue University > > > > Mar 12, 2009 10:36:22 PM org.apache.catalina.core.ApplicationContext log > SEVERE: StandardWrapper.Throwable > java.security.AccessControlException: access denied (java.io.FilePermission > /var/lib/tomcat6/content/thredds/logs read) > at > java.security.AccessControlContext.checkPermission(AccessControlContext.java > :323) > at > java.security.AccessController.checkPermission(AccessController.java:546) > at > java.lang.SecurityManager.checkPermission(SecurityManager.java:532) > at java.lang.SecurityManager.checkRead(SecurityManager.java:871) > at java.io.File.exists(File.java:731) > at thredds.servlet.ServletUtil.initLogging(ServletUtil.java:86) > > _______________________________________________ > thredds mailing list > thredds@xxxxxxxxxxxxxxxx > For list information or to unsubscribe, visit: http://www.unidata.ucar.edu/mailing_lists/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFJur+u8IR34NeP2BwRAjInAJwL6EWC/OFzKT41MMNmgig5aVO/FwCeJpll zI6TBGNxy+yYGe8YRavYDzg= =oj7B -----END PGP SIGNATURE-----
thredds archives: