Trying to deploy a grails application in Ubuntu/Debian tomcat 5.5

Stephan Hermann sh at
Thu Aug 21 12:46:24 BST 2008


On Thu, Aug 21, 2008 at 01:28:41PM +0200, Henning Sprang wrote:
> On Thu, Aug 21, 2008 at 8:12 AM, Stephan Hermann <sh at> wrote:
> > good to see you here on the list :)
> Yes, it's a while ago :)
> > I saw this behaviour some time ago, too.
> >
> > First, check your security settings. When you use the sun jdk you have
> > the security manager in place, which you can find somewhere under
> > /etc/tomcat5.5/policy.d/
> Hmm, ah, I see. With upstream Tomcat, this is usually turned off by
> default, and it seems Debian/Ubuntu tomcat has it turend on to be
> prepared for multi-client webapp hosting.
> Never saw that in action as we usually have only self-built webapps on
> internal appservers...


> > You can try to adjust the settings in 03catalina.policy or much better
> > the debian way ;) in 05user.policy.
> Hmm, yes. Looks quite complex - any hint to docs about setting this up
> correctly? (I found one,
> -
> seems good, but any other hints are welcome)

grant codeBase \
"file:${catalina.base}/webapps/<appname>/-" {

That should help, I'm not sure, but it helped me here ;)

> Usually I'd like to allow all webapps that they should be able to
> access at least all of their own resources (e.g. no restriction on
> anything that is below webapps/<MAYWEBAPPNAME> for each webapp. Is
> something like that possible, or do I always need to add a new policy
> entriy for every new webapp (despite of turning the security manager
> off until I do multi-client hosting or something like that on a single
> tomcat, which probably will never happen)?

Well, the fact is, that webapps should never "write" inside their
codebase (means, where the pre-compiled classes, jsps etc. are stored).
Furthermore, log4j logfiles should never go somewhere under WEB-INF or
something like that, but to the pre-configured locations for tomcat

I know that many webapp devs are not caring and they write where they
want to...but it's dangerous..I had a discussion with a consultant about
this behaviour and he said to me, that "when you see an app which does
this, let it go and kill the dev ;)". Actually, wihtout this security
manager stuff, we would have never found the problems, and after we
fixed this stuff, we killed the dev, just joking, the dev had to pay the
party in the pub ;)

But I think it's ok for a simple app, which is not going to the public,
that you can setup the security manager like this to run the webapp
without any problems.


Stephan '\sh' Hermann		| OSS Developer & Systemadministrator
JID: sh at	|
GPG ID: 0xC098EFA8		|
3D8B 5138 0852 DA7A B83F  DCCB C189 E733 C098 EFA8

More information about the Ubuntu-motu mailing list