Question on Tomcat and deployment access control.

[7h3_n3ck_r0m4nc3r]

I'm a Unix SA that has been asked to setup tomcat for our developers. I've
got Tomcat setup and running, and have sucessfully deployed a single .war
file. Having gotten that far, I want to secure things.

There are several different application-groups that wish to use Tomcat, each
with several different web-apps that they will wish to redeploy regularly.

How do I set up tomcat so that separate teams have sufficient access to
deploy their own applications, yet not have sufficient access to undeploy
(or otherwise interfere with other applications.)?


Any help appreciated,
Dan.


--
..............................................................................

"After we become a strong force as the result of the creation of the state,
we shall abolish partition and expand to the whole of Palestine. "

- Isreali founding father David Ben-Gurion

..............................................................................
(e-mail address removed) http://www.memeticcandiru.com

 

[IchBin]

I'm a Unix SA that has been asked to setup tomcat for our developers. I've
got Tomcat setup and running, and have sucessfully deployed a single .war
file. Having gotten that far, I want to secure things.

There are several different application-groups that wish to use Tomcat, each
with several different web-apps that they will wish to redeploy regularly.

How do I set up tomcat so that separate teams have sufficient access to
deploy their own applications, yet not have sufficient access to undeploy
(or otherwise interfere with other applications.)?


Any help appreciated,
Dan.

Personally, I would run Apache2 in from of Tomcat. You can control the
access much better with Apache2.. I think most people do it this way.
And their is no "devil in the detail" either, for this approach.

Thanks in Advance...
IchBin, Pocono Lake, Pa, USA
http://weconsultants.servebeer.com/JHackerAppManager
__________________________________________________________________________

'If there is one, Knowledge is the "Fountain of Youth"'
-William E. Taylor, Regular Guy (1952-)

 

[Tony Morris]

I'm a Unix SA that has been asked to setup tomcat for our developers.

Why don't your developers have their own instance of Tomcat locally?

 

[qu07a_f1ll3r]

Personally, I would run Apache2 in from of Tomcat. You can control the
access much better with Apache2.. I think most people do it this way.
And their is no "devil in the detail" either, for this approach.

My bad for not saying so, but we actually are running Tomcat along with
Apache. I've checked out the "Manager", which appears to give
indiscriminate access to deploy/undeploy indiscriminately once they've
successfully logged into it.


--
..............................................................................

"Even today I am willing to volunteer to do the dirty work for Israel, to
kill as many Arabs as necessary, to deport them, to expel and burn them, to
have everyone hate us."

-Ariel Sharon, 1982

..............................................................................
(e-mail address removed) http://www.memeticcandiru.com

 

[qu07a_f1ll3r]

Why don't your developers have their own instance of Tomcat locally?

I couldn't say why. They very well may have such for the early stages of
development. But that doesn't change the need to eventually deploy their
handiwork to an environment alongside other components.


--
..............................................................................

"Jewish villages were built in the place of Arab villages You do not even
know the names of these Arab villages, and I do not blame you because the
geography books no longer exist Not only do the books not exist, the Arab
villages are not there eitherThere is not one single place built in this
country that did not have a former Arab Population"

-Moshe Dayan, Israeli military hero and statesman
(Ha'aretz, 04/04/1969)

..............................................................................
(e-mail address removed) http://www.memeticcandiru.com

 

[Venkatesh]

I don't know how well this idea would work, but u can ask ur developers
to deploy the war in their home directories and put the appropriate
context in tomcat's server.xml.

That way, the wars are isolated and access protected.

-Venkatesh

 

[Juha Laiho]

(e-mail address removed) said:

....
My bad for not saying so, but we actually are running Tomcat along with
Apache. I've checked out the "Manager", which appears to give
indiscriminate access to deploy/undeploy indiscriminately once they've
successfully logged into it.

Yep, that is how the manager app works - and should you direct the
developers to use the Tomcat ant tasks, the situation would be the
same.

But now, do you have a real concern that the different groups would
be wreaking havoc on each others projects, or are you doing this
to avoid accidents? Are the groups truly hostile to each other?

If the former, then you could go to what was suggested in another post:
configure the application load locations in server.xml such that the
developers can only overwrite their own .war files, and set Tomcat
to automatically redeploy each time it sees a change in the .war file.

If the latter, you could [per policy, not per technology] prohibit
the developers from using the manager application, and direct them to
use the Tomcat ant tasks for deployment. This way, deployment would
be done programmatically, so as long as you don't fiddle with the
deployment script, they'd only redeploy their own application;
pretty much ruling out the possibility for honest mistakes.

 

[hym3n_h0l0c4$t]

Thank you for the useful information, Juha.

And to answer your question... There is no hostility - Just caution on my
part.

(e-mail address removed) said:

Yep, that is how the manager app works - and should you direct the
developers to use the Tomcat ant tasks, the situation would be the
same.

But now, do you have a real concern that the different groups would
be wreaking havoc on each others projects, or are you doing this
to avoid accidents? Are the groups truly hostile to each other?

If the former, then you could go to what was suggested in another post:
configure the application load locations in server.xml such that the
developers can only overwrite their own .war files, and set Tomcat
to automatically redeploy each time it sees a change in the .war file.

If the latter, you could [per policy, not per technology] prohibit
the developers from using the manager application, and direct them to
use the Tomcat ant tasks for deployment. This way, deployment would
be done programmatically, so as long as you don't fiddle with the
deployment script, they'd only redeploy their own application;
pretty much ruling out the possibility for honest mistakes.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

--
..............................................................................

"The human rights organization Amnesty International said in a report in
December that Israel has made about 16,700 Palestinians homeless by
destroying at least 2,650 houses since 1987"
-Associated Press (04/23/2000)

..............................................................................
(e-mail address removed) http://www.memeticcandiru.com

 

[none]

I'm a Unix SA that has been asked to setup tomcat for our developers. I've
got Tomcat setup and running, and have sucessfully deployed a single .war
file. Having gotten that far, I want to secure things.

There are several different application-groups that wish to use Tomcat, each
with several different web-apps that they will wish to redeploy regularly.

How do I set up tomcat so that separate teams have sufficient access to
deploy their own applications, yet not have sufficient access to undeploy
(or otherwise interfere with other applications.)?


Any help appreciated,
Dan.

If you were to set up a virtual host per development team, then there
would be a manager application for each virtual host. Each manager
application would have different passwords. Therefore one team would
only be allowed to deploy/stop/start/reload applications in their own
virtual host as they wouldn't know the passwords of the manager
applications in the other virtual hosts. Ant could also be used to
interact with the manager application instead of using it directly, but
instead by using your favorite IDE.

The root directory of each virtual host would also only be writable by
the owner and not by users of the other hosts. If each team had their
own ftp/scp user account then it would prevent files for being changed
in the virtual hosts of others.

This coupled with a security policy in tomcat restricting write
previledges to other's virtual host directories from applications
deployed in a context, would be a good idea.

Tim