INSTALLING TOMCAT
We’ll need the tomcat6 package to run Tomcat’s core components, as well as the tomcat6-admin-webapps package, since we’ll use Tomcat’s Manager Application for application deployments, either through Maven’s Cargo component or through the web browser. Since we’ll compile the authbind application from its sources, we’ll also need gcc, the GNU C Compiler package, which contains all components to build an application on Linux. To install all this, grab a terminal and execute:
yum -y install tomcat6 tomcat6-admin-webapps gcc
Usually a web server is started automatically on system boot. This can be achieved by
/sbin/chkconfig --levels 235 tomcat6 on
LISTENING ON PORTS<1024 IN LINUX WITH AN UNPRIVILEGED USER
There are several options to achieve this:
- By using authbind, which authorizes specific users to bind to specific ports under 1024
- By using Jsvc, a set of libraries and applications for making Java applications run on UNIX more easily. Jsvc allows the Tomcat application to perform some privileged operations as root (e.g. bind to a port < 1024) and then switch identity to a non-privileged user.
- By configuring iptables to re-route the packets from port 80 to 8080
This article describes the authbind approach. But first, let's tell Tomcat to listen on port 80 instead of 8080.
CHANGING TOMCAT'S DEFAULT HTTP PORT
The default HTTP port is defined in /etc/tomcat6/server.xml:
We need to change this default port to 80 in server.xml. Either replace it by hand, or automatically: to replace the occurrences of port="8080" with port="80", execute the following command:
sed -i 's/port\=\"8080\"/port\=\"80\"/' /etc/tomcat6/server.xml
The same for port 8443, which will be replaced with port 443:
sed -i 's/port\=\"8443\"/port\=\"443\"/' /etc/tomcat6/server.xml
We'll start Tomcat with authbind. This can be achieved by changing Tomcat's init script in /etc/init.d, replacing the line
TOMCAT_SCRIPT="/usr/sbin/tomcat6"
with
TOMCAT_SCRIPT="exec authbind --deep /usr/sbin/tomcat6"
Again, it can be automated like this:
sed -i 's/TOMCAT_SCRIPT=\"\/usr\/sbin\/tomcat6\"/TOMCAT_SCRIPT=\"exec authbind --deep \/usr\/sbin\/tomcat6\"/' /etc/init.d/tomcat6
We have to tell Tomcat to use the IPv4 stack by default. This can be done by appending the line CATALINA_OPTS="-Djava.net.preferIPv4Stack=true" to /etc/tomcat6/tomcat6.conf:
sed -i '$ a\CATALINA_OPTS=\"-Djava\.net\.preferIPv4Stack=true\"\n' /etc/tomcat6/tomcat6.conf
INSTALLING AND CONFIGURING AUTHBIND
Authbind is installed the usual way, with the help of gcc and make. Please note: for this step to succeed, the gcc package is needed. It was already installed earlier by the yum command that installed Tomcat.
cd ~
wget http://ftp.debian.org/debian/pool/main/a/authbind/authbind_1.2.0.tar.gz
tar xzf authbind_1.2.0.tar.gz
cd authbind_1.2.0
make
make install
Authbind is configured through special files under /etc/authbind, whose ownership and permissions we set for the users we want to give access to. Since Tomcat runs as the tomcat user, we'll tell authbind to allow binding to the HTTP port 80 and the HTTPS port 443 for this account:
touch /etc/authbind/byport/80
chmod 500 /etc/authbind/byport/80
chown tomcat /etc/authbind/byport/80
touch /etc/authbind/byport/443
chmod 500 /etc/authbind/byport/443
chown tomcat /etc/authbind/byport/443
For the changes to take effect, Tomcat has to be restarted:
/etc/init.d/tomcat6 restart
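The byport files created above are the whole access policy: authbind permits a bind when the calling user has execute permission on /etc/authbind/byport/<port>. The following check is an added example, not part of the original article; it verifies that each file exists, is owned by the expected account, and grants execute to the owner only. The function names and the BYPORT_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: audit authbind's byport files.
# authbind lets a user bind a port when access(2) grants that user execute
# permission on /etc/authbind/byport/<port>.
# BYPORT_DIR is overridable (an assumption made here so the check can be tested).
BYPORT_DIR="${BYPORT_DIR:-/etc/authbind/byport}"

# check_byport PORT USER: succeed only if USER, and nobody else, may bind PORT.
check_byport() {
    port=$1; user=$2; f="$BYPORT_DIR/$port"; rc=0
    if [ ! -f "$f" ]; then
        echo "FAIL $f: missing, authbind will refuse port $port"
        return 1
    fi
    owner=$(stat -c '%U' "$f")          # GNU stat, as shipped on CentOS/RHEL
    mode=$(stat -c '%a' "$f")           # octal permissions, e.g. 500
    bits=$((0$mode))                    # leading 0 makes the shell parse octal
    if [ "$owner" != "$user" ]; then
        echo "FAIL $f: owner is $owner, expected $user"; rc=1
    fi
    if [ $((bits & 0100)) -eq 0 ]; then
        echo "FAIL $f: mode $mode lacks owner execute, bind will be denied"; rc=1
    fi
    if [ $((bits & 0011)) -ne 0 ]; then
        echo "FAIL $f: mode $mode lets group/other bind port $port"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $f: $owner $mode"; fi
    return "$rc"
}

# audit_authbind USER PORT...: check every port and report all findings.
audit_authbind() {
    user=$1; shift; failed=0
    for p in "$@"; do
        check_byport "$p" "$user" || failed=1
    done
    return "$failed"
}

# Usage on the host configured above: audit_authbind tomcat 80 443
```

A mode such as 755 on a byport file fails this check because it would let every local account bind that port through authbind.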