serve a GWT application from the app server root - apache

I have a GWT application, which I deploy as a WAR file to a Jetty 8 server.
I want it to be accessible via
http://<myserver>/
instead of
http://<myserver>:8080/MyApp/MyApp.html
I understand I can configure Jetty to run on port 80 instead of 8080 or have an apache instance running on port 80 and forwarding requests to Jetty running on 8080 (don't see a benefit of the latter, though).
but how can I deploy the GWT app to be accessible at the server ROOT?
so far I see I can create myapp.xml in Jetty/contexts folder and put
<Set name="contextPath">/</Set>
there. I can also rename MyApp.html to index.html. but I'm not sure this is the "recommended" approach

I think you pretty much answered your own question:
The application server (e.g. Jetty) is responsible for the context path, so you must set it somehow in the application server. This is different for each server, e.g. in Tomcat one possibility to achieve this is renaming the war file to ROOT.war. (I don't know all the possible ways how to do this in Jetty off-hand.)
Note: The file that is served when going directly to the context URL can be determined in your web.xml, using
<welcome-file-list>
<welcome-file>MyApp.html</welcome-file>
</welcome-file-list>
So you don't have to rename it to index.html.

ok, accepting my own answer:
create myapp.xml in Jetty/contexts folder
thank you, Chris!

Related

grails.app.context being ignored deploying to Tomcat

I have an Apache server proxying all traffic from mainhost.com/subdirectory to someec2instance/subdirectory. When I start Apache and hit someec2instance.com, I get the ROOT war page. That works fine. If I deploy my app as ROOT.war, everything works fine form someec2instance.com.
However, when I access mainhost.com/subdirectory, all the asset urls and link_to urls are wrong and point to mainhost.com instead of mainhost.com/subdirectory.
I've set grails.app.context and confirmed via application.properties that the correct grails.env is being set.
Why isn't grails.app.context being respected when I deploy as ROOT.war? I would expect the site to be accessible on someec2instance.com/context, but it's like it ignore grails.app.context entirely.
The reason is doesn't work is that those settings are for running locally, not when deployed as a WAR file. When you use the tomcat or jetty plugin in run-app we configure the container to make it look like it's running an "exploded" war (similar to when a WAR gets unpacked to the file system by various servers). Since the container is running in embedded mode, it's easy to configure it programmatically as needed.
But when you deploy a WAR file there's nowhere near as much configurability. In run-app the build logic of Grails starts the server, configures it, and deploys the app, but a WAR file deployed to a "real" server is managed by the server and not the other way around.

How to run Tomcat in a most secure way?

We are using Apache Tomcat 7 for my web applications and we have decided to go on production stage.
So now is the time to think about how to secure the Tomcat and the machine. After reading "Apache tomcat security considerations" we decided to go on run tomcat process on dedicated user with minimum scenario.
From what I understand the best option is to configure it in a way that the running tomcat process has only read privilege to all the tomcat files.
I figured I would do it in this way:
I would create 2 users:
-tomcat_process - only for running tomcat
-admin - this is the one all the files belong to
tomcat_process will have access to conf directory, and also will be able to run scripts from tomcat/bin/
My main problem is that Tomcat needs to write to some files in $CATALINA_HOME/$CATALINA_BASE. I know I can change the location of logs and work directory and I thought I would point them to tomcat_process home dir (is this even a good idea?).
But I can't find any information if I can change the path to /conf/Catalina dir. Is it possible?
I would like to avoid adding write access to conf directory, as the whole configurations sits in there.
Or do you think that I should live those directories where their are and just add write privileges to them for tomcat_process?
I was wondering if you could please tell me if this is a correct approach or can I do it better?
I'm so confused with all those security guides which are telling me to restrict privileges but not telling how to do it :(
Keeping it simple I think is the key:
Create a new tomcat for each (set of) web application(s) with their own user.
Limit the tomcat resources to only the tomcat user. In linux you can use the chmod/chown command for this.
Place the tomcat behind a reverse proxy: Internet (https) <- external Firewall -> Apache Reverse Proxy <- Internal Firewall (block all unless whitelisted) --> Tomcat
Delete all standard webapps 'manager', 'root', 'docs'
Disable the shutdown command in server.xml
As for java web applications try to contain them in their own sandbox, meaning own database, own users.
To safe maintenance effort, you could run multiple instances using one tomcat binary and a single tomcat user.
http://www.openlogic.com/wazi/bid/188102/How-to-Run-Multiple-Instances-of-Tomcat-on-a-Single-Server

Why does my work file work locally, but not on my webhosting server?

I developed a website and got a Tomcat account on Dailyrazor. My website runs fine when I start Tomcat from the command line and stick my war file in Apache's webapps folder. I access it by http://localhost:8080/dkashtanartportfolio/.
Now should it be as easy as dropping the war in my webapps folder on my DailyRazor Tomcat server? I expect to be able to access my website via http://www.<domain-name>.com/<war-file-name>/, which should look like http://www.dkartportfolio.com/dkashtanartportfolio/
I get a 404 error and I do not know why? Can anybody help?
Some of the DailyRazor accounts don't allow automatic deploy. So after uploading war you need to restart Tomcat. I use shell to execute tomcat_manage stop, followed by tomcat_manage start.
You may also be able to request restart by opening a help ticket.
For some reason, my accounts expect war's to be in public_html and not webapps. I have an old account so they may have changed the way new accounts work.
You need to look carefully into tomcat/conf/server.xml and make sure that you've specified correct path to app folder. Also you need to keep in mind that if you have shared tomcat you need to unpack your war file before requesting tomcat restart - it won't unpack automatically.

Configuring Drupal to work with an existing webapp

I have an existing web application which I have been building with an ant script and deploying as a .war file to Tomcat.
I am trying to add Drupal to my current technology stack to provide CMS and general UI-related functionality so that I don't have to write my html pages by hand and rather use templates.
During the installation of Drupal7, some of the instructions suggest that I go to this directory:
/etc/apache2/sites-available
and change the DocumentRoot to
/home/myuser/drupal/drupal7
If I make the docroot a basic directory on the file system, how will this impact how the application will work? In addition to Apache, I also have Tomcat server. My goal is to get them to all play nice together. How is this best accomplished?
If I make the docroot a basic directory on the filesystem
I'm not sure what you mean by this. There's no qualitative difference between /var/www and /home/mysuser/drupal/drupal7. The latter is longer and in the user's home directory, but assuming this user would be administering the service anyway that doesn't matter.
Next, the best way to make Tomcat and Apache get along is probably to run one of them on different subdomains. You could use the same domain, but that'd mean you had to run one of the daemons off a nonstandard port and that looks strange and might run into firewall trouble with some users.

How do you create "Aliases" in Apache Tomcat?

I am working on a web application that allows users to upload attachments. These attachments are stored on a different drive than that of the web application. How can I create an alias (equivalent to Apache HTTP server's aliases) to this drive so that users can download these attachments?
Currently I am creating a context file and dumping it in CATALINA_HOME/conf/Catalina/localhost, but it gets randomly deleted every so often. The context file is named attachments.xml and the contents are shown below. I have also read about virtual hosts, but if I understand correctly, then a virtual host is not what I am looking for. I am using version 6.0.18 of Apache Tomcat.
attachments.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase = "e:\uploads\attachments"
reloadable = "true"
crossContext = "true">
</Context>
I spent a lot more time researching this and found a solution that solves the random deletion of the context files. I found this excerpt on Apache's website under the host configuration section:
You can nest one or more Context
elements inside this Host element,
each representing a different web
application associated with this
virtual host.
The virtual hosts are stored in the server.xml file located at CATALINA_HOME\conf. Tomcat comes configured with localhost as the default host. So, if we add the contents of attachments.xml from the first post, we get the following:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
<Context path="/attachments"
docBase="e:\uploads\attachments"
reloadable="true"
crossContext="true" />
</Host>
This is as close as one can get to defining aliases similar to Apache's HTTP server, I think.
There are multiple options.
Use Apache as frontend, delegating to tomcat by mod_jk or mod_proxy
Provide a download servlet in your own application, serving the requested file
Make the directory that you want tomcat to deliver a web application
each has some drawbacks and some advantages. I strongly prefer the first solution for multiple reasons:
My main reasons apply to unixoid systems, which you are obviously not talking about: Only root can bind ports lower than 1024, e.g. 80. Therefor tomcat would need to run as root (I know that there are mechanics to allow users to bind to low ports, but I've never gotten to use them). Apache is usually started as root but drops these privileges as soon as port 80 is bound.
Apache is said to be a lot better in serving static resources than tomcat (I've never measured it, but find it hard to believe the contrary)
You obviously know how to create aliases in apache - it would be trivial to do so.
About the download servlet:
This way you'd have a servlet serving your static resources, which you might bind to the urls "/download/*" (e.g. in the application that also handles file uploads) You'd gain:
You need to configure the directory where your files are stored only once
If you need you might easily implement permission checks (e.g. login required for downloading)
You need to deploy only one completely selfcontained application.
The download servlet is trivial - find the file, set it's name and filetype in the output stream and stream it byte by byte, then close the output stream (be sure to handle attacking file names like "/download/../../../../etc/passwd" or "/download/C:/WINDOWS/someimportantfile.xxx"), e.g. by using the java.io.File constructor that gets the base directory as a separate parameter.
The third option has some severe drawbacks and opens you for attacks if you don't take special care of them:
Tomcat does not serve directories, but webapps. Therefor "E:/upload/attachments" would need at least a directory named "WEB-INF", containing "web.xml". Take care to not provide write access to this directory and file from the uploading web application. With this provision you might let tomcat serve the directory.
However: Configure the contained web.xml to not serve "*.jsp" as a jsp, otherwise tomcat would not just deliver jsp files but execute them. Imagine someone uploading "index.jsp" with <% System.exit(0); %> or more malicious content.
One additional thought: You don't need the extra crosscontext="true". This would imply that the webapplication that you deploy just to serve your files has access to other webapplications, e.g. is able to manage them or access their private data. Usually you don't need that at all, in the case of your question you definitely don't want that.
See the initial part of my newer question for ways to do this by editing the context.xml file
How do I add aliases to a Servlet Context in java?.
According to several people now, it is no longer necessary (2012: Tomcat 6 or 7) to use Apache for performance reasons over Tomcat for serving static content.