Solving Apache Derby and Continuum installation issue on Debian

Nothing's ever easy, is it?  No...

So I'm following the Tomcat installation guide for Continuum over at http://continuum.apache.org/docs/1.3.1/installation/tomcat.html and I start Continuum and in the catalina log files it says:

2009-02-06 16:47:00.205 GMT Thread[main,5,main] java.io.FileNotFoundException: derby.log (Permission denied)
2009-02-06 16:47:00.528 GMT Thread[main,5,main] Cleanup action starting
ERROR XBM0H: Directory /var/lib/tomcat5.5/conf/Catalina/database/continuum cannot be created.

And no amount of messing with the Java Security Manager (see previous blog posts) seems to help.  I even tried disabling it in the file /etc/default/tomcat5.5 but to no avail.

What did fix the issue for me was this:

mkdir /var/lib/derby
chmod a+w /var/lib/derby

Then I edited /etc/init.d/tomcat5.5 and added "-Dderby.system.home=/var/lib/derby" to my CATALINA_OPTS line so it read:

CATALINA_OPTS="-Dappserver.home=$CATALINA_HOME -Dappserver.base=$CATALINA_HOME -Dderby.system.home=/var/lib/derby"

And yes, I'll tighten up those permissions later, once the damn thing works!

After that Continuum could be started and accessed via its web interface.

Hope this helps, as it seems I'm the first person to run into this issue (or at least document it): searching Google for the error code or paths above (in relation to Continuum, Tomcat and Debian) was somewhat futile.

Solving Pebble deployment issues on Tomcat 5.5 caused by Java Security Manager policies on Debian

When you install Tomcat 5.5 on a Debian 4 distro (apt-get install tomcat5.5), the Tomcat installation is locked down so that it's quite secure: explicit permission must be given to webapps that need to write to the filesystem, especially if those webapps are not located in the default Tomcat webApps directory (e.g. when you want to run an Engine with multiple Hosts that respond to different domain names (vhosts), such as on your development server).

When deploying Pebble (http://pebble.sourceforge.net/) to a blog.devserver.local I was seeing an error message in my /var/lib/tomcat5.5/logs/catalina_yyyy-mm-dd.log file:

"java.security.AccessControlException: access denied (java.io.FilePermission pebble.log write)"

After a bit of digging around in /etc/tomcat5.5/policy.d I found a file called "04webapps.policy", which seems to be the place to modify security settings for webapps. I added the following rule:

grant codeBase "file:/var/www/vhosts/blog.devserver.local/data/-" {
    permission java.security.AllPermission;
};

Note the "/-" on the end of the path; that means anything in that directory (recursively). More about the specification of the path can be read in the FilePermission API, here: http://java.sun.com/j2se/1.4.2/docs/api/java/io/FilePermission.html

My pebble.properties was also configured to use this directory via this statement:

dataDirectory=/var/www/vhosts/blog.devserver.local/data/pebble

I also found that you can enable extra security related debugging information logging by modifying /etc/rc.d/tomcat5.5 and adding this statement:

CATALINA_OPTS=-Djava.security.debug=all

(Note that in previous versions of Tomcat that environment variable used to be TOMCAT_OPTS, which threw me off for a while until I figured it had been renamed; I found a note to that effect here (http://logging.apache.org/log4j/1.2/manual.html) when I was researching the next problem.)

So, after restarting Tomcat I thought Pebble should fire up now, but no, there's something else to fix:

"java.security.AccessControlException: access denied (java.io.FilePermission /WEB-INF/classes/logging.properties read)"

What's happening here is that log4j is trying to read its properties file, but it's not allowed to. Adding this to 04webapps.policy fixes it (in a somewhat blanket fashion/less secure way):

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.security.AllPermission;
};

Securing it up is done by changing it as follows.

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
//    permission java.security.AllPermission;
    permission java.io.FilePermission "/var/www/vhosts/blog.devserver.local/webApps/blog/WEB-INF/classes/logging.properties", "read";
};

After this I could finally deploy and start Pebble and I now feel confident about solving other Java Security Manager (http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html) related issues.
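
An added example, not part of the original post: a small Python check that parses a Security Manager policy file and reports which grant blocks still carry the blanket java.security.AllPermission, so grants added "to get it working" can be found and narrowed later. The function names (audit, strip_comments) are hypothetical, the sample input is constructed from the grant blocks shown above, and the parser assumes plain codeBase grants with simple permission entries.

```python
import re

# Constructed sample: the grant blocks shown on this page, joined as one policy file.
SAMPLE_POLICY = r'''
grant codeBase "file:/var/www/vhosts/blog.devserver.local/data/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
//    permission java.security.AllPermission;
    permission java.io.FilePermission "/var/www/vhosts/blog.devserver.local/webApps/blog/WEB-INF/classes/logging.properties", "read";
};
'''

# Quoted strings are matched as units so "${catalina.home}" or "file://" inside
# them is never mistaken for a brace or a comment.
STRING_OR_COMMENT = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT = re.compile(r'\bgrant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;')
CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"')
PERMISSION = re.compile(
    r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')


def strip_comments(text):
    """Drop // and /* */ comments but keep quoted strings untouched."""
    return STRING_OR_COMMENT.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def audit(policy_text):
    """Return one record per grant block, flagging over-broad grants."""
    records = []
    for header, body in GRANT.findall(strip_comments(policy_text)):
        cb = CODEBASE.search(header)
        perms = [tuple(p) for p in PERMISSION.findall(body)]
        issues = []
        if any(name == "java.security.AllPermission" for name, _, _ in perms):
            issues.append("AllPermission: code from this codeBase is unrestricted")
        if cb is None:
            issues.append("no codeBase: grant applies to all code")
        records.append({"codeBase": cb.group(1) if cb else None,
                        "permissions": perms, "issues": issues})
    return records


if __name__ == "__main__":
    for rec in audit(SAMPLE_POLICY):
        print(rec["codeBase"], "->", rec["issues"] or "ok", rec["permissions"])
```

Run over the sample, the data-directory grant is flagged while the tightened tomcat-juli.jar grant is not, because its AllPermission line is commented out.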