
Solving Apache Derby and Continuum installation issue on Debian

Nothing's ever easy, is it?  No...

So I'm following the Tomcat installation guide for Continuum over at http://continuum.apache.org/docs/1.3.1/installation/tomcat.html and I start Continuum, and in the catalina log files it says:

2009-02-06 16:47:00.205 GMT Thread[main,5,main] java.io.FileNotFoundException: derby.log (Permission denied)
2009-02-06 16:47:00.528 GMT Thread[main,5,main] Cleanup action starting
ERROR XBM0H: Directory /var/lib/tomcat5.5/conf/Catalina/database/continuum cannot be created.

And no amount of messing with the Java Security Manager (see previous blog posts) seems to help.  I even tried disabling it in the file /etc/default/tomcat5.5, but to no avail.

What did fix the issue for me, was this:

mkdir /var/lib/derby
chmod a+w /var/lib/derby

Then I edited /etc/init.d/tomcat5.5 and added "-Dderby.system.home=/var/lib/derby" to my CATALINA_OPTS line so it read:

CATALINA_OPTS="-Dappserver.home=$CATALINA_HOME -Dappserver.base=$CATALINA_HOME -Dderby.system.home=/var/lib/derby"

And yes, I'll tighten up those permissions later, once the damn thing works!

After that Continuum could be started and accessed via its web interface.

Hope this helps, as it seems I'm the first person to run into this issue (or at least document it): searching Google for the error code or paths above (in relation to Continuum, Tomcat and Debian) was somewhat futile.

Solving Pebble deployment issues on Tomcat 5.5 caused by Java Security Manager policies on Debian

When you install Tomcat 5.5 on a Debian 4 distro (apt-get install tomcat5.5) the Tomcat installation is locked down so that it's quite secure - explicit permission must be given to webapps that need to write to the filesystem, especially if those webapps are not located in the default Tomcat webApps directory (e.g. those times that you want to run an Engine with multiple Hosts that respond to different domain names (vhosts), such as on your development server).

When deploying Pebble (http://pebble.sourceforge.net/) to a blog.devserver.local I was seeing an error message in my /var/lib/tomcat5.5/logs/catalina_yyyy-mm-dd.log file:

"java.security.AccessControlException: access denied (java.io.FilePermission pebble.log write)"

After a bit of digging around in /etc/tomcat5.5/policy.d I found a file called "04webapps.policy" which seems to be the place to modify security settings for webapps; I added the following rule:

grant codeBase "file:/var/www/vhosts/blog.devserver.local/data/-" {
    permission java.security.AllPermission;
};

Note the "/-" on the end of the path; that means anything in that directory (recursively). More about the specification of the path can be read in the FilePermission API, here: http://java.sun.com/j2se/1.4.2/docs/api/java/io/FilePermission.html

My pebble.properties was also configured to use this directory via this statement:


I also found that you can enable extra security related debugging information logging by modifying /etc/rc.d/tomcat5.5 and adding this statement:


(Note that in previous versions of Tomcat that environment variable used to be TOMCAT_OPTS, which threw me off for a while until I figured it had been renamed; a note to that effect I found here (http://logging.apache.org/log4j/1.2/manual.html) when I was researching the next problem.)

So, after restarting tomcat I thought pebble should fire up now, but no, there's something else to fix:

"java.security.AccessControlException: access denied (java.io.FilePermission /WEB-INF/classes/logging.properties read)"

What's happening here is that the log4j is trying to read its properties file, but it's not allowed to. Adding this to 04webapps.policy fixes it (in a somewhat blanket fashion/less secure way):

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.security.AllPermission;
};

Securing it up is done by changing it as follows.

grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
//    permission java.security.AllPermission;
    permission java.io.FilePermission "/var/www/vhosts/blog.devserver.local/webApps/blog/WEB-INF/classes/logging.properties", "read";
};

After this I could finally deploy and start Pebble and I now feel confident about solving other Java Security Manager (http://java.sun.com/j2se/1.4.2/docs/api/java/lang/SecurityManager.html) related issues.
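A quick way to confirm that no blanket grant is left behind after tightening 04webapps.policy, as an added example that is not part of the original post: it lists every grant entry that still has an uncommented AllPermission and ignores the commented-out one. The function names and the sample policy text are constructed here for illustration.

```shell
#!/bin/sh
# Added example: report grant entries in a Java policy file that still hold an
# active (uncommented) java.security.AllPermission.
# Handles "//" comment lines only; "/* ... */" block comments are not parsed.

# audit_policy FILE -> one line per offending grant: "<start line>: <codeBase>"
audit_policy() {
    awk '
    function report() {
        if (in_grant && hit) print start ": " cb
        in_grant = 0; hit = 0
    }
    /^[ \t]*\/\// { next }                  # commented-out lines do not count
    $1 ~ /^grant[{]?$/ {                    # a new entry also ends an unclosed one
        report(); in_grant = 1; start = NR
        cb = "(no codeBase: applies to all code)"
    }
    in_grant && match($0, /codeBase[ \t]+"[^"]*"/) {
        cb = substr($0, RSTART, RLENGTH)
        sub(/^codeBase[ \t]+"/, "", cb); sub(/"$/, "", cb)
    }
    in_grant && /permission[ \t]+java\.security\.AllPermission[ \t]*;/ { hit = 1 }
    in_grant && /^[ \t]*[}][ \t]*;/ { report() }
    END { report() }
    ' "$1"
}

# Constructed sample modelled on the grants in the post (not a real config);
# the second entry is left unclosed on purpose to exercise that case.
sample_policy() {
    cat <<'EOF'
grant codeBase "file:/var/www/vhosts/blog.devserver.local/data/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.security.AllPermission;
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
//    permission java.security.AllPermission;
    permission java.io.FilePermission "/var/www/vhosts/blog.devserver.local/webApps/blog/WEB-INF/classes/logging.properties", "read";
};
EOF
}

tmp=$(mktemp) && sample_policy > "$tmp" && audit_policy "$tmp"
rm -f "$tmp"
```

Each reported line gives the line number where the grant starts and its codeBase, so the entry can be replaced with specific FilePermission rules like the tightened tomcat-juli one above.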

Browser Wars Vs Solitaire Wars

I read with despair that yet again the EU seeks to penalise Microsoft for having the apparent gall to include some additional software (Internet Explorer) with Windows, based on the objections from a competing company (Opera).

I mean WTF.

What about all the other software that ALL operating system manufacturers have ALWAYS included with their systems?

Imagine if there was a lawsuit or EU injunction against Microsoft or Apple because they included a game of Solitaire with their operating system, or how about a lawsuit because Apple included Finder and Microsoft included Windows Explorer so that users could perform operations on files.

I personally have written two GUI-based file managers (FMan for DOS and AFCopy for the Amiga) and you don’t hear about me filing lawsuits about loss of business.  Granted, in my case no one uses DOS or the Amiga anymore, but there are plenty of alternatives to Windows Explorer – Windows Commander, Directory Opus etc.  How many different versions of the Solitaire game are there for Windows and OSX? Are the authors of those going to be able to get the EU to make Apple or Microsoft remove them from their Operating System?  No, so then why the hell should Opera be given the privilege?

Instead of hiring lawyers the company that builds the Opera browser should spend their money making better software that people actually want to use.  If it’s good enough people will install it!

Lego Power Miners!

What /will/ they think of next?

You have to hand it to Lego, they make some seriously cool products that I find impossible to resist.  Even the new Bionicle vehicles are cool.  This time though Lego have outdone themselves with their new Lego Power Miners range!

Here's a wallpaper I found on Lego's site.

Lego Power Miners

And check out these cool minifigs:

I for one can't wait for someone to do some stop-motion animation with them in! heheh.

Power Miners!  What a concept!  Nice job Lego d00ds!

Click here to visit the power miner's mini-site on Lego.com

Configuring Tomcat and Pebble

In order to set up this blog I needed Tomcat. I'm well versed with IIS and Apache vhost configurations, but it took a little bit of research and fiddling to get vhosts up and running with Tomcat; the only reason I had such a problem was that I wanted my Tomcat data on a different partition instead of having all my data in the Tomcat installation directory.

I found I had to adjust a "Java Options" setting from its default of "-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 5.5" to "-Dcatalina.base=D:\Data\Tomcat".
Here are the relevant bits from my server.xml in case you're interested:

<Engine name="Catalina" defaultHost="default">
	<Host name="default" appBase="default/webApps" unpackWARs="true"
		autoDeploy="false" xmlValidation="false" xmlNamespaceAware="false">
	</Host>

	<Host name="localhost" appBase="localhost/webApps" unpackWARs="true"
		autoDeploy="false" xmlValidation="false" xmlNamespaceAware="false">

		<!-- Restrict this vhost to requests from the listed remote host names -->
		<Valve className="org.apache.catalina.valves.RemoteHostValve"
			allow="localhost," />
	</Host>

	<Host name="dominicclifton.name" appBase="dominicclifton.name/webApps"
		unpackWARs="true" autoDeploy="false" xmlValidation="false">
	</Host>
</Engine>


Then I had to move the conf directory to d:\Data\Tomcat and also create "d:\data\<hostname>\webApps" for each vhost.

The next problem was the ${user.home} setting for Tomcat; on Windows this defaulted to "C:\Documents and Settings\Default User". Apparently you can override this in the Catalina.properties file but I've not tried it. Instead I point each app that needs it to a specific directory, e.g. in Pebble.properties I set "dataDirectory=D:/Data/Tomcat/<hostname>/data".

The above method works fine for me, but if anyone knows a better way of doing this please comment below!