Tomcat Configuration - Home, Base and catalina.policy

Here is some generic information about Tomcat 5.5 configuration and about giving a servlet read, write and execute permissions. Java's security manager can be quite complex and usually causes a lot of pain when configuring a servlet to do something beyond the standard "read", "write" and "execute", such as delete. Debugging such Security Manager permission errors can be fairly daunting.

Tomcat configuration has two variables, catalina.home and catalina.base. The purpose of this split is to allow multiple instances of Tomcat to run from a single installation.

catalina.home is the installation directory and contains the directories bin, common, server.

catalina.base is your instance directory and contains the per-instance directories such as work, shared, conf and webapps.


In your conf directory there is another directory called policy.d. Inside it there are a few files, and all of them are merged into one and written to the catalina.policy file in the conf directory. DO NOT edit the catalina.policy file directly, as this will have no effect; edit the files inside the policy.d directory instead.

To give your servlet extra permissions, edit the file 50users.policy and add a grant for your servlet's codeBase. The permission class (here java.io.FilePermission) must be named on the permission line, and the trailing "-" matches a directory and everything below it:

 grant codeBase "file:${catalina.base}/webapps/Android/WEB-INF/-" {
     permission java.io.FilePermission "${catalina.base}/webapps/Android/-", "read,write,execute,delete";
 };

Note that this grant covers the whole webapp directory tree; where you can, narrow the target path to the directory the servlet actually needs to modify.

You must be careful here. The grant applies only to code loaded from that codeBase, and the security manager checks every protection domain on the call stack. If, for example, you are using another library to modify files, such as the deleteQuietly method in commons-io.jar, then you must give that jar the permissions too if it lives in another directory (for instance common/lib or shared/lib rather than WEB-INF/lib).

Debugging Security

To debug, you must start Tomcat with the security debug option.

If you are using the startup script /etc/init.d/tomcat5.5, edit that file and add the setting as shown below.

 if [ "$TOMCAT5_SECURITY" = "yes" ]; then
         # Stock init script: run with the security manager and the merged policy file
         JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$CATALINA_BASE/conf/catalina.policy"
         # Added for debugging: log every access check and every failed check
         JAVA_OPTS="$JAVA_OPTS -Djava.security.debug=access,failure"
 fi

This will produce a huge amount of logging output, but you can easily search it for something like 'access denied' to find out which permission check is failing.
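Searching that output by hand gets tedious once several jars and permissions are involved. The following is an added example (not code from the original page) that pairs each 'access denied' line with the 'domain that failed' line the JVM prints after it and drafts a grant block in the catalina.policy syntax shown above. The log lines are constructed, and both the older unquoted and the newer quoted permission formats are assumed.

```python
import re

# Constructed sample of -Djava.security.debug=access,failure output (not a real capture).
# Older JVMs print the permission unquoted; newer ones quote each field.
SAMPLE_LOG = """\
access: access allowed (java.io.FilePermission /var/lib/tomcat5.5/webapps/Android/data/x.txt read)
access: access denied (java.io.FilePermission /var/lib/tomcat5.5/webapps/Android/data/x.txt delete)
java.lang.Exception: Stack trace
\tat java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
access: domain that failed ProtectionDomain  (file:/usr/share/java/commons-io.jar <no signer certificates>)
access: access denied ("java.net.SocketPermission" "localhost:8080" "connect,resolve")
access: domain that failed ProtectionDomain  (file:/var/lib/tomcat5.5/webapps/Android/WEB-INF/lib/httpclient.jar <no signer certificates>)
"""

# permission class, target name, action list (quotes optional)
DENIED = re.compile(r'access denied \("?([\w.$]+)"? "?(.*?)"? "?([\w,]*)"?\)$')
# codeBase of the protection domain that failed the check
DOMAIN = re.compile(r'domain that failed ProtectionDomain\s+\((\S+)')

def parse_denials(log):
    """Pair each 'access denied' line with the codeBase of the domain that failed."""
    denials, pending = [], None
    for line in log.splitlines():
        m = DENIED.search(line)
        if m:
            pending = {"perm": m.group(1), "target": m.group(2), "actions": m.group(3)}
            continue
        m = DOMAIN.search(line)
        if m and pending:
            pending["codebase"] = m.group(1)
            denials.append(pending)
            pending = None
    return denials

def suggest_grants(denials):
    """Group denials by codeBase into draft grant blocks for review, one per jar or webapp."""
    by_cb = {}
    for d in denials:
        by_cb.setdefault(d["codebase"], []).append(d)
    blocks = []
    for cb, ds in by_cb.items():
        perms = "".join(f'  permission {d["perm"]} "{d["target"]}", "{d["actions"]}";\n' for d in ds)
        blocks.append(f'grant codeBase "{cb}" {{\n{perms}}};')
    return blocks

if __name__ == "__main__":
    for block in suggest_grants(parse_denials(SAMPLE_LOG)):
        print(block)
```

Treat the output as a starting point: each draft grant names exactly the target and action that failed, so review it and keep it that narrow rather than widening to the whole directory tree.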