users@glassfish.java.net

Privileged file access for Java EE applications

From: Rudolf Biczok <rcbiczok_at_googlemail.com>
Date: Mon, 4 Jul 2011 08:01:45 +0200

Dear Apache Tomcat members


I'm working on a new Java EE application that operates as a common UI for
our native UNIX applications. These UNIX applications are installed on a
single server instance with several file servers attached to it and the UNIX
profiles for our customers are also on that server instance - and that's the
problem.

Any application call and file access made by the Java application server
(Glassfish) will be performed as the www user, which is in fact not what we
want. And becoming another user on a UNIX server is not that easy, because
the setuid system call requires a root-privileged process (and running
Glassfish or any other application server/servlet container as root is also
not what we want).

The work-around I worked out looks like this:

- Create a native application which calls setuid and creates another
process with the user privileges. This application will take a path to a JAR
file.

- This JAR file is an executable JAR and creates an RMI server.

- The EJB inside Glassfish establishes a secure RMI connection to the RMI
server and performs some operations.

- The helper process will be killed at the same time as the user session
expires.


Because this sounds a bit tricky and dirty, I would be really grateful for
any suggestion you can give.

I look forward to receiving your reply.


Regards,
Rudolf Biczok