Superpatterns Pat Patterson on the Cloud, Identity and Single Malt Scotch


OpenSSO on Tomcat in Ubuntu

The 'single WAR' deployment of OpenSSO lets you deploy one WAR file into a web container such as Glassfish or Tomcat. The first time you hit the OpenSSO URL, a configurator runs, collects some basic parameters, saves them to configuration files and sets OpenSSO up for use. You can keep that configuration anywhere in the file system; the configurator records its location in a small file in the home directory of the user the web container runs as.

Numerous folks are deploying OpenSSO on Tomcat. In a typical 'developer' installation, where you run Tomcat from the command line, all works well: you get a file named something like AMConfig_localhost_opensso_ in your home directory. AMConfig is a constant prefix and _localhost_opensso_ is OpenSSO's deployment location (/localhost/opensso/) with the slashes replaced by underscores. Ubuntu's Tomcat answers on 'localhost' and I deployed the OpenSSO WAR file at /opensso, so I get a file called AMConfig_localhost_opensso_ whose content is simply the path to the main configuration data. Your mileage will vary!

Now, I'm running Ubuntu on my laptop with the default Ubuntu distribution of Tomcat 5.5. The first time I tried to deploy OpenSSO it failed; looking at Tomcat's logs, I could see

access denied (java.util.PropertyPermission user.home read)

Tomcat is running with the Java Security Manager, which is denying the web application read access to the user.home system property. From previous experience, the quickest way round this (short of disabling the security manager altogether) is to grant your web application all permissions. I added the following to /etc/tomcat5.5/policy.d/99examples.policy:

// everything under webapps/opensso/ (the trailing /- covers subdirectories and jars)
grant codeBase "file:${catalina.home}/webapps/opensso/-" {
    permission java.security.AllPermission;
};

You could, of course, specify much more granular permissions (individual properties, files and sockets), but this gets you going with the minimum of fuss. Bear in mind that java.security.AllPermission switches the sandbox off for that one web application, so it is only appropriate for code you would be happy to run unsandboxed anyway.

So, try again. This time OpenSSO gets a little further, but fails again with

/usr/share/tomcat5.5/AMConfig_localhost_opensso_ (Permission denied)

Although OpenSSO can now locate the user's home directory, it can't actually create a file there: in this configuration Tomcat runs as the tomcat5 user, whose home directory (/usr/share/tomcat5.5) is owned by root and is not writable by tomcat5. One solution is to make that directory temporarily writable by everyone (sudo chmod 777 /usr/share/tomcat5.5) and flip it back once OpenSSO has configured itself (sudo chmod 755 /usr/share/tomcat5.5); while it is open, any local user can drop files into the Tomcat installation directory, so don't forget the second step. A more elegant approach, and one which doesn't require you to go back and tidy up, is to pre-create just the one file and hand it to tomcat5:

sudo touch /usr/share/tomcat5.5/AMConfig_localhost_opensso_
sudo chown tomcat5 /usr/share/tomcat5.5/AMConfig_localhost_opensso_

Now you just need to give the configurator a configuration directory that is writable by tomcat5 (create it and chown it to tomcat5 in the same way) and all is well: a working OpenSSO and an interesting excursion through the mechanisms that Tomcat and Ubuntu use to stop web applications from running arbitrary code.
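As an added worked example (not part of the original post and not OpenSSO's own tooling), here is a small POSIX shell script that puts the procedure above together: it derives the AMConfig file name from a host and deployment URI using the naming rule described earlier, pre-creates that file for the container user (the touch/chown approach rather than chmod 777 on the home directory), and checks that a configuration directory is actually writable. The function names, the file name amconfig.sh and the directory /var/lib/opensso in the usage comments are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the name of the
# per-deployment AMConfig file and pre-create it for the web container's
# user, so the container's home directory never has to be made writable.
#
# Assumptions (not from the page): the function names, and that the caller
# supplies the host, deployment URI, home directory and user name.

# Name of the file OpenSSO's configurator writes into the container user's
# home: "AMConfig" + the deployment location "/<host>/<uri>/" with every
# slash turned into an underscore, e.g. /localhost/opensso/ becomes
# AMConfig_localhost_opensso_.
amconfig_name() {
    host=$1
    uri=$2
    # accept "opensso", "/opensso" or "/opensso/" and normalise to "opensso"
    uri=${uri#/}
    uri=${uri%/}
    printf 'AMConfig%s\n' "$(printf '/%s/%s/' "$host" "$uri" | tr '/' '_')"
}

# Pre-create the AMConfig file in the container user's home directory and
# hand it to that user, instead of opening up the whole directory with
# chmod 777. Run as root (sudo) for a real deployment; the chown is skipped
# when no owner is given so the function can also be exercised unprivileged.
prepare_bootstrap_file() {
    home=$1
    name=$2
    owner=$3
    file="$home/$name"
    touch "$file" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$file" || return 1
    fi
}

# The configurator also needs a configuration directory it can write to.
# Check it from the container user's point of view, for example
# (amconfig.sh and /var/lib/opensso are hypothetical names):
#   sudo -u tomcat5 sh -c '. ./amconfig.sh; config_dir_ready /var/lib/opensso'
config_dir_ready() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
}

# Real-world usage for the Ubuntu Tomcat 5.5 layout from the post:
#   sudo sh -c '. ./amconfig.sh; \
#     prepare_bootstrap_file /usr/share/tomcat5.5 "$(amconfig_name localhost /opensso)" tomcat5'
```

The two sudo lines in the comments are the whole deployment-time procedure: one creates and chowns the single file the configurator needs in /usr/share/tomcat5.5, the other confirms, as tomcat5 rather than as root, that the directory you are about to hand to the configurator is writable.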

Filed under: OpenSSO

Comments (6)
  1. hi Pat,

    I have opensso.war up and running without these problems on tomcat 5.5 on Solaris 10. I have tomcat user as root. 🙂

    For non-root, set up these before deploying the opensso.war:

    1. set
      permission java.util.PropertyPermission "user.home", "read";
    2. make sure that the tomcat admin user has read and write permission to his home directory.


  2. Awesome !! I had trouble when I tried earlier but never had the time to debug and fix. Thanks for the ‘education’. Works like a champ now !!

  3. Hi Dennis

    (1) doesn’t the OpenSSO web app require many more permissions than merely reading the “user.home” property? I seem to remember, the last time I tried setting granular permissions for a web app (a while ago, admittedly, pre-OpenSSO) I got into a long game of ‘whac-a-mole’ trying to find every permission it needed before I gave up and granted everything.

    (2) I thought about that one, then thought "there must be a reason for this, it feels wrong to just change directory ownership to tomcat5 or (worse) make it world-writable". The method I described opens the door just enough for it to work.

  4. Hi Shesh

    Glad it helped you out!

  5. Hi Pat,
    I’m gonna give openjdk, glassfish, opensso, light on ubuntu a shot and let you know how it goes…. I may require help along the way and hope you have a few cycles of your time to spare…

  6. Thank you so much!! That’s why I’m convinced I’m making the right choice by using Linux and other open source software – any problem I run into there’s some knowledgeable and big hearted person who can answer the exact thing I’ve been fighting for hours; keep up the great work 🙂

