On Unix-based systems, port 80 (like every port below 1024) is a privileged port and can normally only be bound by the superuser, root. Because running the server as root is undesirable for security reasons, there are two options:

Start Jetty as root and use Jetty's SetUID mechanism to bind the privileged port and then switch to a non-root user.

Run the server as a normal user on port 8080 (or some other unprivileged port) and have the operating system redirect port 80 to 8080 using ipchains, iptables, ipfw or a similar mechanism.

The latter has traditionally been the solution; however, Jetty 9 provides the SetUID feature described here.

If you are using Solaris 10, you may not need this feature at all, as Solaris provides a User Rights Management framework that can grant users and processes specific superuser-like privileges (such as binding a privileged port) without running as root. Refer to the Solaris documentation for details.
In the Jetty etc directory you will find the following jetty-setuid.xml file, which can be modified to suit your needs:

    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">

    <!-- ================================================================ -->
    <!-- Configure the Jetty SetUIDServer                                 -->
    <!-- This configuration file *must* be specified first in the list of -->
    <!-- configuration files and should be used in combination with other -->
    <!-- configuration files eg jetty.xml                                 -->
    <!-- ================================================================ -->

    <Configure id="Server" class="org.eclipse.jetty.setuid.SetUIDServer">
      <Set name="startServerAsPrivileged">false</Set>
      <Set name="umask">2</Set>
      <Set name="username">jetty</Set>
      <Set name="groupname">jetty</Set>

      <!-- uncomment to change the limits on number of open file descriptors for root -->
      <!--
      <Call name="setRLimitNoFiles">
        <Arg>
          <New class="org.eclipse.jetty.setuid.RLimit">
            <Set name="soft">20000</Set>
            <Set name="hard">40000</Set>
          </New>
        </Arg>
      </Call>
      -->
    </Configure>
Options:

startServerAsPrivileged: set this to true if the whole server start-up must run as root before privileges are dropped. With the default of false, only the connectors open their listening ports as root; the process then switches to the configured user and group and the rest of the server starts unprivileged, which is the least-privilege choice and the one to keep unless something other than port binding genuinely needs root.

umask: the umask the process should run with after start-up. The shipped value 2 corresponds to umask 002, i.e. new files are created group-writable; remove the line to leave the inherited umask unchanged.

username: the name of the user the process should run as after starting; jetty by default.

groupname: the name of the group the process should run as after starting; jetty by default.

Additionally, if you would like to set the open file descriptor limits of the process, uncomment the setRLimitNoFiles section above and set the soft and hard values accordingly. The limits are raised while the process is still root, before the switch to the unprivileged user.
The jetty-setuid.xml file acts as a wrapper around the usual Jetty server configuration, so it must be processed before any other XML file. This is already configured, but commented out, in the start.ini file in the root of the jetty-distribution.

Open the start.ini file and look for the following section:

    #===========================================================
    # Enable SetUID
    # To enable setuid you must have the jetty-setuid.xml as the
    # first xml file to be processed.
    # The default user and group is 'jetty' and if you are
    # starting as root you must change the run privileged to true
    #-----------------------------------------------------------
    # OPTIONS=setuid
    # etc/jetty-setuid.xml
    #===========================================================
Uncomment the OPTIONS line, which causes the setuid libraries to be loaded when Jetty starts, and the line following it, which causes jetty-setuid.xml to be processed at start-up. Take care when editing this file while the SetUID feature is in use: jetty-setuid.xml MUST remain the first XML file to be processed, otherwise the other configuration files are applied to a plain Server rather than to the SetUIDServer and no privilege drop takes place.
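Because the ordering requirement is easy to get wrong by hand, here is an added POSIX shell script that performs the two edits and then checks the result. It is not part of the Jetty distribution; it assumes the start.ini section shown above and the Jetty 9 convention that every uncommented line ending in .xml names a configuration file, processed in file order. The start.ini it operates on is a constructed sample.

```shell
#!/bin/sh
# Added example (not part of the Jetty distribution): enables the SetUID
# section of a Jetty 9 start.ini and makes sure etc/jetty-setuid.xml is the
# first XML file processed. The start.ini used below is a constructed sample.

# enable_setuid FILE
#   1. uncomments "# OPTIONS=setuid" and "# etc/jetty-setuid.xml"
#   2. moves etc/jetty-setuid.xml ahead of every other active *.xml entry
# Running it twice is harmless: the setuid entry is removed and re-inserted once.
enable_setuid() {
    f="$1"
    tmp="$f.tmp"
    sed -e 's/^# *OPTIONS=setuid$/OPTIONS=setuid/' \
        -e 's/^# *etc\/jetty-setuid\.xml$/etc\/jetty-setuid.xml/' "$f" > "$tmp"
    awk '
        /^etc\/jetty-setuid\.xml$/ { next }                # drop, re-inserted below
        !done && /^[^#].*\.xml$/  { print "etc/jetty-setuid.xml"; done = 1 }
        { print }
        END { if (!done) print "etc/jetty-setuid.xml" }   # no other xml: append
    ' "$tmp" > "$f"
    rm -f "$tmp"
}

# first_xml FILE: the first uncommented entry ending in .xml, i.e. the first
# configuration file start.jar will process from this ini.
first_xml() {
    grep -v '^#' "$1" | grep '\.xml$' | head -n 1
}

# setuid_enabled FILE: succeeds only if the setuid option is active AND
# jetty-setuid.xml is first, the two conditions the documentation requires.
setuid_enabled() {
    grep -q '^OPTIONS=setuid$' "$1" &&
        [ "$(first_xml "$1")" = "etc/jetty-setuid.xml" ]
}

# Demonstration on a constructed start.ini with the same section layout as the shipped file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/start.ini" <<'EOF'
OPTIONS=Server,jsp,resources,ext
etc/jetty.xml
etc/jetty-deploy.xml
#===========================================================
# Enable SetUID
#-----------------------------------------------------------
# OPTIONS=setuid
# etc/jetty-setuid.xml
#===========================================================
EOF

if setuid_enabled "$demo_dir/start.ini"; then
    echo "before: setuid already enabled"
else
    echo "before: setuid disabled, first xml = $(first_xml "$demo_dir/start.ini")"
fi
enable_setuid "$demo_dir/start.ini"
echo "after:  first xml = $(first_xml "$demo_dir/start.ini")"
cat "$demo_dir/start.ini"
rm -rf "$demo_dir"
```

After starting Jetty as root with the modified start.ini, confirm the privilege drop actually happened: the java process should be owned by jetty (for example `ps -o user=,pid=,args= -C java`), while port 80 is still listening (`ss -ltnp` or `netstat -ltnp`). A java process still owned by root means jetty-setuid.xml was not processed first.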
The SetUID feature relies on JNI, so part of it is C code compiled for the target operating environment. By default Jetty ships with .so files for both Linux and Mac OS X. The code for the entire SetUID feature lives in the Jetty toolchain. The Linux binary is built on a release machine, typically an Ubuntu machine with a fairly standard setup. If the distributed binaries do not work on your platform, build the library from that project yourself, adjusting the compiler and linker options until it loads correctly.