Killesk
Reputation: 3204
AWS EC2 tomcat permission denied creating/writing to file
I have a tomcat running on an elastic beanstalk EC2:
64bit Amazon Linux 2015.09 v2.0.4 running Tomcat 8 Java 8
I'm having trouble when the web app wants to create a new directory/file. I'm getting the following error in catalina.out
java.io.IOException: java.io.FileNotFoundException: /home/ec2-user/images/companydata/images/2/10/ac3feab8-a2db-4052-9614-eea41c0a509e.png (Permission denied)
at org.apache.catalina.core.ApplicationPart.write(ApplicationPart.java:121)
at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest$StandardMultipartFile.transferTo(StandardMultipartHttpServletRequest.java:260)
at controler.RestControllerCompanyMobilePOST.uploadImage(RestControllerCompanyMobilePOST.java:183)
at controler.RestControllerCompanyMobilePOST$$FastClassBySpringCGLIB$$538488ab.invoke(<generated>)
at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:717)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:68)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:653)
at controler.RestControllerCompanyMobilePOST$$EnhancerBySpringCGLIB$$1e56492.uploadImage(<generated>)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:776)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:705)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:316)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:168)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:213)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:116)
at org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:60)
at org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:91)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:109)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.FileNotFoundException: /home/ec2-user/images/companydata/images/2/10/ac3feab8-a2db-4052-9614-eea41c0a509e.png (Permission denied)
at java.io.FileOutputStream.open0(Native Method)
at java.io.FileOutputStream.open(FileOutputStream.java:270)
at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
at org.apache.tomcat.util.http.fileupload.disk.DiskFileItem.write(DiskFileItem.java:395)
at org.apache.catalina.core.ApplicationPart.write(ApplicationPart.java:119)
... 97 more
So,, I know it's a permissions issue so I googled and I've found how to find out what user started tomcat by typing:
[root@ip-172-31-1-99 tomcat8]# ps auxwww | grep -v grep | grep tomcat
ec2-user 25653 0.0 0.1 107940 676 pts/0 T 18:29 0:00 tail -F catalina.2016-01-03.log catalina.2016-01-04.log catalina.2016-01-05.log host-manager.2016-01-03.log host-manager.2016-01-05.log localhost.2016-01-03.log localhost.2016-01-05.log manager.2016-01-03.log manager.2016-01-05.log tomcat8-initd.log
ec2-user 25665 0.0 0.1 107940 752 pts/0 T 18:30 0:00 tail -F catalina.2016-01-03.log catalina.2016-01-04.log catalina.2016-01-05.log host-manager.2016-01-03.log host-manager.2016-01-05.log localhost.2016-01-03.log localhost.2016-01-05.log manager.2016-01-03.log manager.2016-01-05.log tomcat8-initd.log
ec2-user 25811 0.0 0.1 107940 656 pts/0 T 18:45 0:00 tail -F catalina.2016-01-03.log catalina.2016-01-04.log catalina.2016-01-05.log host-manager.2016-01-03.log host-manager.2016-01-05.log localhost.2016-01-03.log localhost.2016-01-05.log manager.2016-01-03.log manager.2016-01-05.log tomcat8-initd.log
tomcat 26525 4.7 72.0 2400404 436580 ? Sl 19:22 4:49 /usr/lib/jvm/jre/bin/java -DJDBC_CONNECTION_STRING= -Xms256m -Xmx256m -XX:MaxPermSize=64m -classpath :/usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat8 -Dcatalina.home=/usr/share/tomcat8 -Djava.awt.headless=true -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat8/temp -Djava.util.logging.config.file=/usr/share/tomcat8/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start
And I can see tomcat was started by the user tomcat.
So, I changed the root folder where I want to store all the details and gave chown to user tomcat and group tomcat, and also chmod 777 on it
/home/ec2-user/images/
drwxrwxrwx 2 tomcat tomcat 4096 Jan 5 19:40 images
But I'm getting the same permission denied error.
Here is the method:
String StoreImageHere =
locationOfCompanyData
+ File.separator
+ locationOfImage
+ File.separator
+ user.getCompany_id()
+ File.separator +
+ notUpdatedImage.getServer_questionnaire_attempt_key()
+ File.separator ;
File uploadedFileFolderLocation = new File(locationRoot, StoreImageHere);
uploadedFileFolderLocation.mkdirs();
String storeImageName = StoreImageHere + notUpdatedImage.getImage_name();
File uploadedFile = new File(locationRoot, storeImageName);
try {
file.transferTo(uploadedFile);
} catch (IllegalStateException e) {
e.printStackTrace();
logger.error(user.getUsers_email()
+ " /api/mobile/uploadImage/{server_image_id}/ "
+ " userID[" + user.getUsers_id() + "]"
+ " error[" + e.getMessage() + "]");
} catch (IOException e) {
e.printStackTrace();
logger.error(user.getUsers_email()
+ " /api/mobile/uploadImage/{server_image_id}/ "
+ " userID[" + user.getUsers_id() + "]"
+ " error[" + e.getMessage() + "]");
}
if(uploadedFile.exists()) {
notUpdatedImage.setSync(ENUM_SYNC_STATUS.SYNCED.getValue());
notUpdatedImage = mobileManagment.updateImage(user, notUpdatedImage, ENUM_ACTIVITY_TYPE.ANSWER_INPUT_UPLOADED);
return new Gson().toJson(notUpdatedImage);
} else {
logger.error(user.getUsers_email()
+ " /api/mobile/"+VERSION+"/uploadImage/{server_image_id}/ "
+ " userID[" + user.getUsers_id() + "]"
+ " dest.exists() == false ");
}
I ran
setenforce 0
and it returned
setenforce: SELinux is disabled
On a windows machine, it takes this parameter
location.sever.root=C:/Users/killesk_beast/Desktop/temp/
and on the linux machine, it takes this
location.sever.root=/home/ec2-user/images/
Unless there is a simple mistake that I'm just not seeing
Upvotes: 1
Views: 7899
Answers (1)
Thomas L.
Reputation: 1314
You probably still have a permission issue. To be able to go through /home/ec2-user/images, your 'tomcat' user need to have 'x' right on all upper directories(ie. home and ec2-user). You can probably solve your issue by changing mode of those directories to allow Other group to execute them:
chmod o+x /home
chmod o+x /home/ec2-user
Nevertheless, you should not do that on a sensitive system. You might want to try writing and reading in an appropriate directory.
If it doesn't solve your issue, your problem might be related to SELinux.
You can try the following command to check:
setenforce 0
Upvotes: 6