IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories

Ullfig, Roberto Alfredo rullfig at
Tue Jun 27 16:10:34 UTC 2023

The problem was the lack of a global web.xml in the apt install of tomcat9 from Ubuntu. Copied the file over from the CentOS server and everything works fine now. Thanks all!

Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
From: users <users-bounces at> on behalf of Peter Schober via users <users at>
Sent: Tuesday, June 27, 2023 8:10 AM
To: users at <users at>
Cc: Peter Schober <peter.schober at>
Subject: Re: IDP 4.3.1 Ubuntu 22.04/Tomcat 9 - No Access to App Subdirectories

* Ullfig, Roberto Alfredo <rullfig at> [2023-06-27 14:31]:
> Yes I reloaded. I've been doing this for over a decade.

You shouldn't feel offended by someone trying to help you fix your problems.
And it's not like the most experienced of admins are incapable of
making simple mistakes. Maybe you're the exception, of course.

> Do you know where systemd logs denied write access because I can't
> see that logged anywhere.

I'm not aware that it does but that doesn't mean anything.
The systemd docs (or code) would tell you. Sorry if you already knew
that as well. (Hard to tell which suggestions are OK and which are not
because you know all that.)

> I only figured out to enable write access to the log from someone
> else's post.

That specific issue only occurs when someone is using a distribution
of Tomcat that's explicitly not supported by the Shibboleth project:

  "We also do not officially support any "packaged" containers provided
  by OS vendors. We do not test on these containers so we cannot
  assess what changes may have been made by the packaging process [...]"

I've personally reported about this issue and how to work around it
several times on this list, at least 3 times in 2020 alone, back when
this issue initially came up (by Debian and derivatives introducing
these additional hardening mechanisms in their tomcat packaging):

> It could be that tomcat is opening the directories R/W even though
> it doesn't need to write to them.

I never had to add any ReadWritePaths to make the IDP's default of
/idp/images/ work, which maps to the war in $IDP_HOME/war/idp.war or
an extracted copy thereof, which on Debian & friends would end up in
/var/lib/tomcat9/webapps/idp/ -- and /var/lib/tomcat9/webapps/ is
included in the default ReadWritePaths as distributed by Debian and

So no manual config changes would be needed to make the images
directory of the default IDP distribution work here, IMO.

Not even when putting those images into the ROOT context (which is the
alternative Keith W. suggested and what I'm using myself), outside of
the IDP's war mechanism, which on Debian & friends is in
/var/lib/tomcat9/webapps/ROOT/ and so still included in the default
systemd service's ReadWritePaths as well.
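Added example, not part of the thread: a POSIX shell check that answers the question Peter raises offline, i.e. whether a directory the IdP needs to write to sits under one of the directories listed in the tomcat9 unit's ReadWritePaths=. The sample ReadWritePaths value and the /opt/shibboleth-idp home are assumptions; read the real value with `systemctl show tomcat9 -p ReadWritePaths`.

```shell
#!/bin/sh
# systemd grants write access to each ReadWritePaths= entry and everything
# beneath it, so a component-wise path-prefix match decides coverage.

# path_covered PATH PREFIX... -> exit 0 if PATH equals a PREFIX or lies below it
path_covered() {
    target=${1%/}; shift
    for p in "$@"; do
        p=${p#-}; p=${p#+}        # drop systemd's "-" / "+" entry markers
        p=${p%/}
        [ -n "$p" ] || continue   # an empty prefix would match every path
        case "$target" in
            "$p"|"$p"/*) return 0 ;;
        esac
    done
    return 1
}

# uncovered_paths "RWP-VALUE" PATH... -> prints each PATH that is NOT covered
uncovered_paths() {
    rwp=$1; shift
    for target in "$@"; do
        # ReadWritePaths as shown by systemctl is space separated; split it
        # shellcheck disable=SC2086
        path_covered "$target" $rwp || printf '%s\n' "$target"
    done
}

# Constructed sample (assumption) resembling a Debian/Ubuntu tomcat9 unit;
# /var/lib/tomcat9/webapps/ is the entry the thread says is present by default.
SAMPLE_RWP="/var/lib/tomcat9/webapps/ /var/log/tomcat9/"

# Directories an IdP touches at runtime; /opt/shibboleth-idp is the assumed IDP_HOME.
idp_report() {
    uncovered_paths "$SAMPLE_RWP" \
        /var/lib/tomcat9/webapps/idp/images \
        /var/lib/tomcat9/webapps/ROOT/images \
        /opt/shibboleth-idp/logs
}

# Only the IdP log directory should be reported as lacking write access.
idp_report
```

Feed the output of `systemctl show tomcat9 -p ReadWritePaths` (minus the `ReadWritePaths=` prefix) in place of SAMPLE_RWP to check a live host.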
