Tomcat 8 Permissions Issues (Windows)

java tomcat windows-server-2012

I'm currently trying to troubleshoot an issue with a Java web application that is stumping me along with the vendor of the software. We're running on Windows Server 2012 with Tomcat 8. In my scenario, the application uses an installer to set up the files and environment. As part of the setup process, the service account that Tomcat will run under is supplied. For this example, I'll call the service account srvTomcat.

FAIL

Context: Tomcat running as Windows Service

User: srvTomcat

With Tomcat running in this context, we can log in and interact with the UI. However, the application fails when it attempts to create a new directory on disk (E:\xxx\xxx). During troubleshooting, we've given the service account full control over the directory and a file share, and the problem remains. The logs only tell us that a directory cannot be created.

SUCCESS

Context: Tomcat running from Administrator Command Prompt

User: srvTomcat

When Tomcat is launched in an administrator command prompt running under the same account as the failure above, everything works. The application can create directories on disk.

There is no difference that I know of between the configuration options used when running as a Windows Service (failing) and running from an administrator command prompt (working). Are there any new security options with Windows Server 2012 that may be causing this issue?

Best Answer

A coworker of mine actually found the solution to the issue we were running into. In a nutshell, it boils down to running Windows Server 2012 on top of vSphere 5. In our case, the drive that the application was attempting to write to (D:) was seen as a hot pluggable device, which appears to be the default when running Windows Server 2012 on vSphere 5.0 and something our build process doesn't account for. When run via the console, Tomcat/Java security settings allow for writing to this type of drive. However, when running as a service, access was denied and writes failed.

To fix this issue, we had to make sure that Windows didn't see the drive as hot pluggable, which was done using the following steps:

  1. Connect to the ESXi/ESX host or vCenter Server using the vSphere Client.
  2. Power off the virtual machine.
  3. Right-click the virtual machine and click Edit Settings.
  4. Click the Options tab.
  5. Click General > Configuration Parameters > Add Row.
  6. Insert a new row with the name devices.hotplug and a value of false.
  7. Power on the virtual machine.

The steps above were found at http://www.jonathanmedd.net/2013/06/windows-server-2012-on-vsphere-5-0-the-case-of-the-missing-d-drive.html.
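
The answer notes that the build process did not account for this default. As an added example (not part of the original answer or the linked article), the following check scans VM configuration text for the `devices.hotplug` parameter and reports machines where it is absent or not set to false. It assumes the row added under Configuration Parameters is stored in the VM's `.vmx` file as a `key = "value"` line and that keys can be compared case-insensitively; the VM names and file contents are constructed samples.

```python
import re

# Matches one .vmx entry such as: devices.hotplug = "false"
_ENTRY = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {lowercased key: value}; a later duplicate key overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # skip comment lines
            continue
        m = _ENTRY.match(line)
        if m:
            # Assumption: keys are compared case-insensitively.
            settings[m.group(1).lower()] = m.group(2)
    return settings


def hotplug_status(text):
    """Classify the devices.hotplug setting of one VM configuration."""
    value = parse_vmx(text).get("devices.hotplug")
    if value is None:
        return "missing"    # parameter absent, so the default behaviour applies
    if value.strip().lower() == "false":
        return "disabled"
    return "enabled"


def audit(configs):
    """Return sorted names of VMs whose drives may still be seen as hot pluggable."""
    return sorted(name for name, text in configs.items()
                  if hotplug_status(text) != "disabled")


# Constructed sample .vmx contents (hypothetical VMs, not taken from the page).
SAMPLES = {
    "app01": 'displayName = "app01"\nguestOS = "windows8srv-64"\n',
    "app02": 'displayName = "app02"\ndevices.hotplug = "false"\n',
    "app03": 'displayName = "app03"\ndevices.hotplug = "TRUE"\n',
    "app04": '# devices.hotplug = "false"\ndisplayName = "app04"\n',
}

if __name__ == "__main__":
    for vm in audit(SAMPLES):
        print(f"{vm}: devices.hotplug is {hotplug_status(SAMPLES[vm])}")
```

A commented-out entry (as in `app04`) counts as missing, which is the case a build template is most likely to hide.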