On Unix-based systems, port 80 is protected and can usually only be opened by the superuser root. Because running the server as root is undesirable for security reasons, the options are as follows:
Start Jetty as the root user, and use Jetty's setuid mechanism to switch to a non-root user after startup.
Configure the server to run as a normal user on port 8080 (or some other non-protected port). Then, configure the operating system to redirect port 80 to 8080 using ipchains, iptables, ipfw or a similar mechanism.
The latter has traditionally been the solution; however, Jetty 9 has a Setuid feature.
If you are using Solaris 10, you may not need to use this feature, as Solaris provides a User Rights Management framework that can permit users and processes superuser-like abilities. Please refer to the Solaris documentation for more information.
If the environment variable JETTY_USER is set for the startup process and jetty.sh is used, jetty-setuid will not work! So if you want to use jetty-setuid, make sure JETTY_USER is not set!
In the Jetty etc directory you will find the following jetty-setuid.xml file, which can be modified to suit your needs.
set this to true if you will start the server up as the root user
the umask setting you would like the process to have; optionally, you may remove this line to leave it unchanged.
the name of the user you would like the process to run under after starting, set to jetty by default
the name of the group you would like the process to run under after starting, set to jetty by default
Additionally, if you would like to set the file descriptor limits in the process, you can uncomment the appropriate section above and set the soft and hard values accordingly.
The jetty-setuid.xml file runs as a wrapper around the typical Jetty server configuration, so you must set this XML file to be processed before any others. This is already configured, yet commented out, in the normal start.ini file in the root of the jetty-distribution.
Open the start.ini file and look for the following section:
Uncomment the OPTIONS line, which sets the setuid libraries to be loaded when Jetty starts, along with the line following it, which processes the jetty-setuid.xml file when Jetty starts up. Take care when modifying this file while the SetUID feature is in play, as jetty-setuid.xml MUST be the first XML file to be processed.
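A preflight check for the two pitfalls noted above (JETTY_USER being set, and jetty-setuid.xml not being the first XML file processed), as an added example that is not part of the Jetty distribution. The start.ini layout (one entry per line, # comments, the entry written as etc/jetty-setuid.xml) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the setuid setup described on this page.
# Assumptions (not from the Jetty docs): start.ini holds one entry per line,
# '#' starts a comment, and the setuid config is listed as etc/jetty-setuid.xml.

# Print the first uncommented entry ending in .xml, i.e. the first XML
# file the server would process.
first_xml() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep '\.xml$' | head -n 1
}

# Return 0 when both conditions from the text hold, 1 otherwise.
check_setuid_setup() {
    ini=$1
    rc=0
    if [ ! -r "$ini" ]; then
        echo "FAIL: cannot read $ini" >&2
        return 1
    fi
    # With jetty.sh, a set JETTY_USER stops jetty-setuid from working.
    if [ -n "${JETTY_USER:-}" ]; then
        echo "FAIL: JETTY_USER is set; unset it to use jetty-setuid" >&2
        rc=1
    fi
    # jetty-setuid.xml wraps the server configuration, so it must come first.
    first=$(first_xml "$ini")
    if [ "$first" != "etc/jetty-setuid.xml" ]; then
        echo "FAIL: first XML is '${first:-none}', not etc/jetty-setuid.xml" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample start.ini (not the file shipped with Jetty).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# etc/jetty-setuid.xml
etc/jetty.xml
etc/jetty-http.xml
EOF
if check_setuid_setup "$sample"; then
    echo "setuid setup looks consistent"
else
    echo "setuid setup needs attention"
fi
rm -f "$sample"
```

The constructed sample leaves the setuid entry commented out, so the check reports that etc/jetty.xml would be processed first.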
The Setuid feature leverages the JNI setup with the JVM, so part of the feature is C code compiled for the appropriate operating environment. By default we ship with .so files for both Linux and Mac OS X. The code for the entire SetUID feature is located in the Jetty toolchain. The Linux file is built on a release machine, most typically an Ubuntu machine with a fairly standard setup. If the existing distributed binaries do not work, you can look to this project and fiddle with the appropriate linker and compiler options until it works.