The Problem: Tomcat’s Security Sandbox
If you install Tomcat 9 or 10 using the default Ubuntu package manager (apt), it comes with strict security settings. Even if your folder permissions look correct on the surface, the packaged systemd unit sets ProtectSystem=strict, which makes the file system read-only for the Tomcat service except for the directories listed in ReadWritePaths=.
By default, Tomcat is therefore blocked from writing to the DSpace folder (e.g. /opt/dspace), which is where DSpace needs to store uploaded content.
The Solution: Updating the Service File
I applied this solution to DSpace 7 & 8. To fix this, you need to tell the system that Tomcat has permission to write to your DSpace folder. Follow these steps:
Open the Service File: Find your Tomcat systemd unit file (usually located at /lib/systemd/system/tomcat10.service). The file name follows your Tomcat version, so check which version is installed (for example, tomcat9.service for Tomcat 9).
Add the Path: Look for the "# Security" block (it sits inside the [Service] section) and find the lines starting with ReadWritePaths=. Add your DSpace installation path to this list. For example: ReadWritePaths=/opt/dspace
Check the User: Ensure the User= line in that same file matches the owner of your DSpace folder.
This is how the block looks after updating (this sample comes from a tomcat9 unit file):
# Security
User=tomcat
Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
ReadWritePaths=/opt/dspace
Reload and Restart: Save the file, then run these commands to apply the changes (use your own service name if it is not tomcat10):
sudo systemctl daemon-reload
sudo systemctl restart tomcat10
Once these changes are made, the "sandbox" permits writes to your DSpace folder while the rest of the file system stays read-only for Tomcat, and your file uploads should work immediately.
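The "Add the Path" and "Check the User" steps can be verified with a short script. This is an added example, not part of the original post: check_unit and make_sample are hypothetical helper names, and the unit file and DSpace folder are constructed in a scratch directory so nothing on the system is touched.

```shell
#!/bin/sh
# Added example: audit a Tomcat unit file against the steps above.
# Usage: check_unit UNIT_FILE DSPACE_DIR   (returns the number of problems)
check_unit() {
    unit=$1; dir=${2%/}; problems=0

    # ReadWritePaths= only matters when ProtectSystem= makes the tree read-only.
    protect=$(sed -n 's/^ProtectSystem=//p' "$unit" | tail -n 1)
    echo "ProtectSystem=${protect:-<unset>}"

    # A directory is writable if it equals, or lies under, any listed path.
    # Entries may carry a "-" or "+" prefix and a trailing slash.
    covered=no
    for p in $(sed -n 's/^ReadWritePaths=//p' "$unit"); do
        p=${p#[-+]}; p=${p%/}
        case "$dir/" in "$p"/*) covered=yes ;; esac
    done
    if [ "$covered" = no ]; then
        echo "FAIL: $dir is not covered by any ReadWritePaths= entry"
        problems=$((problems + 1))
    fi

    # The service account must also own the directory on disk.
    # (ls is used for portability; on Ubuntu, stat -c %U gives the same name.)
    user=$(sed -n 's/^User=//p' "$unit" | tail -n 1)
    owner=$(ls -ld "$dir" | awk '{print $3}')
    if [ "$user" != "$owner" ]; then
        echo "FAIL: User=$user but $dir is owned by $owner"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: a scratch directory stands in for /opt/dspace, and the
# unit file is a cut-down copy of the block shown above.
make_sample() {
    work=$(mktemp -d); mkdir "$work/dspace"
    me=$(ls -ld "$work/dspace" | awk '{print $3}')
    printf '%s\n' '[Service]' "User=$me" 'ProtectSystem=strict' \
        'ReadWritePaths=/var/log/tomcat9/' > "$work/before.service"
    { cat "$work/before.service"; echo "ReadWritePaths=$work/dspace"; } \
        > "$work/after.service"
    echo "$work"
}

w=$(make_sample)
check_unit "$w/before.service" "$w/dspace" || echo "-> $? problem(s) before the edit"
check_unit "$w/after.service" "$w/dspace" && echo "-> OK after the edit"
rm -rf "$w"
```

On a real host, the equivalent call is check_unit /lib/systemd/system/tomcat10.service /opt/dspace.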