1

I have a tomcat running on an elastic beanstalk EC2:

64bit Amazon Linux 2015.09 v2.0.4 running Tomcat 8 Java 8

I'm having trouble when the web app wants to create a new directory/file. I'm getting the following error in catalina.out

java.io.IOException: java.io.FileNotFoundException: /home/ec2-user/images/companydata/images/2/10/ac3feab8-a2db-4052-9614-eea41c0a509e.png (Permission denied)
        at org.apache.catalina.core.ApplicationPart.write(ApplicationPart.java:121)
        at org.springframework.web.multipart.support.StandardMultipartHttpServletRequest$StandardMultipartFile.transferTo(StandardMultipartHttpServletRequest.java:260)
        at controler.RestControllerCompanyMobilePOST.uploadImage(RestControllerCompanyMobilePOST.java:183)
        at controler.RestControllerCompanyMobilePOST$$FastClassBySpringCGLIB$$538488ab.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:717)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
        at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:68)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
        at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:653)
        at controler.RestControllerCompanyMobilePOST$$EnhancerBySpringCGLIB$$1e56492.uploadImage(<generated>)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:776)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:705)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:967)
        at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:869)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:843)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:316)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:122)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:168)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:48)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:213)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:116)
        at org.springframework.boot.context.web.ErrorPageFilter.access$000(ErrorPageFilter.java:60)
        at org.springframework.boot.context.web.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:91)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.boot.context.web.ErrorPageFilter.doFilter(ErrorPageFilter.java:109)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.FileNotFoundException: /home/ec2-user/images/companydata/images/2/10/ac3feab8-a2db-4052-9614-eea41c0a509e.png (Permission denied)
        at java.io.FileOutputStream.open0(Native Method)
        at java.io.FileOutputStream.open(FileOutputStream.java:270)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
        at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
        at org.apache.tomcat.util.http.fileupload.disk.DiskFileItem.write(DiskFileItem.java:395)
        at org.apache.catalina.core.ApplicationPart.write(ApplicationPart.java:119)
        ... 97 more

So,, I know it's a permissions issue so I googled and I've found how to find out what user started tomcat by typing:

[root@ip-172-31-1-99 tomcat8]# ps auxwww | grep -v grep | grep tomcat
ec2-user 25653  0.0  0.1 107940   676 pts/0    T    18:29   0:00 tail -F catalina.2016-01-03.log catalina.2016-01-04.log catalina.2016-01-05.log host-manager.2016-01-03.log host-manager.2016-01-05.log localhost.2016-01-03.log localhost.2016-01-05.log manager.2016-01-03.log manager.2016-01-05.log tomcat8-initd.log
ec2-user 25665  0.0  0.1 107940   752 pts/0    T    18:30   0:00 tail -F catalina.2016-01-03.log catalina.2016-01-04.log catalina.2016-01-05.log host-manager.2016-01-03.log host-manager.2016-01-05.log localhost.2016-01-03.log localhost.2016-01-05.log manager.2016-01-03.log manager.2016-01-05.log tomcat8-initd.log
ec2-user 25811  0.0  0.1 107940   656 pts/0    T    18:45   0:00 tail -F catalina.2016-01-03.log catalina.2016-01-04.log catalina.2016-01-05.log host-manager.2016-01-03.log host-manager.2016-01-05.log localhost.2016-01-03.log localhost.2016-01-05.log manager.2016-01-03.log manager.2016-01-05.log tomcat8-initd.log
tomcat   26525  4.7 72.0 2400404 436580 ?      Sl   19:22   4:49 /usr/lib/jvm/jre/bin/java -DJDBC_CONNECTION_STRING= -Xms256m -Xmx256m -XX:MaxPermSize=64m -classpath :/usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/usr/share/tomcat8 -Dcatalina.home=/usr/share/tomcat8 -Djava.awt.headless=true -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/cache/tomcat8/temp -Djava.util.logging.config.file=/usr/share/tomcat8/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager org.apache.catalina.startup.Bootstrap start

And I can see tomcat was started by the user tomcat.

So, I changed the root folder where I want to store all the details and gave chown to user tomcat and group tomcat, and also chmod 777 on it

/home/ec2-user/images/

drwxrwxrwx 2 tomcat tomcat 4096 Jan 5 19:40 images

But I'm getting the same permission denied error.

Here is the method:

String StoreImageHere = 
                    locationOfCompanyData 
                    + File.separator
                    + locationOfImage 
                    + File.separator
                    + user.getCompany_id() 
                    + File.separator +
                    + notUpdatedImage.getServer_questionnaire_attempt_key()
                    + File.separator  ; 

            File uploadedFileFolderLocation = new File(locationRoot, StoreImageHere);           
            uploadedFileFolderLocation.mkdirs();

            String storeImageName = StoreImageHere + notUpdatedImage.getImage_name();   
            File uploadedFile = new File(locationRoot, storeImageName);                     

            try {
                file.transferTo(uploadedFile);
            } catch (IllegalStateException e) {
                e.printStackTrace();
                logger.error(user.getUsers_email()
                        + "  /api/mobile/uploadImage/{server_image_id}/ " 
                        + " userID[" + user.getUsers_id() + "]"
                        + " error[" + e.getMessage() + "]");
            } catch (IOException e) {
                e.printStackTrace();
                logger.error(user.getUsers_email()
                        + "  /api/mobile/uploadImage/{server_image_id}/ " 
                        + " userID[" + user.getUsers_id() + "]"
                        + " error[" + e.getMessage() + "]");
            }

            if(uploadedFile.exists()) {
                notUpdatedImage.setSync(ENUM_SYNC_STATUS.SYNCED.getValue());
                notUpdatedImage = mobileManagment.updateImage(user, notUpdatedImage, ENUM_ACTIVITY_TYPE.ANSWER_INPUT_UPLOADED);         
                 return new Gson().toJson(notUpdatedImage); 
            } else {
                logger.error(user.getUsers_email()
                        + "  /api/mobile/"+VERSION+"/uploadImage/{server_image_id}/ " 
                        + " userID[" + user.getUsers_id() + "]"
                        + " dest.exists() == false ");
            }

I ran

setenforce 0

and it returned

setenforce: SELinux is disabled

On a windows machine, it takes this parameter

location.sever.root=C:/Users/killesk_beast/Desktop/temp/

and on the linux machine, it takes this

location.sever.root=/home/ec2-user/images/

Unless there is a simple mistake that I'm just not seeing

Hussain K
  • 613
  • 8
  • 16
Killesk
  • 2,734
  • 3
  • 22
  • 29

1 Answers1

6

You probably still have a permission issue. To be able to go through /home/ec2-user/images, your 'tomcat' user need to have 'x' right on all upper directories(ie. home and ec2-user). You can probably solve your issue by changing mode of those directories to allow Other group to execute them:

chmod o+x /home
chmod o+x /home/ec2-user

Nevertheless, you should not do that on a sensitive system. You might want to try writing and reading in an appropriate directory.

If it doesn't solve your issue, your problem might be related to SELinux.

You can try the following command to check:

setenforce 0
Thomas L.
  • 1,294
  • 9
  • 13
  • Hi Thomas, I ran that command and got -> setenforce: SELinux is disabled – Killesk Jan 06 '16 at 11:11
  • Hey Thomas, yep, I'm still seeing the same error message. I updated the question with my method and parameter values I'm using. Possibly there is a simple mistake somewhere with how I'm declaring the directory name. – Killesk Jan 06 '16 at 12:05
  • Updated my answer though. – Thomas L. Jan 06 '16 at 12:33
  • 1
    Hey, chmod o+x /home + chmod o+x /home/ec2-user worked. Thanks for your help Thomas!! – Killesk Jan 06 '16 at 12:45
  • @ThomasL. I am facing similar issue but when I change permission of ec2-user directory I can create new file from java program running in tomcat but this breaks SSH login and couldn't SSH into my instance next time. Killesk please update if you didn't face SSH issue after you change permission. – VinKrish Dec 14 '17 at 06:54
  • This answer could have saved my 3 days, even AWS support engineers couldn't give me right suggestion. I was changing write permission this was causing SSH error but then I only changed x permission and fixed the problem. – VinKrish Dec 14 '17 at 07:13