tomcat-dev mailing list archives

From Andrey Kartashov <>
Subject Re: Tomcat 3.2.2 beta 4 (problem with shutdown code)
Date Fri, 04 May 2001 23:58:17 GMT
On Fri, May 04, 2001 at 10:57:20PM +0200, GOMEZ Henri wrote:

> I agree you could run multiples tomcat on the same box, and
> in that case each JVM will listen AJP12 to handle shutdown
> on a different port.

What if we want to run them on different interfaces using same ports?
I would much rather remember different DNS names for these instances and
port 8080 than one name and a bunch of ports. Then I'd have to remember 
which port is which:) This is the whole point of having DNS - it helps
you remember things:)

> >> Warning, Warning here. The "localhost" is used here for security
> >I strongly disagree with this:) If you configure your Ajp 
> >connector to listen
> >to a particular interface someone _CAN_ send you shutdown 
> >command regardless
> >of your shutdown code abilities.
> Let's be prudent here. The standard configuration must avoid 
> security hole. Many users will have tomcat in front and we
> must avoid someone outside shutdown their TC boxes. 

Let me clarify this:) I don't ask you guys to change default configuration.
I ask you to change shutdown code so that if I do change configuration from
default to something else - the code'll still work.

Also if I'm not mistaken - Tomcat binds to all interfaces by default as I don't
see the inet="" option set in the default server.xml file for Ajp
connectors.  I'll double check that:)

> >If you want security - you need to think about your network 
> >configuration,
> >not the shutdown code. This is what sys admins are for:)
> Actually TC with its localhost shutdown scheme is secure
> and why did you want to open the door to bad boys ?:)

We didn't:) I'm talking about development machine that sits behind the 
firewall (as well as the rest of us) and the only ports you can get to from
outside are 22 and 80:) All the developers have access to all Tomcats anyway:)
This means that someone from outside can't send the shutdown command, only
from the inside which is Ok anyway:)

> >There are 2 ways to set up Tomcat here:
> >	1) All Ajp connectors bound to the same but 
> >on different ports.
> >	2) Ports are the same but Ajp connectors are bound to 
> >different IP's
> I'm ok for the solution 1 and -1 for the solution 2.
As I said - the matter of style:)

> >We prefer second case. Why? - It's a matter of taste&style.
> >The problem is that in this case shutdown code misbehaves as 
> >you may guess:)
> >Solution to this is very simple and I had it attached to 
> >previous E-Mail.
> Don't forget that in web-server -> tomcat farm, web-servers
> will be in the 'sensible zone' and if they are compromised 
> the attacker could just send the AJP12 command to shutdown
> all your Tomcat
> Next is a standard schema to protect Tomcat behind firewall and web server !
I'm totally cool with standard schema:) What I'm talking about is a development
machine that has non-default configuration. Other things I've written were
examples, probably bad examples:)

My point is simple: If it is possible to configure the system the way I
described before - all of it should work including shutdown code:) I hope
you agree that the ability to bind it to specific interface is there for a 
reason and the only reason I can think of is to be able to use same ports
but different IP addresses.

oo Andrey
"All mail clients suck. This one just sucks less."
           --  Jeremy Blosser
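The thread turns on which interface each Ajp12 connector (the one that accepts the shutdown command) is bound to in server.xml. Below is an added audit helper, not code from the thread or from Tomcat, that reports every Ajp12 connector's port and inet binding and flags any that is reachable from the network; the Tomcat 3.x Parameter layout of the sample and the 127.x loopback test are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Tomcat 3.x server.xml style (assumed layout, not
# taken from the thread): Parameter elements carry the handler, port and inet.
SAMPLE_SERVER_XML = """<Server>
  <ContextManager>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler" value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
      <Parameter name="port" value="8007"/>
    </Connector>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler" value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
      <Parameter name="port" value="8007"/>
      <Parameter name="inet" value="10.0.0.5"/>
    </Connector>
    <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler" value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
      <Parameter name="port" value="8007"/>
      <Parameter name="inet" value="127.0.0.1"/>
    </Connector>
  </ContextManager>
</Server>
"""


def audit_ajp12_bindings(xml_text):
    """Return (port, inet, exposed) for every Ajp12 connector.

    A connector with no inet value binds every interface (the default Andrey
    suspects in the thread), so it is reported as exposed; only a loopback
    binding keeps the shutdown listener unreachable from other hosts.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        params = {p.get("name"): p.get("value") for p in conn.findall("Parameter")}
        if "Ajp12" not in params.get("handler", ""):
            continue
        inet = params.get("inet") or "0.0.0.0"  # missing inet => all interfaces
        exposed = not inet.startswith("127.")     # assumed loopback test
        findings.append((int(params.get("port", 0)), inet, exposed))
    return findings


if __name__ == "__main__":
    for port, inet, exposed in audit_ajp12_bindings(SAMPLE_SERVER_XML):
        state = "EXPOSED to the network" if exposed else "loopback only"
        print(f"Ajp12 shutdown listener {inet}:{port} -> {state}")
```

Three connectors on the same port 8007 but different inet values is exactly the "same ports, different IPs" layout discussed above; only the 127.0.0.1 one matches the default localhost scheme.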
