tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Eggers <its_toas...@yahoo.com>
Subject Connector warning message with native libraries
Date Thu, 05 Apr 2012 19:40:34 GMT
Folks:

I'm seeing a warning in my logs when I use request.secret for the AJP
connector when I load the APR native libraries. The warning is:

WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
  Setting property 'request.secret' to 'somesillypassword' did not find a
  matching property.

I'm running a three node Tomcat cluster for testing with the following
configuraiton:

OS:     Fedora 15 32 bit
JVM:    java version "1.6.0_31"
        Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
        Java HotSpot(TM) Client VM (build 20.6-b01, mixed mode, sharing)
Tomcat: 6.0.35
Native: 1.1.22
APR:    apr-util-devel-1.3.12-1.fc15.i686 (Fedora RPM)
SSL:    openssl-devel-1.0.0g-1.fc15.i686 (Fedora RPM)

If I load the native libraries with the following setenv.sh
(CATALINA_BASE and CATALINA_HOME are set in a parent script):

#!/bin/bash
JMX_PORT=9004
CATALINA_OPTS="-Djava.library.path=$CATALINA_HOME/bin/libs \
               -Dcom.sun.management.jmxremote \
               -Dcom.sun.management.jmxremote.port=$JMX_PORT \
               -Dcom.sun.management.jmxremote.ssl=false \
               -Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="-Dlog4j.home=$CATALINA_BASE/logs"
export CATALINA_OPTS JAVA_OPTS

I get the WARNING message above.

If I comment out the native libraries and run the following setenv.sh
script:

#!/bin/bash
JMX_PORT=9004
# CATALINA_OPTS="-Djava.library.path=$CATALINA_HOME/bin/libs \
CATALINA_OPTS="-Dcom.sun.management.jmxremote \
               -Dcom.sun.management.jmxremote.port=$JMX_PORT \
               -Dcom.sun.management.jmxremote.ssl=false \
               -Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="-Dlog4j.home=$CATALINA_BASE/logs"
export CATALINA_OPTS JAVA_OPTS

I get a warning about not loading the native libraries, but no warning
about the connector.

Here's the snippet from my server.xml.

<!-- Define an AJP 1.3 Connector on port 8019 -->
<Connector port="8019" protocol="AJP/1.3" redirectPort="8453"
       request.secret="somesillypassword"
       connectionTimeout="600000"
       URIEncoding="UTF-8"/>

I'll post the entire server.xml if people think it's appropriate, but
since it has clustering and farm deployment in it, it's a bit long.

Here's the relevant portion of my workers.properties file:

worker.template.type=ajp13
worker.template.host=192.168.0.254
worker.template.socket_connect_timeout=5000
worker.template.socket_keepalive=true
worker.template.ping_mode=A
worker.template.ping_timeout=10000
worker.template.connection_pool_minsize=0
worker.template.connection_pool_timeout=600
worker.template.reply_timeout=300000
worker.template.recovery_options=3

worker.deimos.reference=worker.template
worker.deimos.port=8019

worker.lb.type=lb
worker.lb.error_escalation_time=0
worker.lb.max_reply_timeouts=10
worker.lb.balance_workers=deimos,mars,phobos

# work around a security issue
worker.lb.secret=somesillypassword

Snippets from httpd.conf:

# uses default DocumentRoot
<VirtualHost *:80>
ServerName phoenix.mdeggers.org
ServerAlias phoenix
ServerAlias localhost.localdomain
ServerAlias localhost
JkMountFile /etc/httpd/conf.d/uriworkermap.properties
</VirtualHost>

And snippets from uriworkermap.properties

#
# RPets - a random pet generator / matcher / test application
#
/RPets=lb
/RPets/*=lb

Here's the really odd thing. Even with the native libraries loaded and
the warning message in catalina.out, the cluster works. I start up the
cluster and then go to http://localhost/RPets, and the
application works as expected.

If the warning is real and the attribute is discarded, I would expect
the application to be unavailable when the native libraries are loaded.

Is this just a spurious warning? I suspect that it is, because
otherwise the Apache HTTPD - Tomcat AJP (via mod_jk 1.2.32) shouldn't
work.

And yes I know, with Tomcat 6.0.35 the attribute is no longer
necessary.

I also tried this with Tomcat 6.0.29 and got the same results (and
there the attribute IS necessary to avoid a security issue).

Puzzled . . . .

/mde/


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message