Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/02/05 12:30:29 UTC

[tomcat] branch 7.0.x updated: Change the default bind address for AJP to the loopback address

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new 0d633e7  Change the default bind address for AJP to the loopback address
0d633e7 is described below

commit 0d633e72ebc7b3c242d0081c23bba5e4dacd9b72
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Tue Jan 21 13:02:13 2020 +0000

    Change the default bind address for AJP to the loopback address
---
 java/org/apache/coyote/ajp/AjpAprProtocol.java     |  2 ++
 java/org/apache/coyote/ajp/AjpNioProtocol.java     |  2 ++
 java/org/apache/coyote/ajp/AjpProtocol.java        |  2 ++
 java/org/apache/tomcat/util/compat/Jre7Compat.java | 19 +++++++++++++++
 java/org/apache/tomcat/util/compat/JreCompat.java  | 28 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  4 ++++
 webapps/docs/config/ajp.xml                        |  5 +---
 7 files changed, 58 insertions(+), 4 deletions(-)

diff --git a/java/org/apache/coyote/ajp/AjpAprProtocol.java b/java/org/apache/coyote/ajp/AjpAprProtocol.java
index 7b4a825..418d2ca 100644
--- a/java/org/apache/coyote/ajp/AjpAprProtocol.java
+++ b/java/org/apache/coyote/ajp/AjpAprProtocol.java
@@ -20,6 +20,7 @@ import org.apache.coyote.AbstractProtocol;
 import org.apache.coyote.Processor;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.AprEndpoint;
 import org.apache.tomcat.util.net.AprEndpoint.Handler;
@@ -61,6 +62,7 @@ public class AjpAprProtocol extends AbstractAjpProtocol<Long> {
 
     public AjpAprProtocol() {
         endpoint = new AprEndpoint();
+        endpoint.setAddress(JreCompat.getInstance().getLoopbackAddress());
         cHandler = new AjpConnectionHandler(this);
         ((AprEndpoint) endpoint).setHandler(cHandler);
         setSoLinger(Constants.DEFAULT_CONNECTION_LINGER);
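Review bot: The `endpoint.setAddress(...)` line added to the constructor has no comment saying that it replaces the previous listen-on-all-addresses default, so a reader cannot tell this is a deliberate reduction in exposure and not an arbitrary initial value. I would add `// Default to the loopback address so AJP is not reachable from other hosts unless 'address' is configured explicitly` above it; the same applies to the identical lines added in AjpNioProtocol and AjpProtocol. Deployments that relied on the old default with a front-end proxy on another host will stop receiving AJP connections after upgrading until they set `address`, which is worth stating in the upgrade notes. The constructor body continues outside the hunk.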
diff --git a/java/org/apache/coyote/ajp/AjpNioProtocol.java b/java/org/apache/coyote/ajp/AjpNioProtocol.java
index 741cb22..8668323 100644
--- a/java/org/apache/coyote/ajp/AjpNioProtocol.java
+++ b/java/org/apache/coyote/ajp/AjpNioProtocol.java
@@ -23,6 +23,7 @@ import org.apache.coyote.AbstractProtocol;
 import org.apache.coyote.Processor;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.NioChannel;
 import org.apache.tomcat.util.net.NioEndpoint;
@@ -56,6 +57,7 @@ public class AjpNioProtocol extends AbstractAjpProtocol<NioChannel> {
 
     public AjpNioProtocol() {
         endpoint = new NioEndpoint();
+        endpoint.setAddress(JreCompat.getInstance().getLoopbackAddress());
         cHandler = new AjpConnectionHandler(this);
         ((NioEndpoint) endpoint).setHandler(cHandler);
         setSoLinger(Constants.DEFAULT_CONNECTION_LINGER);
diff --git a/java/org/apache/coyote/ajp/AjpProtocol.java b/java/org/apache/coyote/ajp/AjpProtocol.java
index 50f6f58..69c24eb 100644
--- a/java/org/apache/coyote/ajp/AjpProtocol.java
+++ b/java/org/apache/coyote/ajp/AjpProtocol.java
@@ -22,6 +22,7 @@ import org.apache.coyote.AbstractProtocol;
 import org.apache.coyote.Processor;
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.compat.JreCompat;
 import org.apache.tomcat.util.net.AbstractEndpoint;
 import org.apache.tomcat.util.net.JIoEndpoint;
 import org.apache.tomcat.util.net.JIoEndpoint.Handler;
@@ -57,6 +58,7 @@ public class AjpProtocol extends AbstractAjpProtocol<Socket> {
 
     public AjpProtocol() {
         endpoint = new JIoEndpoint();
+        endpoint.setAddress(JreCompat.getInstance().getLoopbackAddress());
         cHandler = new AjpConnectionHandler(this);
         ((JIoEndpoint) endpoint).setHandler(cHandler);
         setSoLinger(Constants.DEFAULT_CONNECTION_LINGER);
diff --git a/java/org/apache/tomcat/util/compat/Jre7Compat.java b/java/org/apache/tomcat/util/compat/Jre7Compat.java
index 43513a9..d469f48 100644
--- a/java/org/apache/tomcat/util/compat/Jre7Compat.java
+++ b/java/org/apache/tomcat/util/compat/Jre7Compat.java
@@ -20,6 +20,7 @@ import java.io.OutputStream;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
+import java.net.InetAddress;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
@@ -56,6 +57,7 @@ class Jre7Compat extends JreCompat {
     private static final Method resultSetGetObjectName;
     private static final Method statementCloseOnCompletion;
     private static final Method statementIsCloseOnCompletion;
+    private static final Method getLoopbackAddress;
 
     static {
         Method m1 = null;
@@ -72,6 +74,7 @@ class Jre7Compat extends JreCompat {
         Method m12 = null;
         Method m13 = null;
         Method m14 = null;
+        Method m15 = null;
         Constructor<GZIPOutputStream> c = null;
         try {
             // Order is important for the error handling below.
@@ -91,6 +94,7 @@ class Jre7Compat extends JreCompat {
             m12 = ResultSet.class.getMethod("getObject", String.class, Class.class);
             m13 = Statement.class.getMethod("closeOnCompletion");
             m14 = Statement.class.getMethod("isCloseOnCompletion");
+            m15 = InetAddress.class.getMethod("getLoopbackAddress");
         } catch (SecurityException e) {
             // Should never happen
             log.error(sm.getString("jre7Compat.unexpected"), e);
@@ -118,6 +122,7 @@ class Jre7Compat extends JreCompat {
         resultSetGetObjectName = m12;
         statementCloseOnCompletion = m13;
         statementIsCloseOnCompletion = m14;
+        getLoopbackAddress = m15;
     }
 
 
@@ -353,6 +358,20 @@ class Jre7Compat extends JreCompat {
     }
 
 
+    @Override
+    public InetAddress getLoopbackAddress() {
+        try {
+            return (InetAddress) getLoopbackAddress.invoke(null);
+        } catch (IllegalArgumentException e) {
+            throw new UnsupportedOperationException(e);
+       } catch (IllegalAccessException e) {
+           throw new UnsupportedOperationException(e);
+        } catch (InvocationTargetException e) {
+            throw new UnsupportedOperationException(e);
+        }
+    }
+
+
     // Java 9 methods
 
     @Override
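Review bot: The `IllegalAccessException` catch in the new `getLoopbackAddress()` is indented one column short of the catch blocks on either side, so those two lines should be re-indented to 8 and 12 spaces to match the rest of the method. The method also has no comment saying why reflection is needed; something like `// InetAddress.getLoopbackAddress() only exists from Java 7, so it is looked up reflectively in the static initialiser` above the `invoke` call would save the next reader a search. If the static initialiser, most of which lies outside these hunks, can leave the `getLoopbackAddress` field null, `invoke` would fail with a NullPointerException and not the UnsupportedOperationException the catch blocks produce. It is worth confirming that the class is only instantiated when the lookup succeeded.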
diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java b/java/org/apache/tomcat/util/compat/JreCompat.java
index b3ba44f..e7a3b4f 100644
--- a/java/org/apache/tomcat/util/compat/JreCompat.java
+++ b/java/org/apache/tomcat/util/compat/JreCompat.java
@@ -21,8 +21,10 @@ import java.io.IOException;
 import java.io.OutputStream;
 import java.lang.reflect.AccessibleObject;
 import java.lang.reflect.Method;
+import java.net.InetAddress;
 import java.net.URL;
 import java.net.URLConnection;
+import java.net.UnknownHostException;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
@@ -232,6 +234,32 @@ public class JreCompat {
     }
 
 
+    public InetAddress getLoopbackAddress() {
+        // Javadoc for getByName() states that calling with null will return one
+        // of the loopback addresses
+        InetAddress result = null;
+        try {
+            result = InetAddress.getByName(null);
+        } catch (UnknownHostException e) {
+            // This would be unusual but ignore it in this case.
+        }
+        if (result == null) {
+            // Fallback to default IPv4 loopback address.
+            // Not perfect but good enough and if the address is not valid the
+            // bind will fail later with an appropriate error message
+            try {
+                result = InetAddress.getByName("127.0.0.1");
+            } catch (UnknownHostException e) {
+                // Unreachable.
+                // For text representations of IP addresses only the format is
+                // checked.
+            }
+        }
+
+        return result;
+    }
+
+
     // Java 6 implementation of Java 8 methods
 
     public static boolean isJre8Available() {
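Review bot: If the fallback `InetAddress.getByName("127.0.0.1")` were ever to throw, the comment-only catch leaves `result` null and the method returns null, which the three AJP protocol constructors pass unchecked to `endpoint.setAddress(...)`. How the endpoint treats a null address is not visible in this diff, but if it means "no address configured", that path would presumably restore the old all-addresses bind described in the removed ajp.xml text. Since the branch is documented as unreachable, replacing the empty catch body with `throw new IllegalStateException(e);` costs nothing and guarantees a non-null result. The method is also public with no Javadoc; a short one stating that it returns the address from `getByName(null)`, with the IPv4 literal as fallback, would document the contract for callers.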
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 584867a..6760df4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -143,6 +143,10 @@
         Disable (comment out in server.xml) the AJP/1.3 connector by default.
         (markt)
       </update>
+      <update>
+        Change the default bind address for the AJP/1.3 connector to be the
+        loopback address. (markt)
+      </update>
     </changelog>
   </subsection>
   <subsection name="Jasper">
diff --git a/webapps/docs/config/ajp.xml b/webapps/docs/config/ajp.xml
index d0ba75b..90ed2c5 100644
--- a/webapps/docs/config/ajp.xml
+++ b/webapps/docs/config/ajp.xml
@@ -306,10 +306,7 @@
     <attribute name="address" required="false">
       <p>For servers with more than one IP address, this attribute
       specifies which address will be used for listening on the specified
-      port.  By default, this port will be used on all IP addresses
-      associated with the server. A value of <code>127.0.0.1</code>
-      indicates that the Connector will only listen on the loopback
-      interface.</p>
+      port. By default, the loopback address will be used.</p>
     </attribute>
 
     <attribute name="bindOnInit" required="false">




Re: [tomcat] branch 7.0.x updated: Change the default bind address for AJP to the loopback address

Posted by Mark Thomas <ma...@apache.org>.
On 05/02/2020 13:03, Michael Osipov wrote:
> Am 2020-02-05 um 13:30 schrieb markt@apache.org:
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> markt pushed a commit to branch 7.0.x
>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>
>>
>> The following commit(s) were added to refs/heads/7.0.x by this push:
>>       new 0d633e7  Change the default bind address for AJP to the
>> loopback address
>> 0d633e7 is described below
>>
>> commit 0d633e72ebc7b3c242d0081c23bba5e4dacd9b72
>> Author: Mark Thomas <ma...@apache.org>
>> AuthorDate: Tue Jan 21 13:02:13 2020 +0000
>>
>>      Change the default bind address for AJP to the loopback address

<snip/>

>>     +    public InetAddress getLoopbackAddress() {
>> +        // Javadoc for getByName() states that calling with null will
>> return one
>> +        // of the loopback addresses
>> +        InetAddress result = null;
>> +        try {
>> +            result = InetAddress.getByName(null);
>> +        } catch (UnknownHostException e) {
>> +            // This would be unusual but ignore it in this case.
>> +        }
>> +        if (result == null) {
>> +            // Fallback to default IPv4 loopback address.
>> +            // Not perfect but good enough and if the address is not
>> valid the
>> +            // bind will fail later with an appropriate error message
>> +            try {
>> +                result = InetAddress.getByName("127.0.0.1");
> 
> This is wrong. localhost is not always 127.0.0.1. I have hosts where lo1
> is cloned with 127.0.0/29 and not local IPs are passed into Jails.

The code was designed with that in mind.

As the comments state, it isn't perfect but it is a fall-back for a
state that should happen rarely / not at all.

It is preferable to use "127.0.0.1" and have the Connector fail than
the other options, which are:

- fail immediately as that would prevent the user specifying an
  alternative value for address; or

- have the Connector come up listening on all addresses.

Mark



Re: [tomcat] branch 7.0.x updated: Change the default bind address for AJP to the loopback address

Posted by Michael Osipov <mi...@apache.org>.
Am 2020-02-05 um 13:30 schrieb markt@apache.org:
> This is an automated email from the ASF dual-hosted git repository.
> 
> markt pushed a commit to branch 7.0.x
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> 
> 
> The following commit(s) were added to refs/heads/7.0.x by this push:
>       new 0d633e7  Change the default bind address for AJP to the loopback address
> 0d633e7 is described below
> 
> commit 0d633e72ebc7b3c242d0081c23bba5e4dacd9b72
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Tue Jan 21 13:02:13 2020 +0000
> 
>      Change the default bind address for AJP to the loopback address
> ---
>   java/org/apache/coyote/ajp/AjpAprProtocol.java     |  2 ++
>   java/org/apache/coyote/ajp/AjpNioProtocol.java     |  2 ++
>   java/org/apache/coyote/ajp/AjpProtocol.java        |  2 ++
>   java/org/apache/tomcat/util/compat/Jre7Compat.java | 19 +++++++++++++++
>   java/org/apache/tomcat/util/compat/JreCompat.java  | 28 ++++++++++++++++++++++
>   webapps/docs/changelog.xml                         |  4 ++++
>   webapps/docs/config/ajp.xml                        |  5 +---
>   7 files changed, 58 insertions(+), 4 deletions(-)
> 
> diff --git a/java/org/apache/coyote/ajp/AjpAprProtocol.java b/java/org/apache/coyote/ajp/AjpAprProtocol.java
> index 7b4a825..418d2ca 100644
> --- a/java/org/apache/coyote/ajp/AjpAprProtocol.java
> +++ b/java/org/apache/coyote/ajp/AjpAprProtocol.java
> @@ -20,6 +20,7 @@ import org.apache.coyote.AbstractProtocol;
>   import org.apache.coyote.Processor;
>   import org.apache.juli.logging.Log;
>   import org.apache.juli.logging.LogFactory;
> +import org.apache.tomcat.util.compat.JreCompat;
>   import org.apache.tomcat.util.net.AbstractEndpoint;
>   import org.apache.tomcat.util.net.AprEndpoint;
>   import org.apache.tomcat.util.net.AprEndpoint.Handler;
> @@ -61,6 +62,7 @@ public class AjpAprProtocol extends AbstractAjpProtocol<Long> {
>   
>       public AjpAprProtocol() {
>           endpoint = new AprEndpoint();
> +        endpoint.setAddress(JreCompat.getInstance().getLoopbackAddress());
>           cHandler = new AjpConnectionHandler(this);
>           ((AprEndpoint) endpoint).setHandler(cHandler);
>           setSoLinger(Constants.DEFAULT_CONNECTION_LINGER);
> diff --git a/java/org/apache/coyote/ajp/AjpNioProtocol.java b/java/org/apache/coyote/ajp/AjpNioProtocol.java
> index 741cb22..8668323 100644
> --- a/java/org/apache/coyote/ajp/AjpNioProtocol.java
> +++ b/java/org/apache/coyote/ajp/AjpNioProtocol.java
> @@ -23,6 +23,7 @@ import org.apache.coyote.AbstractProtocol;
>   import org.apache.coyote.Processor;
>   import org.apache.juli.logging.Log;
>   import org.apache.juli.logging.LogFactory;
> +import org.apache.tomcat.util.compat.JreCompat;
>   import org.apache.tomcat.util.net.AbstractEndpoint;
>   import org.apache.tomcat.util.net.NioChannel;
>   import org.apache.tomcat.util.net.NioEndpoint;
> @@ -56,6 +57,7 @@ public class AjpNioProtocol extends AbstractAjpProtocol<NioChannel> {
>   
>       public AjpNioProtocol() {
>           endpoint = new NioEndpoint();
> +        endpoint.setAddress(JreCompat.getInstance().getLoopbackAddress());
>           cHandler = new AjpConnectionHandler(this);
>           ((NioEndpoint) endpoint).setHandler(cHandler);
>           setSoLinger(Constants.DEFAULT_CONNECTION_LINGER);
> diff --git a/java/org/apache/coyote/ajp/AjpProtocol.java b/java/org/apache/coyote/ajp/AjpProtocol.java
> index 50f6f58..69c24eb 100644
> --- a/java/org/apache/coyote/ajp/AjpProtocol.java
> +++ b/java/org/apache/coyote/ajp/AjpProtocol.java
> @@ -22,6 +22,7 @@ import org.apache.coyote.AbstractProtocol;
>   import org.apache.coyote.Processor;
>   import org.apache.juli.logging.Log;
>   import org.apache.juli.logging.LogFactory;
> +import org.apache.tomcat.util.compat.JreCompat;
>   import org.apache.tomcat.util.net.AbstractEndpoint;
>   import org.apache.tomcat.util.net.JIoEndpoint;
>   import org.apache.tomcat.util.net.JIoEndpoint.Handler;
> @@ -57,6 +58,7 @@ public class AjpProtocol extends AbstractAjpProtocol<Socket> {
>   
>       public AjpProtocol() {
>           endpoint = new JIoEndpoint();
> +        endpoint.setAddress(JreCompat.getInstance().getLoopbackAddress());
>           cHandler = new AjpConnectionHandler(this);
>           ((JIoEndpoint) endpoint).setHandler(cHandler);
>           setSoLinger(Constants.DEFAULT_CONNECTION_LINGER);
> diff --git a/java/org/apache/tomcat/util/compat/Jre7Compat.java b/java/org/apache/tomcat/util/compat/Jre7Compat.java
> index 43513a9..d469f48 100644
> --- a/java/org/apache/tomcat/util/compat/Jre7Compat.java
> +++ b/java/org/apache/tomcat/util/compat/Jre7Compat.java
> @@ -20,6 +20,7 @@ import java.io.OutputStream;
>   import java.lang.reflect.Constructor;
>   import java.lang.reflect.InvocationTargetException;
>   import java.lang.reflect.Method;
> +import java.net.InetAddress;
>   import java.sql.CallableStatement;
>   import java.sql.Connection;
>   import java.sql.DatabaseMetaData;
> @@ -56,6 +57,7 @@ class Jre7Compat extends JreCompat {
>       private static final Method resultSetGetObjectName;
>       private static final Method statementCloseOnCompletion;
>       private static final Method statementIsCloseOnCompletion;
> +    private static final Method getLoopbackAddress;
>   
>       static {
>           Method m1 = null;
> @@ -72,6 +74,7 @@ class Jre7Compat extends JreCompat {
>           Method m12 = null;
>           Method m13 = null;
>           Method m14 = null;
> +        Method m15 = null;
>           Constructor<GZIPOutputStream> c = null;
>           try {
>               // Order is important for the error handling below.
> @@ -91,6 +94,7 @@ class Jre7Compat extends JreCompat {
>               m12 = ResultSet.class.getMethod("getObject", String.class, Class.class);
>               m13 = Statement.class.getMethod("closeOnCompletion");
>               m14 = Statement.class.getMethod("isCloseOnCompletion");
> +            m15 = InetAddress.class.getMethod("getLoopbackAddress");
>           } catch (SecurityException e) {
>               // Should never happen
>               log.error(sm.getString("jre7Compat.unexpected"), e);
> @@ -118,6 +122,7 @@ class Jre7Compat extends JreCompat {
>           resultSetGetObjectName = m12;
>           statementCloseOnCompletion = m13;
>           statementIsCloseOnCompletion = m14;
> +        getLoopbackAddress = m15;
>       }
>   
>   
> @@ -353,6 +358,20 @@ class Jre7Compat extends JreCompat {
>       }
>   
>   
> +    @Override
> +    public InetAddress getLoopbackAddress() {
> +        try {
> +            return (InetAddress) getLoopbackAddress.invoke(null);
> +        } catch (IllegalArgumentException e) {
> +            throw new UnsupportedOperationException(e);
> +       } catch (IllegalAccessException e) {
> +           throw new UnsupportedOperationException(e);
> +        } catch (InvocationTargetException e) {
> +            throw new UnsupportedOperationException(e);
> +        }
> +    }
> +
> +
>       // Java 9 methods
>   
>       @Override
> diff --git a/java/org/apache/tomcat/util/compat/JreCompat.java b/java/org/apache/tomcat/util/compat/JreCompat.java
> index b3ba44f..e7a3b4f 100644
> --- a/java/org/apache/tomcat/util/compat/JreCompat.java
> +++ b/java/org/apache/tomcat/util/compat/JreCompat.java
> @@ -21,8 +21,10 @@ import java.io.IOException;
>   import java.io.OutputStream;
>   import java.lang.reflect.AccessibleObject;
>   import java.lang.reflect.Method;
> +import java.net.InetAddress;
>   import java.net.URL;
>   import java.net.URLConnection;
> +import java.net.UnknownHostException;
>   import java.sql.CallableStatement;
>   import java.sql.Connection;
>   import java.sql.DatabaseMetaData;
> @@ -232,6 +234,32 @@ public class JreCompat {
>       }
>   
>   
> +    public InetAddress getLoopbackAddress() {
> +        // Javadoc for getByName() states that calling with null will return one
> +        // of the loopback addresses
> +        InetAddress result = null;
> +        try {
> +            result = InetAddress.getByName(null);
> +        } catch (UnknownHostException e) {
> +            // This would be unusual but ignore it in this case.
> +        }
> +        if (result == null) {
> +            // Fallback to default IPv4 loopback address.
> +            // Not perfect but good enough and if the address is not valid the
> +            // bind will fail later with an appropriate error message
> +            try {
> +                result = InetAddress.getByName("127.0.0.1");

This is wrong. localhost is not always 127.0.0.1. I have hosts where lo1 
is cloned with 127.0.0/29 and not local IPs are passed into Jails.
