You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by co...@eng.sun.com on 2000/02/23 20:22:58 UTC

Re: Anybody can shutdown Tomcat 3.1M1?

Same is true for 3.0 or before - just make an RMI connection and the
right call.

Use the firewall... It is easy to add back the "secret" for ajp
connection, but it will make installing much more difficult.

( since we have authentication we will try to stop it through the admin
 interface and an authenticated HTTP call, but it's not a big priority )

Costin  

> import java.net.*;
> import java.io.*;
> 
> public class stop {
>         public static void main(String args[]) {
>                 try {
>                     Socket socket = new Socket(args[0],
> Integer.valueOf(args[1]).intValue());
>                     OutputStream os=socket.getOutputStream();
>                     byte stopMessage[]=new byte[2];
>                     stopMessage[0]=(byte)254;
>                     stopMessage[1]=(byte)15;
>                     os.write( stopMessage );
>                     socket.close();
>                 } catch(Exception ex ) {
>                     ex.printStackTrace();
>                 }
>         }
> 
> }
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>

Re: Anybody can shutdown Tomcat 3.1M1?

Posted by Gary Yang <yg...@yahoo.com>.

"Kevin A. Burton" wrote:

> costin@eng.sun.com wrote:
> >
> > Same is true for 3.0 or before - just make an RMI connection and the
> > right call.
> >
> > Use the firewall... It is easy to add back the "secret" for ajp
> > connection, but it will make installing much more difficult.
> >
> > ( since we have authentication we will try to stop it through the admin
> >  interface and an authenticated HTTP call, but it's not a big priority )
> <snip>
>
> Why not just allow localhost to shut down Tomcat instead of just
> anyone....
> --
> Kevin A Burton
> http://relativity.yi.org
> Linux - The revolution will NOT be televised
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

I've written a temporary patch:
replace line 312-322 of
src/share/org/apache/tomcat/service/connector/Ajp12ConnectionHandler.java
from
                        if ( signal== 15 ) {
                            // Shutdown - probably apache was stoped with
apachectl stop
                            contextM.stop();
                            // same behavior as in past, because it seems
that
                            // stopping everything doesn't work - need to
figure
                            // out what happens with the threads ( XXX )
                            System.exit(0);

                            shutdown=true;
                            return;
                        }
to

                        if ( signal== 15 ) {
                            if
(socket.getInetAddress().equals(InetAddress.getLocalHost())) {
                                // Shutdown - probably apache was stoped with

apachectl stop
                                contextM.stop();
                                // same behavior as in past, because it seems

that
                                // stopping everything doesn't work - need to

figure
                                // out what happens with the threads ( XXX )
                                System.exit(0);

                                shutdown=true;
                            }
                            return;
                        }

But I think it will be better if we can define which IP(s) can shutdown the
server in conf/server.xml.

Re: Anybody can shutdown Tomcat 3.1M1?

Posted by co...@eng.sun.com.

> > ( since we have authentication we will try to stop it through the admin
> >  interface and an authenticated HTTP call, but it's not a big priority )
> <snip>
> 
> Why not just allow localhost to shut down Tomcat instead of just
> anyone....

Time and priority. I don't think it's so bad, we have few workarounds and
the code will change. We even know few solutions.

If you have time to explore this problem - any bug fix is good.

Costin

Re: Anybody can shutdown Tomcat 3.1M1?

Posted by "Kevin A. Burton" <bu...@relativity.yi.org>.

costin@eng.sun.com wrote:
> 
> Same is true for 3.0 or before - just make an RMI connection and the
> right call.
> 
> Use the firewall... It is easy to add back the "secret" for ajp
> connection, but it will make installing much more difficult.
> 
> ( since we have authentication we will try to stop it through the admin
>  interface and an authenticated HTTP call, but it's not a big priority )
<snip>

Why not just allow localhost to shut down Tomcat instead of just
anyone....
-- 
Kevin A Burton
http://relativity.yi.org
Linux - The revolution will NOT be televised