Posted to users@tomcat.apache.org by Mark Eggers <it...@yahoo.com> on 2012/04/05 21:40:34 UTC
Connector warning message with native libraries
Folks:
I'm seeing a warning in my logs when I use request.secret for the AJP
connector when I load the APR native libraries. The warning is:
WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
Setting property 'request.secret' to 'somesillypassword' did not find a
matching property.
I'm running a three node Tomcat cluster for testing with the following
configuration:
OS: Fedora 15 32 bit
JVM: java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) Client VM (build 20.6-b01, mixed mode, sharing)
Tomcat: 6.0.35
Native: 1.1.22
APR: apr-util-devel-1.3.12-1.fc15.i686 (Fedora RPM)
SSL: openssl-devel-1.0.0g-1.fc15.i686 (Fedora RPM)
If I load the native libraries with the following setenv.sh
(CATALINA_BASE and CATALINA_HOME are set in a parent script):
#!/bin/bash
JMX_PORT=9004
CATALINA_OPTS="-Djava.library.path=$CATALINA_HOME/bin/libs \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=$JMX_PORT \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="-Dlog4j.home=$CATALINA_BASE/logs"
export CATALINA_OPTS JAVA_OPTS
I get the WARNING message above.
If I comment out the native libraries and run the following setenv.sh
script:
#!/bin/bash
JMX_PORT=9004
# CATALINA_OPTS="-Djava.library.path=$CATALINA_HOME/bin/libs \
CATALINA_OPTS="-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=$JMX_PORT \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="-Dlog4j.home=$CATALINA_BASE/logs"
export CATALINA_OPTS JAVA_OPTS
I get a warning about not loading the native libraries, but no warning
about the connector.
Here's the snippet from my server.xml.
<!-- Define an AJP 1.3 Connector on port 8019 -->
<Connector port="8019" protocol="AJP/1.3" redirectPort="8453"
request.secret="somesillypassword"
connectionTimeout="600000"
URIEncoding="UTF-8"/>
I'll post the entire server.xml if people think it's appropriate, but
since it has clustering and farm deployment in it, it's a bit long.
Here's the relevant portion of my workers.properties file:
worker.template.type=ajp13
worker.template.host=192.168.0.254
worker.template.socket_connect_timeout=5000
worker.template.socket_keepalive=true
worker.template.ping_mode=A
worker.template.ping_timeout=10000
worker.template.connection_pool_minsize=0
worker.template.connection_pool_timeout=600
worker.template.reply_timeout=300000
worker.template.recovery_options=3
worker.deimos.reference=worker.template
worker.deimos.port=8019
worker.lb.type=lb
worker.lb.error_escalation_time=0
worker.lb.max_reply_timeouts=10
worker.lb.balance_workers=deimos,mars,phobos
# work around a security issue
worker.lb.secret=somesillypassword
Snippets from httpd.conf:
# uses default DocumentRoot
<VirtualHost *:80>
ServerName phoenix.mdeggers.org
ServerAlias phoenix
ServerAlias localhost.localdomain
ServerAlias localhost
JkMountFile /etc/httpd/conf.d/uriworkermap.properties
</VirtualHost>
And snippets from uriworkermap.properties
#
# RPets - a random pet generator / matcher / test application
#
/RPets=lb
/RPets/*=lb
Here's the really odd thing. Even with the native libraries loaded and
the warning message in catalina.out, the cluster works. I start up the
cluster and then go to http://localhost/RPets, and the
application works as expected.
If the warning is real and the attribute is discarded, I would expect
the application to be unavailable when the native libraries are loaded.
Is this just a spurious warning? I suspect that it is, because
otherwise the Apache HTTPD - Tomcat AJP (via mod_jk 1.2.32) shouldn't
work.
And yes I know, with Tomcat 6.0.35 the attribute is no longer
necessary.
I also tried this with Tomcat 6.0.29 and got the same results (and
there the attribute IS necessary to avoid a security issue).
Puzzled . . . .
/mde/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Connector warning message with native libraries
Posted by Mark Eggers <it...@yahoo.com>.
Replying to my own question.
See ============= COMMENT ================
----- Original Message -----
> From: Mark Eggers <it...@yahoo.com>
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc:
> Sent: Thursday, April 5, 2012 12:40 PM
> Subject: Connector warning message with native libraries
>
> Folks:
>
> I'm seeing a warning in my logs when I use request.secret for the AJP
> connector when I load the APR native libraries. The warning is:
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'request.secret' to 'somesillypassword' did not find a
> matching property.
>
> I'm running a three node Tomcat cluster for testing with the following
> configuration:
>
> OS: Fedora 15 32 bit
> JVM: java version "1.6.0_31"
> Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
> Java HotSpot(TM) Client VM (build 20.6-b01, mixed mode, sharing)
> Tomcat: 6.0.35
> Native: 1.1.22
> APR: apr-util-devel-1.3.12-1.fc15.i686 (Fedora RPM)
> SSL: openssl-devel-1.0.0g-1.fc15.i686 (Fedora RPM)
>
> Here's the snippet from my server.xml.
>
> <!-- Define an AJP 1.3 Connector on port 8019 -->
> <Connector port="8019" protocol="AJP/1.3" redirectPort="8453"
> request.secret="somesillypassword"
> connectionTimeout="600000"
> URIEncoding="UTF-8"/>
>
============= COMMENT ================
It helps to read the fine javadoc for org.apache.coyote.ajp.AjpAprProtocol.
In there you will find a protected string called requiredSecret (much like Tomcat 7.x).
Indeed, changing request.secret to requiredSecret when loading the native libraries eliminates the warning.
However, a cursory glance at the online documentation didn't reveal any mention of this requirement for the AjpAprProtocol. It's not a problem for Tomcat 7.x obviously since this is the same attribute for both AprProtocol and AjpAprProtocol.
However, for Tomcat 6 this presents an issue.
So a note when loading the native libraries, using AjpAprProtocol, and Tomcat 6 with the "secret" attribute:
Change request.secret="somesillypassword" on the AJP/1.3 connector definition to requiredSecret="somesillypassword".
============= COMMENT ================
Sorry for the bandwidth.
. . . . just my two cents.
/mde/
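
Added example, not part of the original thread and not Tomcat code: a Python check for the mismatch described above, where a secret attribute the active AJP implementation does not recognise is dropped with only a log warning. The attribute-to-implementation mapping is taken from this thread; the function names and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Mapping as reported in this thread for Tomcat 6 (an assumption here):
# native libraries loaded (AjpAprProtocol) -> requiredSecret,
# native libraries not loaded -> request.secret produced no warning.
HONORED = {"apr": "requiredSecret", "non-apr": "request.secret"}
SECRET_ATTRS = set(HONORED.values())

WARNING = re.compile(
    r"\[SetAllPropertiesRule\]\{Server/Service/Connector\} "
    r"Setting property '([^']+)' to '([^']*)' did not find a matching property\."
)

def unmatched_properties(log_text):
    """Names of Connector attributes Tomcat logged as unmatched."""
    flat = " ".join(log_text.split())  # the warning may be wrapped over lines
    # The warning prints the attribute value too; it is deliberately dropped.
    return [name for name, _value in WARNING.findall(flat)]

def audit_ajp(server_xml, implementation):
    """Return {port: finding} for every AJP connector in server_xml."""
    expected = HONORED[implementation]
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP connectors carry no AJP secret
        present = SECRET_ATTRS & set(conn.attrib)
        if expected in present:
            findings[conn.get("port")] = "ok"
        elif present:
            findings[conn.get("port")] = "wrong name: use " + expected
        else:
            findings[conn.get("port")] = "no secret configured"
    return findings

# Constructed samples based on the snippets quoted in the thread.
SAMPLE_XML = """<Server><Service name="Catalina">
  <Connector port="8019" protocol="AJP/1.3" redirectPort="8453"
             request.secret="somesillypassword"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""
SAMPLE_LOG = """WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
Setting property 'request.secret' to 'somesillypassword' did not find a
matching property."""

if __name__ == "__main__":
    print(unmatched_properties(SAMPLE_LOG))
    print(audit_ajp(SAMPLE_XML, "apr"))
```

The warning line carries the secret value in clear text, so catalina.out needs the same access restrictions as server.xml whenever this warning has been logged.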