Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/12/18 10:53:09 UTC

[tomcat] branch 7.0.x updated: Deprecate the JmxRemoteLifecycleListener

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/7.0.x by this push:
     new 81fb6d6  Deprecate the JmxRemoteLifecycleListener
81fb6d6 is described below

commit 81fb6d66c60f3fa57dfd41c02d52f33c5eec9cae
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Dec 18 10:27:51 2019 +0000

    Deprecate the JmxRemoteLifecycleListener
---
 .../mbeans/JmxRemoteLifecycleListener.java         | 15 ++++-
 .../apache/catalina/mbeans/LocalStrings.properties |  1 +
 webapps/docs/changelog.xml                         |  6 ++
 webapps/docs/config/listeners.xml                  | 18 ++++++
 webapps/docs/monitoring.xml                        | 73 +++++++++++++---------
 5 files changed, 82 insertions(+), 31 deletions(-)

diff --git a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
index c81c4a9..12270ec 100644
--- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
+++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
@@ -61,7 +61,13 @@ import org.apache.tomcat.util.res.StringManager;
  * instance that is running behind a firewall. Only the ports are configured via
  * the listener. The remainder of the configuration is via the standard system
  * properties for configuring JMX.
+ *
+ * @deprecated The features provided by this listener are now available in the
+ *             remote JMX capability included with the JRE.
+ *             This listener will be removed in Tomcat 10 and may be removed
+ *             from Tomcat 7.0.x some time after 2020-12-31.
  */
+@Deprecated
 public class JmxRemoteLifecycleListener implements LifecycleListener {
 
     private static final Log log = LogFactory.getLog(JmxRemoteLifecycleListener.class);
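Review bot: The `@deprecated` tag added to the class Javadoc says the features now live in the JRE but never names the replacement, so a reader of the API docs has no migration path. Since the Javadoc above states that the listener only configures ports, the tag could point at the two system properties the updated monitoring page uses, for example `@deprecated Use the JRE's remote JMX support ({@code com.sun.management.jmxremote.port} and {@code com.sun.management.jmxremote.rmi.port}) instead.` followed by the existing removal schedule. The class body continues outside the hunk.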
@@ -203,9 +209,12 @@ public class JmxRemoteLifecycleListener implements LifecycleListener {
 
     @Override
     public void lifecycleEvent(LifecycleEvent event) {
-        // When the server starts, configure JMX/RMI
-        if (Lifecycle.START_EVENT.equals(event.getType())) {
-            // Configure using standard jmx system properties
+        if (Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
+            log.warn(sm.getString("jmxRemoteLifecycleListener.deprecated"));
+        } else  if (Lifecycle.START_EVENT.equals(event.getType())) {
+            // When the server starts, configure JMX/RMI
+
+            // Configure using standard JMX system properties
             init();
 
             // Prevent an attacker guessing the RMI object ID
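Review bot: The new branch line `} else  if (Lifecycle.START_EVENT.equals(event.getType())) {` has a doubled space between `else` and `if`, and the two comments moved inside it are now split by a blank line although they describe the same `init()` call. I would write `} else if (Lifecycle.START_EVENT.equals(event.getType())) {` and merge the comments into one, `// When the server starts, configure JMX/RMI using the standard JMX system properties`. The body of lifecycleEvent continues past the end of the hunk.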
diff --git a/java/org/apache/catalina/mbeans/LocalStrings.properties b/java/org/apache/catalina/mbeans/LocalStrings.properties
index b77cfec..e5d381f 100644
--- a/java/org/apache/catalina/mbeans/LocalStrings.properties
+++ b/java/org/apache/catalina/mbeans/LocalStrings.properties
@@ -15,6 +15,7 @@
 
 jmxRemoteLifecycleListener.createRegistryFailed=Unable to create the RMI registry for the [{0}] server using port [{1}]
 jmxRemoteLifecycleListener.createServerFailed=The JMX connector server could not be created or failed to start for the [{0}] server
+jmxRemoteLifecycleListener.deprecated=The JmxRemoteLifecycleListener is deprecated as as the features it provides are now available in the remote JMX capability included with the JRE. This listener will be removed in Tomcat 10 and may be removed from Tomcat 7 some time after 2020-12-31.
 jmxRemoteLifecycleListener.destroyServerFailed=The JMX connector server could not be stopped for the [{0}] server
 jmxRemoteLifecycleListener.invalidRmiBindAddress=Invalid RMI bind address [{0}]
 jmxRemoteLifecycleListener.invalidURL=The JMX Service URL requested for the [{0}] server, [{1}], was invalid
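Review bot: The added `jmxRemoteLifecycleListener.deprecated` message contains a duplicated word, "is deprecated as as the features", and it will appear verbatim in the log at every start-up. It also says "Tomcat 7" where the Javadoc and changelog in this commit say "Tomcat 7.0.x". I would change the text to `...is deprecated as the features it provides...` and `...may be removed from Tomcat 7.0.x some time after 2020-12-31.` so the three places agree.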
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 6a0d3fd..2a36496 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -77,6 +77,12 @@
         <bug>64008</bug>: Clarify/expand the Javadoc for the
         <code>Tomcat#addWebapp()</code> and related methods. (markt)
       </fix>
+      <scode>
+        Deprecate the <code>JmxRemoteLifecycleListener</code> as the features it
+        provides are now available in the remote JMX capability included with
+        the JRE. This listener will be removed in Tomcat 10 and may be removed
+        from Tomcat 7.0.x some time after 2020-12-31. (markt)
+      </scode>
     </changelog>
   </subsection>
 </section>
diff --git a/webapps/docs/config/listeners.xml b/webapps/docs/config/listeners.xml
index a62041e..6cf00dc 100644
--- a/webapps/docs/config/listeners.xml
+++ b/webapps/docs/config/listeners.xml
@@ -511,8 +511,26 @@
 
 <section name="Additional Implementations">
 
+  <subsection name="System property replacement - org.apache.catalina.util.SystemPropertyReplacerListener">
+
+    <p>This listener performs system property replacement using the property
+     source configured on the digester. When <code>${parameter}</code>
+     denoted parameters are found in the values of system properties,
+     the property source will be invoked to attempt to replace it.</p>
+
+  </subsection>
+
+</section>
+
+<section name="Deprecated Implementations">
+
   <subsection name="JMX Remote Lifecycle Listener - org.apache.catalina.mbeans.JmxRemoteLifecycleListener">
 
+    <p><strong>This listener is now deprecated as the features it provides are
+    now available in the remote JMX capability included with the JRE. This
+    listener will be removed in Tomcat 10 and may be removed from Tomcat 7 some
+    time after 2020-12-31.</strong></p>
+
     <p>This listener requires <code>catalina-jmx-remote.jar</code> to be placed
     in <code>$CATALINA_HOME/lib</code>. This jar may be found in the extras
     directory of the binary download area.</p>
diff --git a/webapps/docs/monitoring.xml b/webapps/docs/monitoring.xml
index 6f311f4..52de54e 100644
--- a/webapps/docs/monitoring.xml
+++ b/webapps/docs/monitoring.xml
@@ -47,59 +47,76 @@
     to monitor it locally, using the same user that Tomcat runs with.</p>
 
     <p>The Oracle website includes the list of options and how to configure
-    JMX Remote on Java 6:
-        <a href="http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html">
+    JMX Remote on Java 8:
+        <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html">
         http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.html</a>.
     </p>
-    <p>The following is a quick configuration guide for Java 6:</p>
+    <p>The following is a quick configuration guide for Java 8:</p>
     <p>Add the following parameters to <code>setenv.bat</code> script of your
     Tomcat (see <a href="RUNNING.txt">RUNNING.txt</a> for details).<br/>
     <em>Note:</em> This syntax is for Microsoft Windows. The command has
     to be on the same line. It is wrapped to be more readable. If Tomcat is
     running as a Windows service, use its configuration dialog to set
     java options for the service.
-    For un*xes remove <code>"set "</code> from beginning of the line.
+    For Linux, MacOS, etc, remove <code>"set "</code> from beginning of the
+    line.
     </p>
-<source>
-set CATALINA_OPTS=-Dcom.sun.management.jmxremote
-  -Dcom.sun.management.jmxremote.port=%my.jmx.port%
+<source><![CDATA[set CATALINA_OPTS=-Dcom.sun.management.jmxremote.port=%my.jmx.port%
+  -Dcom.sun.management.jmxremote.rmi.port=%my.rmi.port%
   -Dcom.sun.management.jmxremote.ssl=false
-  -Dcom.sun.management.jmxremote.authenticate=false
-</source>
+  -Dcom.sun.management.jmxremote.authenticate=false]]></source>
+<p>If you don't set <code>com.sun.management.jmxremote.rmi.port</code> then the
+JSR 160 JMX-Adaptor will select a port at random which will may it difficult to
+configure a firewall to allow access.</p>
 
+<p>If you require TLS:</p>
     <ol>
-    <li>If you require authorization, add and change this:
-<source>
-  -Dcom.sun.management.jmxremote.authenticate=true
+    <li>change and add this:
+<source><![CDATA[  -Dcom.sun.management.jmxremote.ssl=true
+  -Dcom.sun.management.jmxremote.registry.ssl=true
+]]></source></li>
+    <li>to configure the protocols and/or cipher suites use:
+<source><![CDATA[  -Dcom.sun.management.jmxremote.ssl.enabled.protocols=%my.jmx.ssl.protocols%
+  -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=%my.jmx.cipher.suites%
+]]></source></li>
+    <li>to client certificate authentication use:
+<source><![CDATA[  -Dcom.sun.management.jmxremote.ssl.need.client.auth=%my.jmx.ssl.clientauth%]]></source></li>
+    </ol>
+<p>If you require authorization (it is strongly recommended that TLS is always
+used with authentication):</p>
+    <ol>
+    <li>change and add this:
+<source><![CDATA[  -Dcom.sun.management.jmxremote.authenticate=true
   -Dcom.sun.management.jmxremote.password.file=../conf/jmxremote.password
-  -Dcom.sun.management.jmxremote.access.file=../conf/jmxremote.access
-</source>
+  -Dcom.sun.management.jmxremote.access.file=../conf/jmxremote.access]]></source>
     </li>
     <li>edit the access authorization file <em>$CATALINA_BASE/conf/jmxremote.access</em>:
-<source>
-monitorRole readonly
-controlRole readwrite
-</source>
+<source><![CDATA[monitorRole readonly
+controlRole readwrite]]></source>
     </li>
     <li>edit the password file <em>$CATALINA_BASE/conf/jmxremote.password</em>:
-<source>
-monitorRole tomcat
-controlRole tomcat
-</source>
+<source><![CDATA[monitorRole tomcat
+controlRole tomcat]]></source>
     <b>Tip</b>: The password file should be read-only and only accessible by the
     operating system user Tomcat is running as.
     </li>
+    <li>Alterantively, you can configure a JAAS login module with:
+<source><![CDATA[  -Dcom.sun.management.jmxremote.login.config=%login.module.name%]]></source></li>
     </ol>
-    <p><strong>Note:</strong> The JSR 160 JMX-Adaptor opens a second data channel
-    on a random port. That is a problem when you have a local firewall installed.
-    To fix it, configure a <code>JmxRemoteLifecycleListener</code>, as described
-    in <a href="config/listeners.html">listeners</a> documentation.
-    </p>
+
+<p>If you need to specify a host name to be used in the RMI stubs sent to the
+client (e.g. because the public host name that must be used to connect is not
+the same as the local host name) then you can set:</p>
+<source><![CDATA[set CATALINA_OPTS=-Djava.rmi.server.hostname]]></source>
+
+<p>If you need to specify a specific interface for the JMX service to bind to
+then you can set:</p>
+<source><![CDATA[set CATALINA_OPTS=-Dcom.sun.management.jmxremote.host]]></source>
 
   </section>
 
   <section name="Manage Tomcat with JMX remote Ant Tasks">
-   <p>To simplify JMX usage with Ant 1.6.x, a set of tasks is provided that may
+   <p>To simplify JMX usage with Ant, a set of tasks is provided that may
    be used with antlib.</p>
    <p><b>antlib</b>: Copy your catalina-ant.jar from $CATALINA_HOME/lib to $ANT_HOME/lib.</p>
    <p>The following example shows the JMX Accessor usage:<br/>

