Fu-Tung,

Fu-Tung Cheng wrote:
> I have different instances of tomcat running on different ports of
> the same machine.  The processes are running as different users.  In
> this case could a user different than the one who launched the
> process connect to the tomcat shutdown port and cause the other
> instance to shutdown?

Yes, users other than the one who started the process could shut down
Tomcat.

> How do I restrict this to only the user who launched the tomcat
> process?

As Andre points out, there is no way to restrict TCP/IP ports to certain
users. You do, however, have other options:

1. Change the "shutdown" attribute of the <Server> element in
server.xml to something other than "SHUTDOWN". For instance, if you set
it to "mySUPERsecretPASSWORD", then the user trying to shut down your
Tomcat would have to know that particular command string in order to
successfully shut down Tomcat. Making server.xml readable only by the
user should prevent anyone from discovering the shutdown command string.

See http://tomcat.apache.org/tomcat-6.0-doc/config/server.html for details.

2. I have heard that by using jsvc, you can shut down Tomcat without
having to use the shutdown port /at all/. You can disable the shutdown
port entirely and simply use jsvc to start/stop your server. I'm not
sure of the specifics, but I would bet that jsvc has tighter controls
over who can send SHUTDOWN requests to a running Tomcat instance.

Hope that helps,
-chris

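An added example, not part of the message above and not Tomcat's own code: a small check for option 1 that reports whether a server.xml still uses the stock "SHUTDOWN" command string and whether the file is accessible to anyone other than its owner. The function names, finding labels and sample file contents are constructed for illustration, and a missing "shutdown" attribute is assumed to mean the stock value.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_COMMAND = "SHUTDOWN"  # the stock command string named in the message


def audit_shutdown_config(path):
    """Return a list of findings about the shutdown command in a server.xml."""
    findings = []
    server = ET.parse(path).getroot()  # <Server> is the document root
    if server.tag != "Server":
        raise ValueError("root element is <%s>, expected <Server>" % server.tag)

    # Assumption: an absent attribute is treated like the stock value.
    command = server.get("shutdown", DEFAULT_COMMAND)
    if command == DEFAULT_COMMAND:
        findings.append("default-command")

    # Any group/other permission bit means the file is not owner-only,
    # so a custom command string could be read by other local users.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("group-or-other-access")
    return findings


def write_sample(command, mode):
    """Write a constructed server.xml with the given command string and mode."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write('<Server port="8005" shutdown="%s">'
                 '<Service name="Catalina"/></Server>' % command)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed inputs: a stock config and a hardened one.
    for command, mode in [("SHUTDOWN", 0o644),
                          ("constructed-example-string", 0o600)]:
        sample = write_sample(command, mode)
        print(command, oct(mode), audit_shutdown_config(sample))
        os.remove(sample)
```
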