tomcat xinetd
Hi all,

I'm using Tomcat 4.1 with Axis on a RH9 to develop a simple web service, and I'm trying to improve security starting Tomcat with xinetd supervision. I set up my xinetd.conf like this:

    #
    # Simple configuration file for xinetd
    #
    # Some defaults, and include /etc/xinetd.d/
    defaults
    {
        instances = 15
        log_type = FILE /var/log/servicelog 100K 200K
        log_on_success = HOST PID USERID DURATION EXIT
        log_on_failure = HOST USERID
        cps = 25 30
        only_from = localhost
        per_source = 5
        disabled = servers services xadmin
    }
    includedir /etc/xinetd.d

but I'd still need a bit of information: how do I set up my tomcat service? I've decided to not use the port redirection, and use only my local net to start. Moreover I have assigned $CATALINA_HOME directory to my personal account, so my tomcat file in xinetd.d directory results:

    service tomcat
    {
        socket_type = stream
        protocol = tcp
        user = root
        wait = no
        port = 8080
        server = /usr/local/jakarta-tomcat-4.1.30/bin/startup.sh
        disable = no
        access_time = 9:00-20:00
        #only_from = my remote address
        only_from = 127.0.0.1
    }

There could be a problem because when I restart xinetd Tomcat doesn't start (It starts well by hand). Maybe the problem is in the server specification? I've searched the net for help about tomcat xinetd but I didn't find anything, so I wonder if u could just tell me something.

Many thanks
Gianni Pucciani

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat xinetd
On Thu, Apr 01, 2004 at 11:37:29PM +0200, Gianni Pucciani wrote:
: I'm using Tomcat 4.1 with Axis on a RH9 to develop a simple web service,
: and I'm trying to improve security starting Tomcat with xinetd supervision.
: [snip]
: I've searched the net for help about tomcat xinetd but I didn't find
: anything, so I wonder if u could just tell me something.

xinetd works by listening on a given port, then firing up the specified service when a request comes in on that port. Are you sure this is what you want?

Even if this were to work, you'd end up starting a new Tomcat server for each connection. =)

What about using a firewall, and/or some of the access-control valves (I forget the exact names, but they let you limit access based on incoming IP, etc.)

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
RE: tomcat xinetd
Not true.

You also can use xinetd to redirect requests to one port to another port where tomcat is running:

http://www-106.ibm.com/developerworks/linux/library/l-secjav.html

-Original Message-
From: QM [mailto:[EMAIL PROTECTED]
Sent: Friday, April 02, 2004 12:43 AM
To: Tomcat Users List
Subject: Re: tomcat xinetd

xinetd works by listening on a given port, then firing up the specified service when a request comes in on that port.

snip/

Even if this were to work, you'd end up starting a new Tomcat server for each connection. =)
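The port redirection described in the message above, as an added example that is not part of the original thread or of the linked article: an xinetd service entry that forwards connections to a Tomcat instance already running as its own daemon, so no new server is started per connection. The file name, service name, addresses, front port and the unprivileged account are assumptions.

```conf
# /etc/xinetd.d/tomcat-redirect  (hypothetical file and service name)
#
# Assumes Tomcat is started separately (init script or by hand) and is
# listening on 127.0.0.1:8080. xinetd only accepts, filters and forwards.
service tomcat-redirect
{
    # The service name is not in /etc/services, so declare it unlisted
    # and give the port explicitly.
    type         = UNLISTED
    socket_type  = stream
    protocol     = tcp
    wait         = no

    # Assumed unprivileged account for the forwarding process.
    user         = nobody

    # Constructed LAN address of this host and assumed front port.
    bind         = 192.168.1.10
    port         = 80

    # Forward to the running Tomcat. This takes the place of "server =",
    # so startup.sh is never launched by xinetd.
    redirect     = 127.0.0.1 8080

    # Constructed access policy: local network only, office hours only.
    # The attribute name xinetd accepts is access_times.
    only_from    = 192.168.1.0/24
    access_times = 9:00-20:00
    per_source   = 5

    disable      = no
}
```

The filter is only effective if Tomcat's own connector accepts connections from the loopback address alone; if port 8080 is reachable from the network, clients can connect to it directly and bypass the xinetd rules.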
Re: tomcat xinetd
QM wrote:

> On Thu, Apr 01, 2004 at 11:37:29PM +0200, Gianni Pucciani wrote:
> : I'm using Tomcat 4.1 with Axis on a RH9 to develop a simple web service,
> : and I'm trying to improve security starting Tomcat with xinetd supervision.
> : [snip]
> : I've searched the net for help about tomcat xinetd but I didn't find
> : anything, so I wonder if u could just tell me something.
>
> xinetd works by listening on a given port, then firing up the specified service when a request comes in on that port. Are you sure this is what you want?
>
> Even if this were to work, you'd end up starting a new Tomcat server for each connection. =)

In fact, this was one of my doubts; I don't really want to start a new server for each request. I'm not perfectly aware of the ways Tomcat manages incoming requests, so I wonder how to set up the server declaration in the xinetd.d/tomcat service file. I was concerning about using xinetd supervision after reading this article:

http://www-106.ibm.com/developerworks/java/library/l-secjav.html

> What about using a firewall, and/or some of the access-control valves (I forget the exact names, but they let you limit access based on incoming IP, etc.)

Yes, I'm behind a router and I'm going to set a specific filter rule based on incoming address for requests to port 8080.

> -QM
Re: tomcat xinetd
Yes, I've just read this article, but I thought using xinetd not to redirect requests (at least for now...) but to filter incoming requests. A filter rule on my router is just sufficient? There's no need to use xinetd?

Thanks

Ralph Einfeldt wrote:

> Not true.
>
> You also can use xinetd to redirect requests to one port to another port where tomcat is running:
>
> http://www-106.ibm.com/developerworks/linux/library/l-secjav.html
>
> -Original Message-
> From: QM [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 02, 2004 12:43 AM
> To: Tomcat Users List
> Subject: Re: tomcat xinetd
>
> xinetd works by listening on a given port, then firing up the specified service when a request comes in on that port.
>
> snip/
>
> Even if this were to work, you'd end up starting a new Tomcat server for each connection. =)
RE: tomcat xinetd
That isn't easy to answer, that depends on your infrastructure and on your security requirements.

xinetd isn't required. You can achieve the same (in the context of your question) with iptables (Which is more efficient) or with commons-daemon:

http://jakarta.apache.org/commons/daemon/

-Original Message-
From: Gianni Pucciani [mailto:[EMAIL PROTECTED]
Sent: Friday, April 02, 2004 9:46 AM
To: Tomcat Users List
Subject: Re: tomcat xinetd

Yes, I've just read this article, but I thought using xinetd not to redirect requests (at least for now...) but to filter incoming requests. A filter rule on my router is just sufficient? There's no need to use xinetd?