One idea:

I know nothing about the AJP12 protocol but isn't it possible to generate some random seed (or whatever) while starting up tomcat, saving it to disk and then when the shutdown request arrives, it can be matched against both the ip address and the random seed (acting as a password)? The running instance has it in memory and the shutdown script gets the saved copy. With correct permissions this should prevent others from shutting down Tomcat.

Regards,
Gummi Haf

------------------------------------------
Gudmundur Hafsteinsson - [EMAIL PROTECTED]
Dimon Software - www.dimonsoftware.com
"... 'cause that's what tiggers do the best!" - Tigger
------------------------------------------

"Paulo Gaspar" <[EMAIL PROTECTED]>
06.01.2001 03:05
Please respond to tomcat-dev

To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Tomcat can be shutdown by ANYONE.

AFAIK from answers to similar postings, a Tomcat server accepts as valid any shutdown request coming from the same machine where it is running.

Remember that the shutdown request is just another request sent through sockets. All the server can check is the address it came from.

I think (you should check) that this request is sent to the AJP port (8007). So, if you use Tomcat standalone, maybe you can just disable this port by commenting out the AJP12 connector tags in tomcat/conf/server.xml

But then, even if this works, you will not be able to gracefully terminate Tomcat anymore - you will always have to kill it (or "break it").

Have fun,
Paulo Gaspar

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, January 06, 2001 00:48
> To: [EMAIL PROTECTED]
> Subject: Tomcat can be shutdown by ANYONE.
>
>
> I have tried to run Tomcat 3.2.1 as nobody then on another shell login as
> my id ( eg barrow ), and run TOMCAT_HOME/bin/shutdown.sh. I can
> successfully bring tomcat.
>
> I also tried to run Tomcat 3.2.1 as root and I can also shutdown Tomcat
> 3.2.1 as my id ( eg. barrow ).
>
> Unless I did my configuration wrong; otherwise, anyone who has access to
> my Linux box will be able to shutdown Tomcat without any notice.
>
> PS: my id - bhkwan, doesn't have super user privilege. It is just
> a regular user account.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, email: [EMAIL PROTECTED]
RE: Tomcat can be shutdown by ANYONE.
Dimon - Gudmundur Hafsteinsson Sat, 06 Jan 2001 03:16:00 -0800
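
The seed-on-disk idea proposed in the message above, sketched as an added example; it is not part of the original thread and is not Tomcat code. The function names and the token file location are hypothetical, and the AJP12 wire format is not modelled: only the token handling and the combined address-plus-token check are shown.

```python
import hmac
import ipaddress
import os
import secrets
import stat


def write_shutdown_token(path):
    """Server start-up: create a fresh random token readable only by the owner."""
    token = secrets.token_hex(32)
    if os.path.lexists(path):
        os.unlink(path)  # discard the token left by a previous run
    # O_EXCL makes the create fail instead of reusing a file or symlink that
    # appeared after the unlink; mode 0o600 denies read access to other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token)
    return token  # the running instance keeps this copy in memory


def read_shutdown_token(path):
    """Shutdown script: read the saved copy, refusing a file that is too open.

    A different unprivileged user never gets this far: open() fails for them
    because of the 0o600 mode set at start-up.
    """
    st = os.stat(path)
    if st.st_uid != os.getuid() or stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path}: wrong owner or permissions too open")
    with open(path) as fh:
        return fh.read().strip()


def shutdown_allowed(peer_ip, presented, expected):
    """Server side: require a loopback peer AND a matching token."""
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return False
    # Constant-time comparison so response timing does not leak token bytes.
    return hmac.compare_digest(presented.encode(), expected.encode())
```
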