 

Why have a shutdown port in Tomcat?

Tags:

tomcat

tomcat7

I am trying to think of a reason why Tomcat would have a shutdown port but I can't think of any. As I understand it this port only works if messaged locally as it's attached to the loopback device, hence what's the point of having this? Couldn't this be done via internal command in a way that couldn't be spoofed by someone from outside your network?

Thank you!

Ulukai asked Nov 06 '15 22:11



1 Answer

The shutdown port provides an OS neutral, scriptable way to shutdown a Tomcat instance. Once you remove the shutdown port you are almost certainly into the realms of OS specific code (or at least different code for Windows vs Unix plus derivatives). By default, Tomcat aims for common configuration and behaviour across all platforms.

The security profile of Tomcat installations varies wildly from single developer machines to thousands of instances in the cloud. It is impossible for the default configuration to be perfect for all likely installation environments. Tomcat aims for reasonably secure defaults that admins are expected to adjust to suit their environment.

In this case, the security risks come if untrusted users a) have access to the shutdown port and b) know the shutdown command. This should be a fairly rare scenario, hence why the shutdown port remains enabled for localhost by default. I certainly wouldn't want to run a service where I cared about its security on a machine where I had untrusted users. That said, it does happen and, for those use cases, the shutdown port can be disabled.

Once the shutdown port is disabled, the Unix + derivatives solution is to set TOMCAT_PID at which point the scripts will continue to work as expected. On Windows, you are probably going to need to run as a service.

Mark Thomas answered Jan 02 '23 13:01
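As an added example (not part of the question or of Mark Thomas's answer), here is a small audit of the `<Server>` element in Tomcat's server.xml, where the shutdown port, the shutdown command string and the listen address are configured; it flags the two conditions the answer names as the risk (a known command, reachability) and recognises `port="-1"` as the disabled state. The sample server.xml documents are constructed for the demonstration.

```python
# Added example: audit the shutdown listener settings in a Tomcat server.xml.
# Attribute names follow Tomcat's <Server> element: port, shutdown (the
# command string the scripts send) and address (defaults to localhost).
import xml.etree.ElementTree as ET

DEFAULT_COMMAND = "SHUTDOWN"                  # Tomcat's stock shutdown command
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # addresses only reachable locally


def audit_shutdown_listener(server_xml: str) -> dict:
    """Parse server.xml and report how the shutdown port is configured.

    Returns the effective port/command/address (Tomcat's defaults applied
    when an attribute is absent), whether the listener is disabled
    (port -1) and a list of findings an admin should review.
    """
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element must be <Server>")
    port = int(root.get("port", "8005"))
    command = root.get("shutdown", DEFAULT_COMMAND)
    address = root.get("address", "localhost")
    findings = []
    if port != -1:
        # Risk a) from the answer: the port is reachable beyond this host.
        if address not in LOOPBACK:
            findings.append(f"shutdown listener reachable beyond loopback ({address})")
        # Risk b) from the answer: the command is known to everyone.
        if command == DEFAULT_COMMAND:
            findings.append("shutdown command is the well-known default")
    return {"port": port, "command": command, "address": address,
            "disabled": port == -1, "findings": findings}


# Constructed sample configurations (not taken from any real installation).
STOCK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina"/>
</Server>"""

HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina"/>
</Server>"""

if __name__ == "__main__":
    for label, doc in (("stock", STOCK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_shutdown_listener(doc))
```

With the listener disabled, the scripts need another way to find the process, which is the TOMCAT_PID setting the answer mentions.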