Folks:
I'm seeing a warning in my logs when I use request.secret for the AJP
connector when I load the APR native libraries. The warning is:
WARNING: [SetAllPropertiesRule]{Server/Service/Connector}
Setting property 'request.secret' to 'somesillypassword' did not find a
matching property.
I'm running a three node Tomcat cluster for testing with the following
configuraiton:
OS: Fedora 15 32 bit
JVM: java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04)
Java HotSpot(TM) Client VM (build 20.6-b01, mixed mode, sharing)
Tomcat: 6.0.35
Native: 1.1.22
APR: apr-util-devel-1.3.12-1.fc15.i686 (Fedora RPM)
SSL: openssl-devel-1.0.0g-1.fc15.i686 (Fedora RPM)
If I load the native libraries with the following setenv.sh
(CATALINA_BASE and CATALINA_HOME are set in a parent script):
#!/bin/bash
JMX_PORT=9004
CATALINA_OPTS="-Djava.library.path=$CATALINA_HOME/bin/libs \
-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=$JMX_PORT \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="-Dlog4j.home=$CATALINA_BASE/logs"
export CATALINA_OPTS JAVA_OPTS
I get the WARNING message above.
If I comment out the native libraries and run the following setenv.sh
script:
#!/bin/bash
JMX_PORT=9004
# CATALINA_OPTS="-Djava.library.path=$CATALINA_HOME/bin/libs \
CATALINA_OPTS="-Dcom.sun.management.jmxremote \
-Dcom.sun.management.jmxremote.port=$JMX_PORT \
-Dcom.sun.management.jmxremote.ssl=false \
-Dcom.sun.management.jmxremote.authenticate=false"
JAVA_OPTS="-Dlog4j.home=$CATALINA_BASE/logs"
export CATALINA_OPTS JAVA_OPTS
I get a warning about not loading the native libraries, but no warning
about the connector.
Here's the snippet from my server.xml.
<!-- Define an AJP 1.3 Connector on port 8019 -->
<Connector port="8019" protocol="AJP/1.3" redirectPort="8453"
request.secret="somesillypassword"
connectionTimeout="600000"
URIEncoding="UTF-8"/>
I'll post the entire server.xml if people think it's appropriate, but
since it has clustering and farm deployment in it, it's a bit long.
Here's the relevant portion of my workers.properties file:
worker.template.type=ajp13
worker.template.host=192.168.0.254
worker.template.socket_connect_timeout=5000
worker.template.socket_keepalive=true
worker.template.ping_mode=A
worker.template.ping_timeout=10000
worker.template.connection_pool_minsize=0
worker.template.connection_pool_timeout=600
worker.template.reply_timeout=300000
worker.template.recovery_options=3
worker.deimos.reference=worker.template
worker.deimos.port=8019
worker.lb.type=lb
worker.lb.error_escalation_time=0
worker.lb.max_reply_timeouts=10
worker.lb.balance_workers=deimos,mars,phobos
# work around a security issue
worker.lb.secret=somesillypassword
Snippets from httpd.conf:
# uses default DocumentRoot
<VirtualHost *:80>
ServerName phoenix.mdeggers.org
ServerAlias phoenix
ServerAlias localhost.localdomain
ServerAlias localhost
JkMountFile /etc/httpd/conf.d/uriworkermap.properties
</VirtualHost>
And snippets from uriworkermap.properties
#
# RPets - a random pet generator / matcher / test application
#
/RPets=lb
/RPets/*=lb
Here's the really odd thing. Even with the native libraries loaded and
the warning message in catalina.out, the cluster works. I start up the
cluster and then go to http://localhost/RPets, and the
application works as expected.
If the warning is real and the attribute is discarded, I would expect
the application to be unavailable when the native libraries are loaded.
Is this just a spurious warning? I suspect that it is, because
otherwise the Apache HTTPD - Tomcat AJP (via mod_jk 1.2.32) shouldn't
work.
And yes I know, with Tomcat 6.0.35 the attribute is no longer
necessary.
I also tried this with Tomcat 6.0.29 and got the same results (and
there the attribute IS necessary to avoid a security issue).
Puzzled . . . .
/mde/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
