[Bug 591802] Re: tomcat fails to start using a security manager

2010-06-21 Thread Jason Brittain
The changes look right to me as well, if the policy file we're trying to use is in the work/ directory. The init.d script should not set -Djava.security.manager nor -Djava.security.policy because those are indeed set by catalina.sh whenever catalina.sh is invoked with -security. Thanks guys!

[Bug 594989] Re: Lucid Lynx authbind defaults too restrictive

2010-06-21 Thread Jason Brittain
Tom: That is in fact the behaviour I meant to configure authbind to allow -- I wanted to allow the Tomcat JVM to bind to privileged ports on any address on any NIC of the machine on which Tomcat runs. So, a network prefix of 0 is what it should use, instead of 32. Thanks for spotting that!

[Bug 541520] Re: Using incorrect JVM Garbage Collector

2010-04-20 Thread Jason Brittain
Gabriel: It's certainly alright to still discuss this. It's a complex issue, with (I think) only very rough solutions. I agree that the JVM authors are saying that if you cannot know in advance very much about how the Java program is going to be using the JVM, and if you cannot know about the

[Bug 541520] Re: Using incorrect JVM Garbage Collector

2010-03-24 Thread Jason Brittain
Ahh, yes. That's true. I now remember that I made sure to enable that switch whenever authbind is enabled. But, also, I seem to remember some past issues that were fixed by setting -Djava.net.preferIPv4Stack=true by default.. though I can't find any of those in the ASF Tomcat bugzilla at the

[Bug 541520] Re: Using incorrect JVM Garbage Collector

2010-03-23 Thread Jason Brittain
Thierry: There is part of this patch's change that may cause authbind to fail: -# You may pass JVM startup parameters to Java here. -#JAVA_OPTS=-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true -Xmx128m +# You may pass JVM startup parameters to Java here. If unset, the default +# options
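
Review bot: the removed commented-out JAVA_OPTS example is the only visible line that shows -Djava.net.preferIPv4Stack=true, and the replacement comment is cut off after "the default options", so these lines do not show whether the new defaults still carry that flag. If they do not, state that in the new comment and keep the flag in the documented example so that an administrator who sets JAVA_OPTS by hand does not drop it unknowingly.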

[Bug 541520] Re: Using incorrect JVM Garbage Collector

2010-03-19 Thread Jason Brittain
My short opinion is: Yes, it does make sense to use the CMS GC for Tomcat by default. Aaron: Thanks very much for the link to Sun's Hotspot memory management white paper, and for the suggestion to use CMS by default. I have seen quite a few production Tomcat environment config files over the

[Bug 347211] Re: authbind unreasonably fails to address ports 512 through 1023

2010-01-22 Thread Jason Brittain
The man page that comes with version 1.2.0build2 still claims: Ports from 512 to 1023 inclusive cannot be used with authbind because that would create a security hole, in conjunction with rshd. .. even though authbind has been patched to allow using those ports.