-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Ken,
On 3/8/18 11:31 AM, Kenneth Taylor wrote:
> To clarify: We were making changes to our webapp and re-deploying
> and the changes were not showing up. We think this was happening
> because of the shutdown problem I stated earlier. There was more
> than one Tomcat running. Also, there were some configuration
> issues that could have contributed to the problem, maybe, and it is
> also possible that our build system picked up an old config file
> that had the unpackWars flag set to false. My use of the "caching"
> was simply a way of describing this problem.
Definitely make sure Tomcat is stopped. You can use the "jps" program
on most platforms to see what JVMs are running. The Tomcat processes
show with the name "Bootstrap" if you are using a traditional
(non-embedded) Tomcat.
> Also that JVM flag is supposed to disable connecting via a
> debugger, or any other application that uses the JVM Attach
> mechanism. If that flag is not set then anyone who has network
> access can connect to any webapp in Tomcat, say with a debugger,
> and access sensitive information.
You have to have "host" access, not just network access. The Attach
API does not bind to any ports. Also, you either have to be the owner
of the process or have administrative access. For example, on a shared
server, I can't run "jstack -F [other users pid]" and get a thread
dump from their Java process. I can do it if I use "sudo", though.
Perhaps you are thinking of JMX? That requires a special
configuration, and *can* allow network access (though it's a real pain
IMO).
> If you run any JVM directly, with that flag set, you will not be
> able to connect to it, even if a debugger is configured. So if its
> not working with Tomcat then it is a potential security problem.
It does work. I just fired-up a Tomcat instance with that flag set on
the JVM:
$ $CATALINA_HOME/bin/catalina.sh start
$ jps
14491 Bootstrap
$ jstack 14491
14491: The VM does not support the attach mechanism
The -F option can be used when the target process is not responding
$ jstack -F 14491
Attaching to process ID 14491, please wait...
Error attaching to process:
sun.jvm.hotspot.debugger.DebuggerException: Can't attach symbolicator
to the process
sun.jvm.hotspot.debugger.DebuggerException:
sun.jvm.hotspot.debugger.DebuggerException: Can't attach symbolicator
to the process
at
sun.jvm.hotspot.debugger.bsd.BsdDebuggerLocal$BsdDebuggerLocalWorkerThre
ad.execute(BsdDebuggerLocal.java:169)
at
sun.jvm.hotspot.debugger.bsd.BsdDebuggerLocal.attach(BsdDebuggerLocal.ja
va:287)
at sun.jvm.hotspot.HotSpotAgent.attachDebugger(HotSpotAgent.java:671)
at
sun.jvm.hotspot.HotSpotAgent.setupDebuggerDarwin(HotSpotAgent.java:659)
at sun.jvm.hotspot.HotSpotAgent.setupDebugger(HotSpotAgent.java:341)
at sun.jvm.hotspot.HotSpotAgent.go(HotSpotAgent.java:304)
at sun.jvm.hotspot.HotSpotAgent.attach(HotSpotAgent.java:140)
at sun.jvm.hotspot.tools.Tool.start(Tool.java:185)
at sun.jvm.hotspot.tools.Tool.execute(Tool.java:118)
at sun.jvm.hotspot.tools.JStack.main(JStack.java:92)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.tools.jstack.JStack.runJStackTool(JStack.java:140)
at sun.tools.jstack.JStack.main(JStack.java:106)
Caused by: sun.jvm.hotspot.debugger.DebuggerException: Can't attach
symbolicator to the process
at sun.jvm.hotspot.debugger.bsd.BsdDebuggerLocal.attach0(Native Method)
at
sun.jvm.hotspot.debugger.bsd.BsdDebuggerLocal.access$100(BsdDebuggerLoca
l.java:65)
at
sun.jvm.hotspot.debugger.bsd.BsdDebuggerLocal$1AttachTask.doit(BsdDebugg
erLocal.java:278)
at
sun.jvm.hotspot.debugger.bsd.BsdDebuggerLocal$BsdDebuggerLocalWorkerThre
ad.run(BsdDebuggerLocal.java:144)
> Re-producing it is easy. Simply set the flag and then run Tomcat
> and then connect with a debugger.
How are you setting that flag?
> Of course to use a debugger you also have to configure it in the
> properties you start Tomcat with, but some JVM Attach apps may
> work without requiring that.
So... you are specifically configuring your JVM to allow debugging,
and you are upset that you can attach a debugger?
Are you sure the "attach" API is being used, here?
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlqhaaYdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFjb1A/5Ad7eIPM1uLWjWt9O
naBVW0PJ2Y7wC3VDxmBbOB4Ya1/7wLwmcti5ltIWQ5ZvRmUMPVzwlewRo7P4hcZV
AqWKftcNQQW9OnVR9M+0Bgt/2te2vYyirFHIxRffW4w7uLkM5nOn0pryktm2zHpx
SnNJGFTj2svl3kOilQjMiczCciN8DvnN3q5aafj6Ft/hzisBWFzwlIE/MqcPDbQV
pzVBbBR3XpHSdsDXMk+FTmrV7ct5lWresHRtKVw3aQvt57Usg0OJNJZ9hlmCFRSQ
G7NjXJDQ/YcKon8juhZXZr0tFcugCdDO2xP1L+PAIYJ5ILp5+FzaN3CT1l92baJC
SWwMvUui7FYJpfBkyE++wuP5uhzGaTCkj9vgNHhLFVqNU10mOaCysyV724pvtutt
7NOfRunG3SyqX5qU4AT1qyRo25pDTqI9CONlkEtCBFaRXY+ilRYTyuiV+czCmwRo
juifWE9JvLYh29TMxtVNW/YnIQzVCLib7OkDK6Z4dgJMGX5sSD2MBxk2bxMXJ3Ah
yl3LL2ekSKPe/9gQazORPYMcQehEv/3G4SSdsPt7Sl/UmDke67g4Y2A0JAiz6xXP
R8YlIshMl4wxcFTtBvjF8PoCChPDlc/JRDs1/808b8CulV+TgwDWIDVFQZoV9fjc
nDJTJzh4ojCjyRD6inD+qZFMZG4=
=Y0KS
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
