How do I prevent people from shutting down my Tomcat?
Author: Deron Eriksson
Description: This tutorial describes how to prevent people from shutting down your running Tomcat by executing a SHUTDOWN on port 8005.
Tutorial created using:
Windows XP || JDK 1.5.0_09 || Tomcat 5.5.20
(Continued from page 1)

So, how can we prevent people from shutting down Tomcat? One way is to change the message that must be sent for the shutdown to execute. We can also change the port. We can do both by modifying the Server element in Tomcat's server.xml file. Let's change:

Server element in server.xml
<Server port="8005" shutdown="SHUTDOWN">

to

Server element in server.xml
<Server port="8008" shutdown="PLEASESHUTDOWN">

Next, I'll start up Tomcat again via startup.bat. I'll try telnetting to localhost port 8005. The connection fails since we've changed the port number from 8005 to 8008.

I'll telnet to port 8008 of localhost. I type SHUTDOWN followed by the enter key into telnet. Tomcat responds in the console window with: "WARNING: StandardServer.await: Invalid command 'SHUTDOWN' received". The SHUTDOWN command doesn't work since we changed it to PLEASESHUTDOWN.

If I telnet to localhost port 8008 and type PLEASESHUTDOWN followed by enter, this shuts down Tomcat.

This technique can be a useful way of preventing unauthorized people from shutting down your Tomcat server.
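
To check whether a server.xml still carries the stock shutdown settings described above, the following added example (not part of the original tutorial or of Tomcat) inspects the Server element. The function names and finding labels are hypothetical, and it assumes an omitted attribute falls back to the stock value (8005 / SHUTDOWN).

```python
import sys
import xml.etree.ElementTree as ET

DEFAULT_PORT = "8005"
DEFAULT_COMMAND = "SHUTDOWN"

# Constructed samples built from the two <Server> elements shown in the tutorial.
BEFORE = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
AFTER = '<Server port="8008" shutdown="PLEASESHUTDOWN"><Service name="Catalina"/></Server>'


def audit_shutdown_settings(server_xml):
    """Return finding labels for the <Server> element of a server.xml document.

    Accepts str or bytes. An empty list means neither the shutdown port
    nor the shutdown command is at its stock value.
    """
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is <%s>, expected <Server>" % root.tag)

    # Assumption: a missing attribute means the stock value is in effect.
    port = root.get("port", DEFAULT_PORT).strip()
    command = root.get("shutdown", DEFAULT_COMMAND)

    findings = []
    if port == DEFAULT_PORT:
        findings.append("default-port")
    # The tutorial's test shows the command must match exactly, so compare as-is.
    if command == DEFAULT_COMMAND:
        findings.append("default-command")
    return findings


if __name__ == "__main__":
    # Usage: python audit_shutdown.py path/to/conf/server.xml [...]
    # With no arguments, the constructed samples above are audited instead.
    if sys.argv[1:]:
        targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    else:
        targets = [("BEFORE", BEFORE), ("AFTER", AFTER)]
    exit_code = 0
    for name, text in targets:
        findings = audit_shutdown_settings(text)
        print("%s: %s" % (name, ", ".join(findings) or "ok"))
        exit_code = exit_code or (1 if findings else 0)
    sys.exit(exit_code)
```

The script exits non-zero when any audited file still uses a stock value, so it can gate a deployment step.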