Tomcat: start/stop/reload application by JMX? How to manage application's start/stop/restart by program?


Problem description

Background:
I have a task to start/stop/reload an application by JMX deployed in tomcat, jboss, weblogic or websphere. (One probably knows the mentioned web application servers already have a manager page to implement it; we just want to concentrate all these four major web server admins' start/stop/reload feature by JMX into one page).

Question with tomcat:
I have an example application named JMXWebExample1-0.1. I could visit the manager page by entering tomcat/tomcat (username/password) in the prompted login page, and I see the following link when clicking the stop button beside the application name.

http://localhost:8080/manager/html/stop;jsessionid=49CDCBA3DDB3081BA3D6C5BCD9E4C8A3?path=/JMXWebExample1-0.1&org.apache.catalina.filters.CSRF_NONCE=59E98C1BA757DD3E7D9FDEA4504D3423

The link has jsessionid=49CDCBA3DDB3081BA3D6C5BCD9E4C8A3, and CSRF token org.apache.catalina.filters.CSRF_NONCE=59E98C1BA757DD3E7D9FDEA4504D3423.

So when I invoke http://localhost:8080/manager/html/stop?path=/JMXWebExample1-0.1, it always gives me a 403 status code (Access Denied). The question is: how could I stop application JMXWebExample1-0.1 similar to the tomcat manager page?

Some steps before starting tomcat
I have the following steps before the start of tomcat:
1) Enable JMX by adding %CATALINA_OPTS%:

CATALINA_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9000 -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"

2) tomcat-users.xml: I put the following configuration:

<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="manager-gui"/>

3) context.xml, which is under E:\apache-tomcat-9.0.12\webapps\manager\META-INF\context.xml: I comment out the following line:

<Context antiResourceLocking="false" privileged="true" >

 <!--  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|\d+\.\d+\.\d+\.\d+" />  -->
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>


Updated:
E:\apache-tomcat-9.0.12\conf\tomcat-users.xml; when logging in, I use tomcat.

<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="admin-script" />
<role rolename="manager-gui"/>
<role rolename="manager-status"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="admin-gui"/>
<role rolename="admin-jmx" />
<user username="tomcat" password="tomcat" roles="manager-gui,manager-jmx"/>
<user username="both" password="both" roles="tomcat,role1"/>
<user username="role1" password="role1" roles="role1"/>
<user username="all" password="all" roles="tomcat,role1,manager-script,manager-jmx" />

In E:\apache-tomcat-9.0.12\webapps\manager\META-INF\context.xml:

<Context antiResourceLocking="false" privileged="true" >

 <!--  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|\d+\.\d+\.\d+\.\d+" />  -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*" />
  <Manager sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>


Command to invoke: http://localhost:8080/manager/html/stop?path=/JMXWebExample1-0.1

Solution

First of all, tomcat offers HTML and JMX interfaces that must be accessed in different ways.
You are trying to use the HTML one; for that you should send a POST request to

http://localhost:8080/manager/html/stop?path=/sample&org.apache.catalina.filters.CSRF_NONCE=A2D857324A2C4F5F3EAE0DE2934502BA

The /manager page is protected against CSRF with the org.apache.catalina.filters.CSRF_NONCE parameter. If removed, an error 403 is received along with an explanation:

The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:

Users with the manager-gui role should not be granted either the manager-script or manager-jmx roles.

So, if you want to stop an application, send a POST request with a valid CSRF token.

Stop an app through JMX
First, you disabled authentication with -Dcom.sun.management.jmxremote.authenticate=false; you may want to change that. jconsole can be used to control tomcat through JMX by connecting to a remote app at the <ip address>:9000 address.
Then, to stop an app, use the Catalina -> WebModule MBean. You will see several operations available; find stop() and use it.

Finally, as shown in the docs, I think you should change the validation pattern or remove the allow attribute altogether. Commenting the valve out probably disables the feature.

<Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow=".*"/>

Also, the role for JMX access is manager-jmx.

Be aware of the security stuff here!
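
An added example, not part of the original answer or of Tomcat: a Python check that applies the answer's three security remarks (JMX authentication, the manager-gui role rule quoted from the docs, the RemoteAddrValve pattern) to the settings quoted in the question. The function names and the probe address 203.0.113.10 are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, reduced from the settings quoted in the question.
CATALINA_OPTS = ("-Dcom.sun.management.jmxremote "
                 "-Dcom.sun.management.jmxremote.port=9000 "
                 "-Dcom.sun.management.jmxremote.ssl=false "
                 "-Dcom.sun.management.jmxremote.authenticate=false")
TOMCAT_USERS = """<tomcat-users>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-jmx"/>
  <user username="both" password="both" roles="tomcat,role1"/>
  <user username="all" password="all" roles="tomcat,role1,manager-script,manager-jmx"/>
</tomcat-users>"""
MANAGER_CONTEXT = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow=".*"/>
</Context>"""

JMX = "com.sun.management.jmxremote."


def audit_jmx_opts(opts):
    """Return the remote-JMX properties that switch off authentication or TLS."""
    props = dict(re.findall(r"-D" + re.escape(JMX) + r"(\w+)=(\S+)", opts))
    return [JMX + key + "=false" for key in ("authenticate", "ssl")
            if props.get(key, "").lower() == "false"]


def audit_users(xml_text):
    """Map each manager-gui user to the non-CSRF-protected manager roles it also holds."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate a namespaced root element
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        extra = roles & {"manager-script", "manager-jmx"}
        if "manager-gui" in roles and extra:
            findings[el.get("username")] = sorted(extra)
    return findings


def remote_addr_open(xml_text, probe="203.0.113.10"):
    """True if no RemoteAddrValve allow pattern rejects the non-loopback probe address."""
    valves = [v for v in ET.fromstring(xml_text).iter()
              if v.get("className", "").endswith("RemoteAddrValve")]
    # No valve, or a valve without allow, restricts nothing; deny patterns are not evaluated.
    return all(v.get("allow") is None or re.fullmatch(v.get("allow"), probe)
               for v in valves)
```

On the question's settings this reports both JMX flags, the tomcat user (manager-gui together with manager-jmx) and an address filter that admits any client.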
