Why have a shutdown port in Tomcat?

Question

I am trying to think of a reason why Tomcat would have a shutdown port but I can't think of any. As I understand it this port only works if messaged locally as it's attached to the loopback device, hence what's the point of having this? Couldn't this be done via internal command in a way that couldn't be spoofed by someone from outside your network?

Thanks!

Recommended answer

The shutdown port provides an OS neutral, scriptable way to shut down a Tomcat instance. Once you remove the shutdown port you are almost certainly into the realms of OS specific code (or at least different code for Windows vs Unix plus derivatives). By default, Tomcat aims for common configuration and behaviour across all platforms.

The security profile of Tomcat installations varies wildly from single developer machines to thousands of instances in the cloud. It is impossible for the default configuration to be perfect for all likely installation environments. Tomcat aims for reasonably secure defaults that admins are expected to adjust to suit their environment.

In this case, the security risks come if untrusted users a) have access to the shutdown port and b) know the shutdown command. This should be a fairly rare scenario, hence why the shutdown port remains enabled for localhost by default. I certainly wouldn't want to run a service where I cared about its security on a machine where I had untrusted users. That said it does happen and, for those use cases, the shutdown port can be disabled.

Once the shutdown port is disabled, the Unix + derivatives solution is to set TOMCAT_PID at which point the scripts will continue to work as expected. On Windows, you are probably going to need to run as a service.
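
A defender-side check for the two conditions the answer names (port reachable, command known), added here as an example and not part of the original answer: it reads a `server.xml` and reports whether the shutdown listener is enabled, bound beyond loopback, or still using the stock command. The `<Server>` attributes `port`, `shutdown` and `address` are Tomcat's; the function name and the sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def audit_shutdown_port(server_xml):
    """Return a list of findings for the <Server> shutdown listener."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        raise ValueError("root element is not <Server>")
    # Fallbacks mirror the stock configuration: port 8005, command SHUTDOWN,
    # listener bound to localhost when no address attribute is given.
    raw_port = root.get("port", "8005")
    command = root.get("shutdown", "SHUTDOWN")
    address = root.get("address", "localhost")
    try:
        port = int(raw_port)
    except ValueError:
        # e.g. a ${property} placeholder that is resolved only at startup
        return [f"shutdown port '{raw_port}' is not a literal; check the resolved value"]
    if port == -1:
        return []  # listener disabled: nothing to reach, nothing to guess
    findings = []
    if address not in LOOPBACK:
        findings.append(f"shutdown port {port} is bound to non-loopback address {address}")
    if command == "SHUTDOWN":
        findings.append(f"shutdown port {port} accepts the well-known default command")
    return findings

# Constructed sample configurations (not taken from any real host).
STOCK = '<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
DISABLED = '<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
EXPOSED = '<Server port="8005" shutdown="x9-constructed" address="0.0.0.0"/>'

if __name__ == "__main__":
    for name, xml in (("stock", STOCK), ("disabled", DISABLED), ("exposed", EXPOSED)):
        print(name, audit_shutdown_port(xml) or "ok")
```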
