在Tomcat 9中,是否可以通过编程方式关闭AutoDeploy?

huangapple
go评论55阅读模式
英文:

In Tomcat 9, can AutoDeploy be turned off programatically

问题

我们使用Tomcat 9与Spring/Hibernate。显然,这是一个生产代码,Tomcat管理器不存在。为了加固Tomcat,我们尝试通过代码动态地关闭"autoDeploy"。我们可以在server.xml中这样做:

<Host appBase="webapps" autoDeploy="false" name="localhost" unpackWARs="true">

是否可以这样做?是否有一种以程序方式实现这个的方法?

编辑:尝试的代码:

package test.servlet;

import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;

import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.tomcat.util.modeler.Registry;

public class TestServlet extends HttpServlet {
    ObjectName oname = null;
    MBeanServer mBeanServer = null;

    public void service(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {

        String name = request.getParameter("app");

        PrintWriter writer = response.getWriter();

        try {
            oname = new ObjectName("Catalina:type=Deployer,host=localhost");
            mBeanServer = Registry.getRegistry(null, null).getMBeanServer();
            if (!isDeployed(name) && !isServiced(name)) {
                writer.println("deploying application -> " + name);
                addServiced(name);
                try {
                    // Perform new deployment
                    check(name);
                } finally {
                    removeServiced(name);
                }
            }

        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }

    }

    protected void check(String name) throws Exception {
        String[] params = { name };
        String[] signature = { "java.lang.String" };
        mBeanServer.invoke(oname, "check", params, signature);
    }

    protected void addServiced(String name) throws Exception {
        String[] params = { name };
        String[] signature = { "java.lang.String" };
        mBeanServer.invoke(oname, "addServiced", params, signature);
    }

    protected boolean isDeployed(String name) throws Exception {
        String[] params = { name };
        String[] signature = { "java.lang.String" };
        Boolean result = (Boolean) mBeanServer.invoke(oname, "isDeployed", params, signature);
        return result.booleanValue();
    }

    protected boolean isServiced(String name) throws Exception {
        String[] params = { name };
        String[] signature = { "java.lang.String" };
        Boolean result = (Boolean) mBeanServer.invoke(oname, "isServiced", params, signature);
        return result.booleanValue();
    }

    protected void removeServiced(String name) throws Exception {
        String[] params = { name };
        String[] signature = { "java.lang.String" };
        mBeanServer.invoke(oname, "removeServiced", params, signature);
    }
}
英文:

We use tomcat 9 with spring/hibernate. Obviously its a production code and the tomcat manager is not there. For the tomcat hardening we are trying to turn off the "autoDeploy" via code dynamically. We can do that in server.xml as :

&lt;Host appBase=&quot;webapps&quot; autoDeploy=&quot;false&quot; name=&quot;localhost&quot; unpackWARs=&quot;true&quot;&gt;

Can that be done? Is there a way to do this programatically?

EDIT: Code attempted:

package test.servlet;
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.tomcat.util.modeler.Registry;
public class TestServlet extends HttpServlet {
ObjectName oname = null;
MBeanServer mBeanServer = null;
public void service(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
String name = request.getParameter(&quot;app&quot;);
PrintWriter writer = response.getWriter();
try {
oname = new ObjectName(&quot;Catalina:type=Deployer,host=localhost&quot;);
mBeanServer = Registry.getRegistry(null, null).getMBeanServer();
if (!isDeployed(name) &amp;&amp; !isServiced(name)) {
writer.println(&quot;deploying application -&gt; &quot; + name);
addServiced(name);
try {
// Perform new deployment
check(name);
} finally {
removeServiced(name);
}
}
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
protected void check(String name) throws Exception {
String[] params = { name };
String[] signature = { &quot;java.lang.String&quot; };
mBeanServer.invoke(oname, &quot;check&quot;, params, signature);
}
protected void addServiced(String name) throws Exception {
String[] params = { name };
String[] signature = { &quot;java.lang.String&quot; };
mBeanServer.invoke(oname, &quot;addServiced&quot;, params, signature);
}
protected boolean isDeployed(String name) throws Exception {
String[] params = { name };
String[] signature = { &quot;java.lang.String&quot; };
Boolean result = (Boolean) mBeanServer.invoke(oname, &quot;isDeployed&quot;, params, signature);
return result.booleanValue();
}
protected boolean isServiced(String name) throws Exception {
String[] params = { name };
String[] signature = { &quot;java.lang.String&quot; };
Boolean result = (Boolean) mBeanServer.invoke(oname, &quot;isServiced&quot;, params, signature);
return result.booleanValue();
}
protected void removeServiced(String name) throws Exception {
String[] params = { name };
String[] signature = { &quot;java.lang.String&quot; };
mBeanServer.invoke(oname, &quot;removeServiced&quot;, params, signature);
}
}

答案1

得分: 1

I guess you would have to disable deployOnStartup and autoDeploy both.

Reference from the Tomcat 9 docs for host :

>autoDeploy :
> 此标志值指示Tomcat在运行时是否定期检查新的或更新的Web应用程序。如果为true,Tomcat定期检查appBase和xmlBase目录,并部署找到的任何新Web应用程序或上下文XML描述符。更新的Web应用程序或上下文XML描述符将触发Web应用程序的重新加载。该标志的值默认为true。

> deployOnStartup:此标志值指示是否在Tomcat启动时自动部署此主机的Web应用程序。该标志的值默认为true。

如果禁用deployOnStartup和autoDeploy,则需要通过server.xml中的Context元素显式配置管理器应用程序,然后使用它来部署其他WAR文件/目录。

注意:您可以通过在您的server.xml文件中设置autodeploy="false"来禁用自动部署。

阅读更多信息:Apache Tomcat 9配置参考

英文:

I guess you would have to disable deployOnStartup and autoDeploy both.

Reference from the Tomcat 9 docs for host :

>autoDeploy :
> This flag value indicates if Tomcat should check periodically for new
> or updated web applications while Tomcat is running. If true, Tomcat
> periodically checks the appBase and xmlBase directories and deploys
> any new web applications or context XML descriptors found. Updated web
> applications or context XML descriptors will trigger a reload of the
> web application. The flag's value defaults to true.

> deployOnStartup : This flag value indicates if web
> applications from this host should be automatically deployed when
> Tomcat starts. The flag's value defaults to true.

If you disable deployOnStartup and autoDeploy, then you would need to explicitly configure the manager app via a Context element in server.xml and then use it to deploy additional WAR files/directories.

Note : You can disable auto deploy via setting - autodeploy=&quot;false&quot; in your server.xml file.

Read more at : Apache Tomcat 9 Configuration Reference

答案2

得分: 0

不,这是不可能的,因为你无法从Java代码中设置autoDeploy="false"

唯一的配置方式是在server.xml中进行。

英文:

No, it cannot be, as you cannot set autoDeploy=&quot;false&quot; from Java code.

The only way to configure this, is to do it in the server.xml.

huangapple
  • 本文由 发表于 2020年7月30日 21:24:36
  • 转载请务必保留本文链接:https://go.coder-hub.com/63174182.html
  • hardening
  • java
  • tomcat
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定