- Introduction
- Attributes
- Nested Components
- Standard Implementations
- APR Lifecycle Listener - org.apache.catalina.core.AprLifecycleListener
- Global Resources Lifecycle Listener - org.apache.catalina.mbeans.GlobalResourcesLifecycleListener
- JNI Library Loading Listener - org.apache.catalina.core.JniLifecycleListener
- JRE Memory Leak Prevention Listener - org.apache.catalina.core.JreMemoryLeakPreventionListener
- Security Lifecycle Listener - org.apache.catalina.security.SecurityListener
- StoreConfig Lifecycle Listener - org.apache.catalina.storeconfig.StoreConfigLifecycleListener
- ThreadLocal Leak Prevention Listener - org.apache.catalina.core.ThreadLocalLeakPreventionListener
- UserConfig - org.apache.catalina.startup.UserConfig
- Version Logging Lifecycle Listener - org.apache.catalina.startup.VersionLoggerListener
- HTTPD mod_heartmonitor Listener - org.apache.catalina.ha.backend.HeartbeatListener
- Deprecated Implementations
The LifeCycle Listener Component
Table of Contents
Introduction
A Listener element defines a component that performs actions when specific events occur, usually Tomcat starting or Tomcat stopping.
Listeners may be nested inside a Server, Engine, Host or Context. Some Listeners are only intended to be nested inside specific elements. These constraints are noted in the documentation below.
Attributes
Common Attributes
All implementations of Listener support the following attributes:
Attribute | Description |
---|---|
className |
Java class name of the implementation to use. This class must
implement the |
Nested Components
No element may be nested inside a Listener.
Standard Implementations
Unlike most Catalina components, there are several standard
Listener implementations available. As a result,
the className
attribute MUST be used to select the
implementation you wish to use.
APR Lifecycle Listener - org.apache.catalina.core.AprLifecycleListener
The APR Lifecycle Listener checks for the presence of the APR/native library and loads the library if it is present. For more information see the APR/native guide.
This listener must only be nested within Server elements.
The following additional attributes are supported by the APR Lifecycle Listener:
Attribute | Description |
---|---|
SSLEngine |
Name of the SSLEngine to use. The default value is on. This initializes the
native SSL engine, which must be enabled in the APR/native connector by
the use of the See the Official OpenSSL website for more details on supported SSL hardware engines and manufacturers. |
SSLRandomSeed |
Entropy source used to seed the SSLEngine's PRNG. The default value
is |
FIPSMode |
Set to FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. If this attribute is set to any of the above values, the SSLEngine must be enabled as well. The default value is |
useAprConnector |
This attribute controls the auto-selection of the connector
implementation. When the protocol is specified as
|
useOpenSSL |
This attribute controls the auto-selection of the OpenSSL JSSE
implementation. The default is |
Global Resources Lifecycle Listener - org.apache.catalina.mbeans.GlobalResourcesLifecycleListener
The Global Resources Lifecycle Listener initializes the Global JNDI resources defined in server.xml as part of the Global Resources element. Without this listener, none of the Global Resources will be available.
This listener must only be nested within Server elements.
No additional attributes are supported by the Global Resources Lifecycle Listener.
JNI Library Loading Listener - org.apache.catalina.core.JniLifecycleListener
The JNI Library Loading Listener makes it possible for multiple Webapps to use a native library, by loading the native library using a shared class loader (typically the Common class loader but may vary in some configurations)
The listener supports two mutually exclusive attributes, so one of them must be used, but you can not use both together:
Attribute | Description |
---|---|
libraryName |
The name of the native library, as defined in
|
libraryPath |
The absolute path of the native library, as defined in
|
JRE Memory Leak Prevention Listener - org.apache.catalina.core.JreMemoryLeakPreventionListener
The JRE Memory Leak Prevention Listener provides work-arounds for known places where the Java Runtime environment uses the context class loader to load a singleton as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The work-around is to initialise these singletons when this listener starts as Tomcat's common class loader is the context class loader at that time. It also provides work-arounds for known issues that can result in locked JAR files.
This listener must only be nested within Server elements.
The following additional attributes are supported by the JRE Memory Leak Prevention Listener:
Attribute | Description |
---|---|
appContextProtection |
Enables protection so that calls to
|
AWTThreadProtection |
Enables protection so that calls to
|
classesToInitialize |
List of comma-separated fully qualified class names to load and initialize
during the startup of this Listener. This allows to pre-load classes that are
known to provoke classloader leaks if they are loaded during a request
processing. Non-JRE classes may be referenced, like
|
driverManagerProtection |
The first use of |
forkJoinCommonPoolProtection |
Enables protection so the threads created for
|
gcDaemonProtection |
Enables protection so that calls to
|
ldapPoolProtection |
Enables protection so that the PoolCleaner thread started by
|
tokenPollerProtection |
Enables protection so that any token poller thread initialized by
|
urlCacheProtection |
Enables protection so that reading resources from JAR files using
|
xmlParsingProtection |
Enables protection so that parsing XML files within a web application
does not result in a memory leak. Note that memory profilers may not
display the GC root associated with this leak making it particularly
hard to diagnose. Defaults to |
JreMemoryLeakPreventionListener Examples
The following is an example of how to configure the
classesToInitialize
attribute of this listener.
If this listener was configured in server.xml as:
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"
classesToInitialize="oracle.jdbc.driver.OracleTimeoutThreadPerVM" />
then the OracleTimeoutThreadPerVM
class would be loaded
and initialized during listener startup instead of during request
processing.
Security Lifecycle Listener - org.apache.catalina.security.SecurityListener
The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail. The listener is not enabled by default. To enabled it uncomment the listener in $CATALINA_BASE/conf/server.xml. For Tomcat versions before 9.0.7, if the operating system supports umask then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented. For Tomcat 9.0.7 and later, the umask is automatically passed-into Tomcat.
This listener must only be nested within Server elements.
The following additional attributes are supported by the Security Lifecycle Listener:
Attribute | Description |
---|---|
checkedOsUsers |
A comma separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used. To disable this check, set the attribute to the empty string. Usernames are checked in a case-insensitive manner. |
minimumUmask |
The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used. To disable this check, set the attribute to the empty string. The check is not performed on Windows platforms. |
StoreConfig Lifecycle Listener - org.apache.catalina.storeconfig.StoreConfigLifecycleListener
The StoreConfig Lifecycle Listener configures a StoreConfig MBean that may be used to save the current server configuration in server.xml or the current configuration for a web application in a context.xml file.
This listener must only be nested within Server elements.
The following additional attributes are supported by the StoreConfig Lifecycle Listener:
Attribute | Description |
---|---|
storeConfigClass |
The name of the |
storeRegistry |
The URL of the configuration file that configures how the
|
ThreadLocal Leak Prevention Listener - org.apache.catalina.core.ThreadLocalLeakPreventionListener
The ThreadLocal Leak Prevention Listener triggers the
renewal of threads in Executor pools when a
Context is being stopped to avoid thread-local
related memory leaks. Active threads will be renewed one by one when they
come back to the pool after executing their task. The renewal happens
only for contexts that have their renewThreadsWhenStoppingContext
attribute set to true
.
This listener must only be nested within Server elements.
No additional attributes are supported by the ThreadLocal Leak Prevention Listener.
UserConfig - org.apache.catalina.startup.UserConfig
The UserConfig provides feature of User Web Applications. User Web Applications map a request URI starting with a tilde character ("~") and a username to a directory (commonly named public_html) in that user's home directory on the server.
See the User Web Applications special feature on the Host element for more information.
The following additional attributes are supported by the UserConfig:
Attribute | Description |
---|---|
directoryName |
The directory name to be searched for within each user home directory.
The default is |
userClass |
The class name of the user database class.
There are currently two user database, the
|
homeBase |
The base directory containing user home directories. This is effective
only when |
allow |
A regular expression defining user who deployment is allowed. If this attribute is specified, the user to deploy must match for this pattern. If this attribute is not specified, all users will be deployed unless the user matches a deny pattern. |
deny |
A regular expression defining user who deployment is denied. If this attribute is specified, the user to deploy must not match for this pattern. If this attribute is not specified, deployment of user will be governed by a allow attribute. |
Version Logging Lifecycle Listener - org.apache.catalina.startup.VersionLoggerListener
The Version Logging Lifecycle Listener logs Tomcat, Java and operating system information when Tomcat starts.
This listener must only be nested within Server elements and should be the first listener defined.
The following additional attributes are supported by the Version Logging Lifecycle Listener:
Attribute | Description |
---|---|
logArgs |
If |
logEnv |
If |
logProps |
If |
HTTPD mod_heartmonitor Listener - org.apache.catalina.ha.backend.HeartbeatListener
The HTTPD mod_heartmonitor Listener allows tomcat to send heart beat message to the Apache HTTPD mod_heartmonitor module.
The following additional attributes are supported by the HTTPD mod_heartmonitor Listener:
Attribute | Description |
---|---|
Port |
Port the connector that will received proxied traffic from HTTPD, default the first connector will be used |
Host |
Host it is the IP corresponding the address of the connector that will received proxied traffic, default empty the Port will be used |
proxyURL |
proxyURL is the URL corresponding to the Location in httpd configuration of the heartbeat Handler, default /HeartbeatListener |
ProxyList |
ProxyList is the list of proxies from which tomcat is going to receive requests, formatted like "address:port,address:port" once filled the multicast logic is disable and the multi parameters are ignored |
Group |
Group is the Multicast IP to boardcast messages to HTTPD, default 224.0.1.105 |
Multiport |
Multiport is the Multicast port to boardcast messages to HTTPD, default 23364 |
Ttl |
Ttl is the TTL for the boardcast messages, default 16 |
Deprecated Implementations
JMX Remote Lifecycle Listener - org.apache.catalina.mbeans.JmxRemoteLifecycleListener
This listener is now deprecated as the features it provides are now available in the remote JMX capability included with the JRE. This listener will be removed in Tomcat 10 and may be removed from Tomcat 9 some time after 2020-12-31.
The JMX Remote Lifecycle Listener fixes the ports used by the JMX/RMI Server making things much simpler if you need to connect visualvm or a similar tool to a remote Tomcat instance that is running behind a firewall.
The remainder of the configuration can be done via the standard system properties for configuring JMX. For further information on configuring JMX see Monitoring and Management Using JMX included with the Java SDK documentation.
This listener must only be nested within a Server element.
The following additional attributes are supported by the JMX Remote Lifecycle Listener, in addition to the SSL related attributes noted below in the "SSL Configurations" section:
Attribute | Description |
---|---|
accessFile |
Defines the access file used. The attribute will be set to the
value of the |
authenticate |
Defines if authentication is used. Defaults to
|
loginModuleName |
Defines the login module used. The attribute will be set to the
value of the |
passwordFile |
Defines the password file used. The attribute will be set to the
value of the |
rmiBindAddress |
The address of the interface to be used by JMX/RMI server. |
rmiRegistryPortPlatform |
The port to be used by the JMX/RMI registry for the Platform MBeans.
This replaces the use of the
|
rmiRegistrySSL |
Defines if the RMI registry will use SSL. Defaults to
|
rmiServerPortPlatform |
The port to be used by the Platform JMX/RMI server. |
rmiServerSSL |
Defines if the JMX remote server will use SSL. Defaults to
|
useLocalPorts |
Should any clients using these ports be forced to use local ports to
connect to the JMX/RMI server. This is useful when tunnelling
connections over SSH or similar. Defaults to |
Using file-based Authentication and Authorisation
If this listener was configured in server.xml as:
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
with the following system properties set (e.g. in setenv.sh):
-Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=false
$CATALINA_BASE/conf/jmxremote.password containing:
admin letmein
$CATALINA_BASE/conf/jmxremote.access containing:
admin readwrite
then opening ports 10001 (RMI Registry) and 10002 (JMX/RMI Server) in your firewall would enable jconsole to connect to a Tomcat instance running behind a firewall using a connection string of the form:
service:jmx:rmi://<hostname>:10002/jndi/rmi://<hostname>:10001/jmxrmi
with a user name of admin
and a password of
letmein
.
SSL Configurations
Note: SSL configuration can be done with attributes identical to those of SSLHostConfig and the properties of the default certificate as defined for SSLHostConfigCertificate. This will create a JSSE SSLContext which will be given to the JMX/RMI registry when creating the server socket. OpenSSL specific attributes cannot be used in the configuration as JMX remote can only use a regular SSLContext.
A certificate can be defined for the server using a keystore:
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"
certificateKeystoreFile="${catalina.home}/conf/mykeystore.jks" />
Using JAAS
If we use the following system properties instead:
-Dcom.sun.management.jmxremote.login.config=Tomcat
-Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config
-Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
-Dcom.sun.management.jmxremote.ssl=false
$CATALINA_BASE/conf/login.config containing your choice of JAAS LoginModule implementation, for example:
Tomcat { /* should match to the com.sun.management.jmxremote.login.config property */
/* for illustration purposes only */
com.sun.security.auth.module.LdapLoginModule REQUIRED
userProvider="ldap://ldap-svr/ou=people,dc=example,dc=com"
userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
authzIdentity="admin"
debug=true;
};
$CATALINA_BASE/conf/jmxremote.access containing:
admin readwrite
then we would need to provide LDAP credentials instead.
Note that the examples above do not use SSL. JMX access should be considered equivalent to administrative access and secured accordingly.