Oh Tomcat of the multiple conflicting ports!

Ever tried running multiple Tomcats on the same machine and had that fail because of a port conflict? And not because of the HTTP listen port conflict, because you did know about that one and changed it. But, rather, because of the other ports that are open out of the box as well, which even Tomcat's documentation does not mention.

So, it turns out that Tomcat 5 has 3 ports open, and what interesting ports they are:

  1. 8080 - that's the one they tell you about, and it is where all the normal HTTP traffic goes.
  2. 8009 - that's the AJP connector that you need if you are behind a web server like Apache that will pass the requests on to you. Why it is on by default, I don't know. You have to configure the web server side anyway; how difficult would it be to uncomment it at the same time? And if, for whatever reason, you are running Tomcat on its own, you now have another obscure port to worry about as a management hassle or even a possible attack vector.
  3. 8005 - This one is interesting. It is bound to localhost only, and it is how you shut Tomcat down when you run the shutdown script. To shut it down, all you need to do is telnet to the port and say the magic word, which for Tomcat 5.0 is hardcoded as SHUTDOWN and for 5.5 is helpfully kept in the open in server.xml. You don't even need to be the same account to do this, just a user on the same system. This small issue has been acknowledged by the Tomcat team.

So, to make this a fishing lesson rather than a handout of seafood, here is a generic way to check those ports without having to page down through the 19K of semi-commented-out XML.

The command should be all in one line:

The command line above means: for each element that has a port attribute, or a child with such an attribute, print the element with an indent based on its nesting depth; if this particular element has the port attribute itself, print the port value as well.
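The one-liner itself did not survive on this page, so here is the same walk as an added example (mine, not the author's command) written in Python over a constructed server.xml that mimics the default Tomcat 5 layout; it also pulls the shutdown word out of the Server element, which is the 5.5 case described above. The sample XML and the function names are assumptions for the example.

```python
"""Walk a Tomcat server.xml and list every element that carries a port
attribute or contains one, indented by nesting depth."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on a trimmed default Tomcat 5.x server.xml.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def port_elements(xml_text):
    """Return (depth, tag, port) in document order for every element that
    has a 'port' attribute or any descendant with one; port is None for
    elements kept only because a descendant listens somewhere."""
    def walk(elem, depth):
        entries = []
        for child in elem:
            entries.extend(walk(child, depth + 1))
        own_port = elem.get("port")
        if own_port is not None or entries:
            entries.insert(0, (depth, elem.tag, own_port))
        return entries
    return walk(ET.fromstring(xml_text), 0)


def render(entries):
    """Format the entries the way the one-liner prints them: two spaces
    of indent per nesting level, 'port=' only where the element has one."""
    lines = []
    for depth, tag, port in entries:
        line = "  " * depth + tag
        if port is not None:
            line += " port=" + port
        lines.append(line)
    return "\n".join(lines)


def shutdown_command(xml_text):
    """The magic word on the Server element (5.5 keeps it in server.xml)."""
    return ET.fromstring(xml_text).get("shutdown")


if __name__ == "__main__":
    print(render(port_elements(SAMPLE_SERVER_XML)))
    print("shutdown word:", shutdown_command(SAMPLE_SERVER_XML))
```

Point it at a real `conf/server.xml` by reading the file instead of the sample; any Connector still carrying port 8009 or a Server still answering to SHUTDOWN on 8005 is the finding.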

The result for the default Tomcat setup is:

BlogicBlogger Over and Out