Oh Tomcat of the multiple conflicting ports!

Ever tried running multiple Tomcat instances on the same machine, only to have that fail because of a port conflict? And not the HTTP listen port conflict, because you did know about that one and changed it, but rather a conflict on the other ports that are open out of the box as well, ports that even Tomcat’s documentation does not mention.

So, it turns out that Tomcat 5 has 3 ports open, and what interesting ports they are:

  1. 8080 – that’s the one they tell you about, and it is where all the normal HTTP traffic goes.
  2. 8009 – that’s an AJP connector, which you need if you are behind a web server like Apache that will pass the requests to you. Why it is on by default, I don’t know. You have to configure the web server side anyway, so how difficult would it be to uncomment it at the same time? And if – for whatever reason – you are running Tomcat on its own, you now have another obscure port to worry about as a management hassle or even a possible attack vector.
  3. 8005 – this one is interesting. It is bound to localhost only, and it is how Tomcat gets shut down when you run the shutdown script. To shut it down, all you need to do is telnet to the port and say the magic word, which for Tomcat 5.0 is hardcoded as SHUTDOWN and for 5.5 is helpfully kept in the open in server.xml. You don’t even need to be on the same account to do this, just a user on the same system. This small issue has been acknowledged by the Tomcat team.

So, to make this also a fishing lesson rather than a handout of seafood, here is a generic way to check those ports without having to page down the 19K of semi-commented-out XML.

The command should be all in one line:

...\xmlstarlet-1.0.1\xml sel -T -t
-m "//*[.//@port]"
-m "ancestor::*" -o "-+" -b
-v "local-name()"
-i "@port" -o ":" -v "@port" -b
-n
server.xml

The command line above means: for each element that has a port attribute, or a descendant with such an attribute, print the element name with an offset based on its nesting depth; if this particular element does have the port attribute, print the port value as well.

The result for Tomcat’s default setup is:

Server:8005
-+Service
-+-+Connector:8080
-+-+Connector:8009
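
The same check carried a step further, as an added example that is not part of the original post: it rebuilds the port tree above, flags the default shutdown word and an enabled AJP connector, and lists ports claimed by more than one instance. The two server.xml snippets are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed configs (not real files): instance A keeps the defaults the post
# lists; instance B moved only its HTTP port, the mistake the post describes.
INSTANCE_A = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080"/>
  <Connector port="8009" protocol="AJP/1.3"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""
INSTANCE_B = INSTANCE_A.replace('port="8080"', 'port="8081"')

def port_tree(root, depth=0):
    """Same view as the xmlstarlet query: elements with a port at or below them."""
    if not any("port" in e.attrib for e in root.iter()):
        return []
    port = root.get("port")
    lines = ["-+" * depth + root.tag + (":" + port if port else "")]
    for child in root:
        lines += port_tree(child, depth + 1)
    return lines

def audit(root):
    """Flag the two defaults the post calls out as unnecessary exposure."""
    findings = []
    # Assumption: a missing shutdown attribute means the default word is in use.
    if root.get("port") and root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append("shutdown port %s uses the default word" % root.get("port"))
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            findings.append("AJP connector enabled on port %s" % conn.get("port"))
    return findings

def conflicts(configs):
    """Map each port claimed by more than one instance to the instance names."""
    owners = defaultdict(set)
    for name, root in configs.items():
        for elem in root.iter():
            if "port" in elem.attrib:
                owners[elem.attrib["port"]].add(name)
    return {p: sorted(n) for p, n in owners.items() if len(n) > 1}

if __name__ == "__main__":
    roots = {"A": ET.fromstring(INSTANCE_A), "B": ET.fromstring(INSTANCE_B)}
    print("\n".join(port_tree(roots["A"])))
    for name, root in roots.items():
        for finding in audit(root):
            print(name + ": " + finding)
    print("conflicting ports:", conflicts(roots))
```

To run it against real instances, replace ET.fromstring(...) with ET.parse(path).getroot() for each instance's server.xml.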

BlogicBlogger Over and Out

4 thoughts on “Oh Tomcat of the multiple conflicting ports!”

  1. Why not create a virtual network interface, and virtual IP address to bind each Tomcat instance to?

    Seems more scalable, more fault tolerant, and also means you won’t run into these kinda problems…

  2. Two issues with this suggestion:
    1) You need to know that you have a problem with multiple ports before considering solutions such as virtual interfaces and such. The blog post was exactly because I did not know there were multiple ports.
    2) Even if you have virtual IP addresses, 8005 still binds to localhost, so you would have the issue there anyway.

  3. How does Tomcat handle requests from 100 different client hosts? Initially, the client host will create a TCP/IP connection to default port 8080. I believe Tomcat will create a thread to service this request and open another TCP/IP endpoint on Tomcat host to service the request from client 1….100. May I know your findings on this point?

  4. CuriousBlogger,

    I am afraid I am not going to be much help here.

    The blog article is two years old. Since then Tomcat has changed its IO implementation a couple of times (to NIO I think). I haven’t worked with Tomcat for about a year, so not sure what the latest test is.

    However, you should be able to test what is going on, by running netstat -a on Windows, lsof on Unix/Linux or Wireshark anywhere. That will show you ports used by the running process.
