robertdebock / ansible-role-tomcat

Install and configure tomcat on your system.
https://robertdebock.nl/
Apache License 2.0

Secret required in server.xml for AJP-connector #23

Closed OyvindLGjesdal closed 3 years ago

OyvindLGjesdal commented 4 years ago

Describe the bug

Tomcat systemd service refuses to start, due to mandatory secret missing from server.xml (template).

This was introduced in Tomcat 7.0.100, Tomcat 8.5.59, and Tomcat 9.0.31, according to the logs, which is less than the default version for tomcat 7 and 9 values.

From the changelog:

Rename the requiredSecret attribute of the AJP/1.3 Connector to secret and add a new attribute secretRequired that defaults to true. When secretRequired is true the AJP/1.3 Connector will not start unless the secret attribute is configured to a non-null, non-zero length String. (markt)

I don't know what would be the best way to solve this in the server.yml template. Having an instance.ajp_secret variable on the ajp Connector element, with a default secret generated, or should the default requiredSecret attribute be set to false?

I added a secret attribute manually on the box, and the service then started.

--

Playbook

---
...
 tasks:
  - import_role:
      name: "ansible-role-tomcat"
    vars:
      tomcat_instances:
      - name: "tomcat-version-9"
        version: 9
    become: true

Output

The play does not report an error, but sudo systemctl status tomcat-version-9 shows:

Oct 19 19:36:11 example.org catalina.sh[34248]:                 at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
Oct 19 19:36:11 example.org catalina.sh[34248]:         Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:270)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 at org.apache.catalina.connector.Connector.startInternal(Connector.java:1064)
Oct 19 19:36:11 example.org catalina.sh[34248]:                 ... 12 more

Environment

williampiv commented 3 years ago

I am also seeing this issue. It may make sense to make the AJP section in the template an optional section, so that when not using AJP, this error does not occur.

I can try and put together a PR for this.

robertdebock commented 3 years ago

Hi,

I'll try to reproduce the issue and write a fix. Back later!

Thanks for reporting and replying to the issue.

OyvindLGjesdal commented 3 years ago

Hi and thanks for the fix.

I added the same change as 22c72f in a fork of the repo, but was a bit unsure of PRing it, since it reintroduces the old default behaviour of tomcat. Could @williampiv's suggestion of having AJP be an optional block, and then requiring a secret by default if enabled be an option? I may also just be overthinking the problem.

robertdebock commented 3 years ago

I've made a suggestion in the last version (4.7.0).

Have a look, see if this works for you. I'll close this issue, but feel free to open it when changes are required.

Regards, Robert de Bock.
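
The connector rule quoted from the changelog in the first post, as an added example that is not part of the thread or of the role's code: a check that reads a server.xml and reports, per AJP connector, whether it has a secret, will refuse to start, or will start with the secret check switched off. The sample XML, ports and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not taken from the role's template.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false" />
    <Connector port="8011" protocol="AJP/1.3" secret="constructed-placeholder" />
  </Service>
</Server>
"""


def is_ajp(protocol):
    """True for the AJP/1.3 alias and for explicit AJP protocol class names."""
    return protocol.startswith("AJP/") or protocol.startswith("org.apache.coyote.ajp.")


def audit_ajp_connectors(server_xml):
    """Return a (port, verdict) tuple for every AJP connector in the XML text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # A Connector without a protocol attribute is an HTTP connector.
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        secret = conn.get("secret")
        # secretRequired defaults to true when the attribute is absent.
        required = conn.get("secretRequired", "true").lower() == "true"
        if secret:
            verdict = "ok: secret set"
        elif required:
            verdict = "will not start: secretRequired is true and secret is empty"
        else:
            verdict = "starts without a secret: no shared secret is checked"
        findings.append((conn.get("port"), verdict))
    return findings


if __name__ == "__main__":
    for port, verdict in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {verdict}")
```

Run against a rendered server.xml after the play, this surfaces the failure that the play itself does not report, and also flags a connector that starts only because secretRequired was set to false.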