Apache coyote vulnerability fixes are causing wrong port usage

Time:09-12

I'm using an embedded Tomcat server in one of my Java projects. The creation of the server looks like:

Tomcat _tomcat = new Tomcat();

I have configured the Tomcat server to use port numbers from 9001, and everything was working fine.

Problem statement

To address the Apache Coyote vulnerability which was addressed in a Nessus scan, I have modified the Tomcat server creation to:

Tomcat _tomcat = new Tomcat();
_tomcat.getConnector().setXpoweredBy(false);
_tomcat.getConnector().setProperty("server", "");

After doing this change, the Tomcat server is binding to port number 8080, which I have not configured anywhere. This is causing an issue when I try to run two instances at once. It gives the error below: Tomcat server unable to bind error

Question

How to avoid the Tomcat server using port 8080 with the Apache Coyote vulnerability fixes?

CodePudding user response:

Here, when you do _tomcat.getConnector(), a connector instance is called which is not yet initialized, and it uses default values and listens at port 8080, which is the default port for a Tomcat Connector instance.

Instead of performing setXpoweredBy(false) and setProperty("server", "") on the default instance of the connector, move this part to where you are creating the Tomcat Connector instance. Something like:

Connector connector = new Connector();
connector.setPort(port); 
connector.setXpoweredBy(false);
connector.setProperty("server", "");

And then set this connector to the Tomcat server:

_tomcat.setConnector(connector);
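
The answer's fix as a complete program, added here as an example (not code from the original post): it configures the connector before handing it to Tomcat, then prints every bound port and the Server and X-Powered-By response headers so the result of the change can be checked. The class name, the 9001 fallback port, the temp base directory and the empty root context are assumptions, and it assumes the Tomcat 9 or later embed jars are on the classpath.

```java
import java.io.File;
import java.net.HttpURLConnection;
import java.net.URL;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;

// Hypothetical class name; added example, not the poster's project code.
public class HardenedEmbeddedTomcat {
    public static void main(String[] args) throws Exception {
        // Assumed: port comes from the first argument, 9001 otherwise.
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 9001;

        // Build and configure the connector first, so getConnector() is never
        // asked to create a default one on 8080.
        Connector connector = new Connector();
        connector.setPort(port);
        connector.setXpoweredBy(false);
        connector.setProperty("server", "");

        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir")); // assumed work dir
        tomcat.setConnector(connector);
        tomcat.addContext("", new File(".").getAbsolutePath()); // empty root context
        tomcat.start();
        try {
            // Check 1: only the configured port should be listed here.
            for (Connector c : tomcat.getService().findConnectors()) {
                System.out.println("connector bound to port " + c.getLocalPort());
            }
            // Check 2: look at what a client actually receives in the headers.
            URL url = new URL("http://127.0.0.1:" + connector.getLocalPort() + "/");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            int status = conn.getResponseCode(); // 404 is expected; headers matter
            System.out.println("status: " + status);
            System.out.println("Server: " + conn.getHeaderField("Server"));
            System.out.println("X-Powered-By: " + conn.getHeaderField("X-Powered-By"));
            conn.disconnect();
        } finally {
            tomcat.stop();
            tomcat.destroy();
        }
    }
}
```

Running two copies with different port arguments should print one connector line each, and a second listener on 8080 in that list means a default connector was still created somewhere.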