Tomcat Keep Environment Variables Secret from ps -ef [duplicate]

Time:09-17

When I customize my JAVA_OPTS and CATALINA_OPTS in Tomcat's setenv.sh, the contents of those variables are visible in Linux with a 'ps -ef' command because they are passed to Tomcat on the command line.

Guilty excerpt from Tomcat 10 start script (catalina.sh)

eval exec "\"$_RUNJDB\"" "\"$CATALINA_LOGGING_CONFIG\"" $LOGGING_MANAGER "$JAVA_OPTS" "$CATALINA_OPTS" \

I have legacy applications that get secret information, such as passwords, in their java properties this way. But OH NO this exposes passwords to anyone on the machine with a ps -ef!

Is there some way to pass in a properties file to the Tomcat classloader so that the passwords can be passed in as java properties to legacy apps, but not exposed on the command line as they would be in JAVA_OPTS or CATALINA_OPTS? I see such a configuration in Tomcat 3 in the server.xml, but that is ancient.

CodePudding user response:

At a very early startup stage Tomcat reads the $CATALINA_BASE/conf/catalina.properties file, so for most system properties there is no need to provide them on the command line (JAVA_OPTS or CATALINA_OPTS). For your purpose this should be good enough.

The only system properties that must be provided on the command line are:

  • catalina.base and catalina.home (obviously),
  • the configuration for Tomcat logging,
  • the configuration for JMX and other tools that start before user code.
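As an added example (not part of the question or the answer above), the following POSIX shell script does two things an administrator would want after reading this thread: it audits a process command line for the secret-looking -D system properties that `ps -ef` exposes, and it rewrites those options into the name=value lines that belong in $CATALINA_BASE/conf/catalina.properties instead. The sample command line, the list of "sensitive" name fragments (password, passwd, secret, token) and the function names are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit Java command lines for
# secret-looking -D system properties and turn them into catalina.properties lines.
# Assumption: property names containing password, passwd, secret or token are
# treated as sensitive. Extend SENSITIVE_RE to match your own naming conventions.
SENSITIVE_RE='^-D[^=]*(password|passwd|secret|token)[^=]*='

# Constructed sample command line, modelled on what catalina.sh ends up exec'ing
# when JAVA_OPTS carries secrets (values are made up).
SAMPLE_CMDLINE='/usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -Ddb.password=hunter2 -Dapi.secret=abc -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start'

# Print each sensitive-looking -D option from one command line, value redacted,
# so the report itself does not leak what it found.
find_secret_props() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E "$SENSITIVE_RE" \
        | sed -E 's/=.*$/=<redacted>/'
}

# Number of sensitive-looking options in a command line; 0 means clean.
count_secret_props() {
    find_secret_props "$1" | grep -c . || true
}

# Rewrite the sensitive -D options as catalina.properties lines (name=value).
# Tomcat reads that file early at startup, so the values never appear in argv.
props_for_catalina_properties() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -E "$SENSITIVE_RE" \
        | sed -E 's/^-D//'
}

# Scan every running process and report offenders by pid (property names only).
audit_running_processes() {
    ps -eo pid=,args= | while read -r pid args; do
        hits=$(find_secret_props "$args")
        [ -n "$hits" ] && printf 'pid %s: %s\n' "$pid" "$(printf '%s' "$hits" | tr '\n' ' ')"
    done
}

# Stand-alone demonstration on the constructed sample.
echo "sensitive options found: $(count_secret_props "$SAMPLE_CMDLINE")"
find_secret_props "$SAMPLE_CMDLINE"
echo "candidate catalina.properties lines:"
props_for_catalina_properties "$SAMPLE_CMDLINE"
```

Run `audit_running_processes` as root on a host to list any Java process whose argv still carries such properties. Moving the values into catalina.properties only helps if that file is readable by the Tomcat user alone (for example `chmod 600`), since the point is to take the secret out of a world-readable place: on Linux, `/proc/<pid>/cmdline` can be read by every local user unless procfs is mounted with `hidepid`.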