14

I want to start Tomcat 6.0.29 on port 80. My OS is CentOS release 5.5 (Final). I changed the following line in $TOMCAT_HOME/conf/server.xml

<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>

to

<Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1" redirectPort="8443"/>

Then I ran the command:

sudo /etc/init.d/tomcat6 start

In the file $TOMCAT_HOME/logs/catalina.log I found these exceptions:

java.net.BindException: Permission denied <null>:80
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:549)
    at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:565)
    at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
    at org.apache.catalina.connector.Connector.start(Connector.java:1087)
    at org.apache.catalina.core.StandardService.start(StandardService.java:534)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
Caused by: java.net.BindException: Permission denied
    at java.net.PlainSocketImpl.socketBind(Native Method)
    at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:365)
    at java.net.ServerSocket.bind(ServerSocket.java:319)
    at java.net.ServerSocket.<init>(ServerSocket.java:185)
    at java.net.ServerSocket.<init>(ServerSocket.java:141)
    at org.apache.tomcat.util.net.DefaultServerSocketFactory.createSocket(DefaultServerSocketFactory.java:50)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
    ... 12 more
0:11:56 org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: `java.net.BindException: Permission denied <null>:80
    at org.apache.catalina.connector.Connector.start(Connector.java:1094)
    at org.apache.catalina.core.StandardService.start(StandardService.java:534)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:581)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414)
0:11:56 org.apache.catalina.startup.Catalina start`

Thanks in advance

evgeniy44
  • Do you get the same behaviour if you do this as root, and not only using sudo? – JenEriC Apr 05 '11 at 07:46
  • From the stack trace it is clear this happens in native code, so the security manager shouldn't be involved. The only reason I can think of is a non-root user trying to bind a privileged port. Can you run with strace to see what, precisely, it actually chokes on? – JenEriC Apr 05 '11 at 08:10

7 Answers

20

The ports in the range 1-1023 are privileged. Only root is allowed to bind to them.

There are at least two ways to solve this:

  • Run as root. You need to weigh the extra security risks this infers, of course; both security holes in Tomcat itself (which I believe to be few) and those your web applications contain (which can for example lead to letting people read /etc/shadow), against this being simple and straightforward.

  • Run as a service with jsvc. See http://tomcat.apache.org/tomcat-5.5-doc/setup.html for details on jsvc. It is some extra hassle to set up, but root will only be involved in setting up the ports; Tomcat will then run as a user without special rights. I recommend this for any serious setup.

Regardless of which way you choose, the actual starting of Tomcat will need root privileges.

///BR, JenEriC

JenEriC
  • Hm, I missed the sudo part of the start command. That should work. I'm at a loss as to why it doesn't; sorry. – JenEriC Apr 05 '11 at 05:55
  • 3
    I always prefer starting Tomcat on port 8080 and letting iptables do the job of forwarding all requests from port 80. – mindas Apr 05 '11 at 08:46
  • 1
    @mindas: That would of course work, but it doesn't explain the problem at hand :-/ – JenEriC Apr 05 '11 at 10:17
  • 1
    Absolutely - this is why I only posted a comment on your post and did not answer the question myself. In general, I think your answer actually addresses the problem (hence the upvote). – mindas Apr 05 '11 at 10:23
  • You are right. The script /etc/init.d/tomcat6 ran /usr/sbin/tomcat6 as the user tomcat. When I ran: sudo /usr/sbin/tomcat6 start - everything worked fine. Thanks very much. – evgeniy44 Apr 05 '11 at 18:35
10

Run Apache in front of Tomcat and connect all requests on Port 80 (Apache) to Tomcat on the AJP port (8009) using mod_rewrite.

yum install httpd
chkconfig httpd on
vi /etc/httpd/conf.d/proxy.conf

RewriteEngine On
RewriteRule ^/(.*)$ ajp://localhost:8009/$1 [P,QSA,L]

service httpd start

You're done.

Garreth McDaid
6

You can change the AUTHBIND property in "/etc/default/tomcat6" to "yes" as follows

AUTHBIND=yes

Restart Tomcat, and that will enable you to use an available privileged port (1-1023).

Andrey Regentov
Avikar
6

Another option is to use authbind.

From Wikipedia:

The authbind software allows a program that would normally require superuser privileges to access privileged network services to run as a non-privileged user.

Jean-François Fabre
Lajos
1

I use nginx to bind 80 to 8080, which is the port that Tomcat binds to.

My nginx configuration is like this:

server {
    listen 80;
    # server name; you can edit the /etc/hosts file to bind mydomain.com to 127.0.0.1
    server_name mydomain.com;
    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
    access_log logs/xxx456.tk_access.log;
}

陈俊杰
0

I also faced this issue on Linux Mint. When I wanted to start Tomcat on port 80, I got a Permission denied error.

I fixed it by running Tomcat with root permission.

Example: sudo ./startup.sh

-1

Go to /tomcat7/server.xml and edit the file: use the attribute proxyPort="80"

<Connector port="8080" ... proxyPort="80"/>

which will cause servlets inside this web application to think that all proxied requests were directed to www.mycompany.com on port 80.

  • On CentOS this does not work, as ports below 1024 are reserved. The best is to run on port 8080 and change iptables to route requests from 80 to be forwarded to 8080. – Krishna Vedula Jun 30 '16 at 16:49