
When I customize my JAVA_OPTS and CATALINA_OPTS in Tomcat setenv.sh, the contents of those variables are available in Linux with a 'ps -ef' command because they are passed to Tomcat on the command line.

Guilty excerpt from Tomcat 10 start script (catalina.sh)

eval exec "\"$_RUNJDB\"" "\"$CATALINA_LOGGING_CONFIG\"" $LOGGING_MANAGER "$JAVA_OPTS" "$CATALINA_OPTS" \

I have legacy applications that get secret information, such as passwords, in their Java properties this way. But OH NO this exposes passwords to anyone on the machine with a ps -ef!

Is there some way to pass in a properties file to the Tomcat classloader so that the passwords can be passed in as Java properties to legacy apps, but not exposed on the command line as they would be in JAVA_OPTS or CATALINA_OPTS? I see such a configuration in Tomcat 3 in the server.xml, but that is ancient.

MeowCode
    Maybe [Hide arguments of commands in ps](https://unix.stackexchange.com/questions/298178/hide-arguments-of-commands-in-ps) helps. – samabcde Aug 25 '21 at 13:38

1 Answer


At a very early startup stage Tomcat reads the $CATALINA_BASE/conf/catalina.properties file, so for most system properties there is no need to provide them on the command line (JAVA_OPTS or CATALINA_OPTS). For your purpose this should be good enough.

The only system properties that must be provided on the command line are:

  • catalina.base and catalina.home (obviously),
  • the configuration for Tomcat logging,
  • the configuration for JMX and other tools that start before user code.
Piotr P. Karwasz
  • This is working for some of our applications, but not others. With some further research, I will probably accept this as an answer. But keeping it open until I can work with the colleague where this is not working for them. – MeowCode Aug 25 '21 at 15:26
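As an added example (not code from the question, the answer, or Tomcat itself), the following POSIX shell script does the two things a practitioner would want when following the answer: it audits `ps -eo pid,args`-style output for `-D` system properties whose names suggest a secret, and it rewrites the remaining `-D` flags of a command line into lines for `$CATALINA_BASE/conf/catalina.properties`, keeping on the command line only the properties the answer says must stay there. The secret-name pattern, the list of properties kept on the command line, the sample process lines, and the property names and values in them are all constructed for this example.

```sh
#!/bin/sh
# Added example: audit running JVM command lines for secrets passed as -D
# system properties, and turn such flags into catalina.properties entries.
# Everything below (pattern, sample data, kept-property list) is an
# assumption made for the example, not Tomcat's own configuration.

# Property names that look like they carry credentials (assumed pattern).
SECRET_PATTERN='[Pp]ass(word|wd)?|[Ss]ecret|[Tt]oken|[Kk]ey|[Cc]redential'

# Reads "<pid> <command line>" lines (the shape of 'ps -eo pid,args') on
# stdin and prints "<pid> <property-name>" for every -Dname=value whose
# name matches SECRET_PATTERN. Only the name is printed, never the value,
# so the audit output itself does not leak the secret.
audit_jvm_args() {
  awk -v pat="$SECRET_PATTERN" '
  {
    pid = $1
    for (i = 2; i <= NF; i++) {
      if ($i ~ /^-D[^=]+=/) {
        name = substr($i, 3)      # drop the leading "-D"
        sub(/=.*/, "", name)      # keep only the property name
        if (name ~ pat) print pid, name
      }
    }
  }'
}

# Converts the -D flags found on stdin into "name=value" lines suitable for
# $CATALINA_BASE/conf/catalina.properties, which Tomcat reads at startup
# without exposing the values on the command line. Properties that the
# answer says must remain on the command line (catalina.base/home and the
# logging configuration) are skipped; that list is an assumption here.
to_catalina_properties() {
  awk '
  BEGIN {
    keep = " catalina.base catalina.home"
    keep = keep " java.util.logging.config.file java.util.logging.manager "
  }
  {
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^-D[^=]+=/) {
        entry = substr($i, 3)
        name = entry
        sub(/=.*/, "", name)
        if (index(keep, " " name " ") == 0) print entry
      }
    }
  }'
}

# Constructed sample of 'ps -eo pid,args' output: two Tomcat instances,
# one of which still carries credentials in its JAVA_OPTS. Not real data.
SAMPLE='4242 /usr/lib/jvm/java-17/bin/java -Dcatalina.base=/opt/tomcat -Ddb.password=hunter2 -Dapi.token=abc123 -Xmx1g org.apache.catalina.startup.Bootstrap start
4300 /usr/lib/jvm/java-17/bin/java -Dcatalina.base=/opt/tomcat2 -Djava.util.logging.config.file=/opt/tomcat2/conf/logging.properties org.apache.catalina.startup.Bootstrap start'

# Usage on the sample; on a live host replace the printf with: ps -eo pid,args
echo "Secret-looking -D properties visible in process listings:"
printf '%s\n' "$SAMPLE" | audit_jvm_args
echo "Candidate catalina.properties entries:"
printf '%s\n' "$SAMPLE" | to_catalina_properties
```

On the sample the audit reports `4242 db.password` and `4242 api.token`, and the conversion emits `db.password=hunter2` and `api.token=abc123` while leaving `catalina.base` and the logging property alone. Two caveats when moving values this way: catalina.properties must be readable only by the account Tomcat runs as (otherwise the exposure simply moves from `ps` to the filesystem), and because it is a standard Java properties file, backslashes in values must be doubled and leading whitespace in a value escaped.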