• Introduction
• Attributes
  1. Common Attributes
• Nested Components
• Standard Implementations
  1. APR Lifecycle Listener - org.apache.catalina.core.AprLifecycleListener
  2. Jasper Listener - org.apache.catalina.core.JasperListener
  3. Global Resources Lifecycle Listener - org.apache.catalina.mbeans.GlobalResourcesLifecycleListener
  4. JRE Memory Leak Prevention Listener - org.apache.catalina.core.JreMemoryLeakPreventionListener
  5. Security Lifecycle Listener - org.apache.catalina.security.SecurityListener
  6. ThreadLocal Leak Prevention Listener - org.apache.catalina.core.ThreadLocalLeakPreventionListener
  7. UserConfig - org.apache.catalina.startup.UserConfig
• Additional Implementations
  1. JMX Remote Lifecycle Listener - org.apache.catalina.mbeans.JmxRemoteLifecycleListener

A Listener element defines a component that performs actions when specific events occur, usually Tomcat starting or Tomcat stopping.

Listeners may be nested inside a Server, Engine, Host or Context. Some Listeners are only intended to be nested inside specific elements. These constraints are noted in the documentation below.

Common Attributes

All implementations of Listener support the following attributes: Attribute Description className Java class name of the implementation to use. This class must implement the org.apache.catalina.LifecycleListener interface.

No element may be nested inside a Listener.

Unlike most Catalina components, there are several standard Listener implementations available. As a result, the className attribute MUST be used to select the implementation you wish to use.

APR Lifecycle Listener - org.apache.catalina.core.AprLifecycleListener

The APR Lifecycle Listener checks for the presence of the APR/native library and loads the library if it is present. For more information see the APR/native guide. This listener must only be nested within Server elements. The following additional attributes are supported by the APR Lifecycle Listener: Attribute Description SSLEngine Name of the SSLEngine to use. off: do not use SSL, on: use SSL but no specific ENGINE. The default value is on. This initializes the native SSL engine, which must be enabled in the APR/native connector by the use of the SSLEnabled attribute. See the Official OpenSSL website for more details on supported SSL hardware engines and manufacturers. SSLRandomSeed Entropy source used to seed the SSLEngine's PRNG. The default value is builtin. On development systems, you may want to set this to /dev/urandom to allow quicker start times. FIPSMode Set to on to request that OpenSSL be in FIPS mode (if OpenSSL is already in FIPS mode, it will remain in FIPS mode). Set to enter to force OpenSSL to enter FIPS mode (an error will occur if OpenSSL is already in FIPS mode). Set to require to require that OpenSSL already be in FIPS mode (an error will occur if OpenSSL is not already in FIPS mode). FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. If this attribute is set to any of the above values, the SSLEngine must be enabled as well. The default value is off.

Jasper Listener - org.apache.catalina.core.JasperListener

The Jasper Listener initializes the Jasper 2 JSP engine before any web applications that may use it are loaded. For more information on the Jasper 2 JSP engine see the Jasper How To. This listener must only be nested within Server elements. No additional attributes are supported by the Jasper Listener .

Global Resources Lifecycle Listener - org.apache.catalina.mbeans.GlobalResourcesLifecycleListener

The Global Resources Lifecycle Listener initializes the Global JNDI resources defined in server.xml as part of the Global Resources element. Without this listener, none of the Global Resources will be available. This listener must only be nested within Server elements. No additional attributes are supported by the Global Resources Lifecycle Listener.

JRE Memory Leak Prevention Listener - org.apache.catalina.core.JreMemoryLeakPreventionListener

The JRE Memory Leak Prevention Listener provides work-arounds for known places where the Java Runtime environment uses the context class loader to load a singleton as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The work-around is to initialise these singletons when this listener starts as Tomcat's common class loader is the context class loader at that time. It also provides work-arounds for known issues that can result in locked JAR files. This listener must only be nested within Server elements. The following additional attributes are supported by the JRE Memory Leak Prevention Listener: Attribute Description appContextProtection Enables protection so that calls to sun.awt.AppContext.getAppContext() triggered by a web application do not result in a memory leak. Note that a call to this method will be triggered as part of the web application stop process when running on Java 6 and earlier. It is therefore strongly recommended that this protection is enabled when running on Java 6 and earlier. The default is true for Java 6 and earlier versions. The default is false for Java 7 and later versions. AWTThreadProtection Enables protection so that calls to java.awt.Toolkit.getDefaultToolkit() triggered by a web application do not result in a memory leak. Defaults to false because an AWT thread is launched. classesToInitialize List of comma-separated fully qualified class names to load and initialize during the startup of this Listener. This allows to pre-load classes that are known to provoke classloader leaks if they are loaded during a request processing. Non-JRE classes may be referenced, like oracle.jdbc.driver.OracleTimeoutThreadPerVM. The default value is empty, but specific JRE classes are loaded by other leak protection features managed by other attributes of this Listener. driverManagerProtection The first use of java.sql.DriverManager will trigger the loading of JDBC Driver in the the current class loader. The web application level memory leak protection can take care of this in most cases but triggering the loading here has fewer side-effects. The default is true. gcDaemonProtection Enables protection so that calls to sun.misc.GC.requestLatency(long) triggered by a web application do not result in a memory leak. Use of RMI is likely to trigger a call to this method. A side effect of enabling this protection is the creation of a thread named "GC Daemon". The protection uses reflection to access internal Sun classes and may generate errors on startup on non-Sun JVMs. The default is true. java2DDisposerProtection Enables protection so that loading the sun.java2d.Disposer class by a web application does not result in a memory leak. Defaults to false because a thread is launched. ldapPoolProtection Enables protection so that the PoolCleaner thread started by com.sun.jndi.ldap.LdapPoolManager does not result in a memory leak. The thread is started the first time the LdapPoolManager class is used if the system property com.sun.jndi.ldap.connect.pool.timeout is set to a value greater than 0. Without this protection, if a web application uses this class the PoolCleaner thread will be configured with the thread's context class loader set to the web application class loader which in turn will trigger a memory leak on reload. Defaults to true. securityLoginConfigurationProtection Enables protection so that usage of the javax.security.auth.login.Configuration class by a web application does not provoke a memory leak. The first access of this class will trigger the initializer that will retain a static reference to the context class loader. The protection loads the class with the system class loader to ensure that the static initializer is not triggered by a web application. Defaults to true. securityPolicyProtection Enables protection so that usage of the deprecated javax.security.auth.Policy class by a web application does not result in a memory leak. The first access of this class will trigger the static initializer that will retain a static reference to the context class loader. The protection calls the getPolicy() method of this class to ensure that the static initializer is not triggered by a web application. Defaults to true. tokenPollerProtection Enables protection so that any token poller thread initialized by sun.security.pkcs11.SunPKCS11.initToken() does not result in a memory leak. The thread is started depending on various conditions as part of the initialization of the Java Cryptography Architecture. Without the protection this can happen during Webapp deployment when the MessageDigest for generating session IDs is initialized. As a result the thread has the Webapp class loader as its thread context class loader. Enabling the protection initializes JCA early during Tomcat startup. Defaults to true. urlCacheProtection Enables protection so that reading resources from JAR files using java.net.URLConnections does not result in the JAR file being locked. Note that enabling this protection disables caching by default for all resources obtained via java.net.URLConnections. Caching may be re-enabled on a case by case basis as required. Defaults to true. xmlParsingProtection Enables protection so that parsing XML files within a web application does not result in a memory leak. Note that memory profilers may not display the GC root associated with this leak making it particularly hard to diagnose. Defaults to true.

Security Lifecycle Listener - org.apache.catalina.security.SecurityListener

The Security Lifecycle Listener performs a number of security checks when Tomcat starts and prevents Tomcat from starting if they fail. The listener is not enabled by default. To enabled it uncomment the listener in $CATALINA_BASE/conf/server.xml. If the operating system supports umask then the line in $CATALINA_HOME/bin/catalina.sh that obtains the umask also needs to be uncommented. This listener must only be nested within Server elements. The following additional attributes are supported by the Security Lifecycle Listener: Attribute Description checkedOsUsers A comma separated list of OS users that must not be used to start Tomcat. If not specified, the default value of root is used. To disable this check, set the attribute to the empty string. Usernames are checked in a case-insensitive manner. minimumUmask The least restrictive umask that must be configured before Tomcat will start. If not specified, the default value of 0007 is used. To disable this check, set the attribute to the empty string. The check is not performed on Windows platforms.

ThreadLocal Leak Prevention Listener - org.apache.catalina.core.ThreadLocalLeakPreventionListener

The ThreadLocal Leak Prevention Listener triggers the renewal of threads in Executor pools when a Context is being stopped to avoid thread-local related memory leaks. Active threads will be renewed one by one when they come back to the pool after executing their task. The renewal happens only for contexts that have their renewThreadsWhenStoppingContext attribute set to true. This listener must only be nested within Server elements. No additional attributes are supported by the ThreadLocal Leak Prevention Listener.

UserConfig - org.apache.catalina.startup.UserConfig

The UserConfig provides feature of User Web Applications. User Web Applications map a request URI starting with a tilde character ("~") and a username to a directory (commonly named public_html) in that user's home directory on the server. See the User Web Applications special feature on the Host element for more information. The following additional attributes are supported by the UserConfig: Attribute Description directoryName The directory name to be searched for within each user home directory. The default is public_html. userClass The class name of the user database class. There are currently two user database, the org.apache.catalina.startup.PasswdUserDatabase is used on a Unix system that uses the /etc/passwd file to identify valid users. The org.apache.catalina.startup.HomesUserDatabase is used on a server where /etc/passwd is not in use. HomesUserDatabase deploy all directories found in a specified base directory. homeBase The base directory containing user home directories.This is effective only when org.apache.catalina.startup.HomesUserDatabase is used. allow A regular expression defining user who deployment is allowed. If this attribute is specified, the user to deploy must match for this pattern. If this attribute is not specified, all users will be deployed unless the user matches a deny pattern. deny A regular expression defining user who deployment is denied. If this attribute is specified, the user to deploy must not match for this pattern. If this attribute is not specified, deployment of user will be governed by a allow attribute.

JMX Remote Lifecycle Listener - org.apache.catalina.mbeans.JmxRemoteLifecycleListener

This listener requires catalina-jmx-remote.jar to be placed in $CATALINA_HOME/lib. This jar may be found in the extras directory of the binary download area. The JMX Remote Lifecycle Listener fixes the ports used by the JMX/RMI Server making things much simpler if you need to connect jconsole or a similar tool to a remote Tomcat instance that is running behind a firewall. Only these ports are configured via the listener. The remainder of the configuration is via the standard system properties for configuring JMX. For further information on configuring JMX see Monitoring and Management Using JMX included with the Java SDK documentation. This listener must only be nested within a Server element. The following additional attributes are supported by the JMX Remote Lifecycle Listener: Attribute Description rmiRegistryPortPlatform The port to be used by the JMX/RMI registry for the Platform MBeans. This replaces the use of the com.sun.management.jmxremote.port system property that should not be set when using this listener. rmiServerPortPlatform The port to be used by the Platform JMX/RMI server. rmiBindAddress The address of the interface to be used by JMX/RMI server. This option is incompatible with setting the system property com.sun.management.jmxremote.ssl to true. useLocalPorts Should any clients using these ports be forced to use local ports to connect to the the JMX/RMI server. This is useful when tunnelling connections over SSH or similar. Defaults to false. Using file-based Authentication and Authorisation If this listener was configured in server.xml as: <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" /> with the following system properties set (e.g. in setenv.sh): -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access -Dcom.sun.management.jmxremote.ssl=false $CATALINA_BASE/conf/jmxremote.password containing: admin letmein $CATALINA_BASE/conf/jmxremote.access containing: admin readwrite then opening ports 10001 (RMI Registry) and 10002 (JMX/RMI Server) in your firewall would enable jconsole to connect to a Tomcat instance running behind a firewall using a connection string of the form: service:jmx:rmi://<hostname>:10002/jndi/rmi://<hostname>:10001/jmxrmi with a user name of admin and a password of letmein. Using JAAS If we use the following system properties instead: -Dcom.sun.management.jmxremote.login.config=Tomcat -Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access -Dcom.sun.management.jmxremote.ssl=false $CATALINA_BASE/conf/login.config containing your choice of JAAS LoginModule implementation, for example: Tomcat { /* should match to the com.sun.management.jmxremote.login.config property */ /* for illustration purposes only */ com.sun.security.auth.module.LdapLoginModule REQUIRED userProvider="ldap://ldap-svr/ou=people,dc=example,dc=com" userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))" authzIdentity="admin" debug=true; }; $CATALINA_BASE/conf/jmxremote.access containing: admin readwrite then we would need to provide LDAP credentials instead. Note that the examples above do not use SSL. JMX access should be considered equivalent to administrative access and secured accordingly.