The LifeCycle Listener Component

Table of Contents

Introduction

A Listener element defines a component that performs actions when specific events occur, usually Tomcat starting or Tomcat stopping.

Listeners may be nested inside a Server, Engine, Host or Context. Some Listeners are only intended to be nested inside specific elements. These constraints are noted in the documentation below.

Attributes

Common Attributes

All implementations of Listener support the following attributes:

Attribute Description
className

Java class name of the implementation to use. This class must implement the org.apache.catalina.LifecycleListener interface.

Nested Components

No element may be nested inside a Listener.

Standard Implementations

Unlike most Catalina components, there are several standard Listener implementations available. As a result, the className attribute MUST be used to select the implementation you wish to use.

APR Lifecycle Listener - org.apache.catalina.core.AprLifecycleListener

The APR Lifecycle Listener checks for the presence of the APR/native library and loads the library if it is present. For more information see the APR/native guide.

This listener must only be nested within Server elements.

The following additional attributes are supported by the APR Lifecycle Listener:

Attribute Description
SSLEngine

Name of the SSLEngine to use. off: do not use SSL, on: use SSL but no specific ENGINE.

The default value is on. This initializes the native SSL engine, which must be enabled in the APR/native connector by the use of the SSLEnabled attribute.

See the Official OpenSSL website for more details on supported SSL hardware engines and manufacturers.

SSLRandomSeed

Entropy source used to seed the SSLEngine's PRNG. The default value is builtin. On development systems, you may want to set this to /dev/urandom to allow quicker start times.

FIPSMode

Set to on to request that OpenSSL be in FIPS mode (if OpenSSL is already in FIPS mode, it will remain in FIPS mode). Set to enter to force OpenSSL to enter FIPS mode (an error will occur if OpenSSL is already in FIPS mode). Set to require to require that OpenSSL already be in FIPS mode (an error will occur if OpenSSL is not already in FIPS mode).

FIPS mode requires you to have a FIPS-capable OpenSSL library which you must build yourself. If this attribute is set to any of the above values, the SSLEngine must be enabled as well.

The default value is off.

useAprConnector

This attribute controls the auto-selection of the connector implementation. When the protocol is specified as HTTP/1.1 or AJP/1.3 then if this attribute is true the APR/native connector will be used but if this attribute is false the NIO connector will be used.

useOpenSSL

This attribute controls the auto-selection of the OpenSSL JSSE implementation. The default is true which will use OpenSSL if the native library is available and a NIO or NIO2 connector is used.

Global Resources Lifecycle Listener - org.apache.catalina.mbeans.GlobalResourcesLifecycleListener

The Global Resources Lifecycle Listener initializes the Global JNDI resources defined in server.xml as part of the Global Resources element. Without this listener, none of the Global Resources will be available.

This listener must only be nested within Server elements.

No additional attributes are supported by the Global Resources Lifecycle Listener.

JNI Library Loading Listener - org.apache.catalina.core.JniLifecycleListener

The JNI Library Loading Listener makes it possible for multiple Webapps to use a native library, by loading the native library using a shared class loader (typically the Common class loader but may vary in some configurations)

The listener supports two mutually exclusive attributes, so one of them must be used, but you can not use both together:

Attribute Description
libraryName

The name of the native library, as defined in java.lang.System.loadLibrary()

libraryPath

The absolute path of the native library, as defined in java.lang.System.load()

JRE Memory Leak Prevention Listener - org.apache.catalina.core.JreMemoryLeakPreventionListener

The JRE Memory Leak Prevention Listener provides work-arounds for known places where the Java Runtime environment uses the context class loader to load a singleton as this will cause a memory leak if a web application class loader happens to be the context class loader at the time. The work-around is to initialise these singletons when this listener starts as Tomcat's common class loader is the context class loader at that time. It also provides work-arounds for known issues that can result in locked JAR files.

This listener must only be nested within Server elements.

The following additional attributes are supported by the JRE Memory Leak Prevention Listener:

The Version Logging Lifecycle Listener logs Tomcat, Java and operating system information when Tomcat starts.

This listener must only be nested within Server elements and should be the first listener defined.

The following additional attributes are supported by the Version Logging Lifecycle Listener:

Attribute Description
logArgs

If true, the command line arguments passed to Java when Tomcat started will be logged. If not specified, the default value of true will be used.

logEnv

If true, the current environment variables when Tomcat starts will be logged. If not specified, the default value of false will be used.

logProps

If true, the current Java system properties will be logged. If not specified, the default value of false will be used.

Additional Implementations

JMX Remote Lifecycle Listener - org.apache.catalina.mbeans.JmxRemoteLifecycleListener

This listener requires catalina-jmx-remote.jar to be placed in $CATALINA_HOME/lib. This jar may be found in the extras directory of the binary download area.

The JMX Remote Lifecycle Listener fixes the ports used by the JMX/RMI Server making things much simpler if you need to connect jconsole or a similar tool to a remote Tomcat instance that is running behind a firewall. Only these ports are configured via the listener. The remainder of the configuration is via the standard system properties for configuring JMX. For further information on configuring JMX see Monitoring and Management Using JMX included with the Java SDK documentation.

This listener must only be nested within a Server element.

The following additional attributes are supported by the JMX Remote Lifecycle Listener:

Attribute Description
rmiRegistryPortPlatform

The port to be used by the JMX/RMI registry for the Platform MBeans. This replaces the use of the com.sun.management.jmxremote.port system property that should not be set when using this listener.

rmiServerPortPlatform

The port to be used by the Platform JMX/RMI server.

rmiBindAddress

The address of the interface to be used by JMX/RMI server.

useLocalPorts

Should any clients using these ports be forced to use local ports to connect to the JMX/RMI server. This is useful when tunnelling connections over SSH or similar. Defaults to false.

Using file-based Authentication and Authorisation

If this listener was configured in server.xml as:

  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
          rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />

with the following system properties set (e.g. in setenv.sh):

  -Dcom.sun.management.jmxremote.password.file=$CATALINA_BASE/conf/jmxremote.password
  -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
  -Dcom.sun.management.jmxremote.ssl=false

$CATALINA_BASE/conf/jmxremote.password containing:

admin letmein

$CATALINA_BASE/conf/jmxremote.access containing:

admin readwrite

then opening ports 10001 (RMI Registry) and 10002 (JMX/RMI Server) in your firewall would enable jconsole to connect to a Tomcat instance running behind a firewall using a connection string of the form:

service:jmx:rmi://<hostname>:10002/jndi/rmi://<hostname>:10001/jmxrmi

with a user name of admin and a password of letmein.

Using JAAS

If we use the following system properties instead:

  -Dcom.sun.management.jmxremote.login.config=Tomcat
  -Djava.security.auth.login.config=$CATALINA_BASE/conf/login.config
  -Dcom.sun.management.jmxremote.access.file=$CATALINA_BASE/conf/jmxremote.access
  -Dcom.sun.management.jmxremote.ssl=false

$CATALINA_BASE/conf/login.config containing your choice of JAAS LoginModule implementation, for example:

  Tomcat { /* should match to the com.sun.management.jmxremote.login.config property */

    /* for illustration purposes only */
    com.sun.security.auth.module.LdapLoginModule REQUIRED
      userProvider="ldap://ldap-svr/ou=people,dc=example,dc=com"
      userFilter="(&(uid={USERNAME})(objectClass=inetOrgPerson))"
      authzIdentity="admin"
      debug=true;
  };

$CATALINA_BASE/conf/jmxremote.access containing:

admin readwrite

then we would need to provide LDAP credentials instead.

Note that the examples above do not use SSL. JMX access should be considered equivalent to administrative access and secured accordingly.

System property replacement - org.apache.catalina.util.SystemPropertyReplacerListener

This listener performs system property replacement using the property source configured on the digester. When ${parameter} denoted parameters are found in the values of system properties, the property source will be invoked to attempt to replace it.

Comments

Notice: This comments section collects your suggestions on improving documentation for Apache Tomcat.

If you have trouble and need help, read Find Help page and ask your question on the tomcat-users mailing list. Do not ask such questions here. This is not a Q&A section.

The Apache Comments System is explained here. Comments may be removed by our moderators if they are either implemented or considered invalid/off-topic.