Performance and Security in Tomcat's Debug Mode in production

Alex O. Sul
Greenhorn

Joined: Nov 06, 2009
Posts: 3

Hello!

Recently I was looking for a tool to make it easy to deploy bug fixes in production, and I found the ClassGhost utility (http://classghost.sourceforge.net/). This tool injects classes into the production JVM. It looks pretty good, and does the work very well.

But to do this job, ClassGhost needs some parameters in the JVM. These parameters, in Tomcat, are related to debug mode (as you can see at http://classghost.sourceforge.net/how.html and http://wiki.apache.org/tomcat/FAQ/Developing).

My question is: what do you think about enabling Tomcat's debug mode in production? Have you done something like this? Please, I would like to hear your thoughts.

Thanks!


SCJP 5
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15964

Be careful. The JVM debugger cannot be switched on and off on the fly, which means that it's available at all times, and it's not protected by any sort of security system. If an intruder can gain debug access, they can browse and even alter sensitive memory, gain insight into possible application logic flaws, and generally wreak havoc.


Customer surveys are for companies who didn't pay proper attention to begin with.
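
An added example, not part of the original thread: a small Python audit that finds the JDWP debug option in a JVM command line (such as Tomcat's) and reports where the debugger listens. It assumes the `dt_socket` transport; the function name, risk labels and sample command lines are constructed for illustration.

```python
import re
import shlex

# Matches the modern -agentlib:jdwp=... form and the legacy -Xrunjdwp:... form.
JDWP_OPT = re.compile(r"^-(?:agentlib:jdwp=|Xrunjdwp:)(?P<opts>.+)$")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def audit_jvm_args(cmdline, java_major=8):
    """Return one finding per JDWP agent option in a JVM command line.

    Hypothetical helper; assumes transport=dt_socket.
    """
    findings = []
    for arg in shlex.split(cmdline):
        m = JDWP_OPT.match(arg)
        if not m:
            continue
        opts = dict(kv.split("=", 1) for kv in m.group("opts").split(",") if "=" in kv)
        listening = opts.get("server", "n") == "y"
        host, _, port = opts.get("address", "").rpartition(":")
        if not host:
            # Bare port: JDK 9+ binds loopback only, JDK 8 and earlier bind all interfaces.
            host = "localhost" if java_major >= 9 else "*"
        exposed = listening and host not in LOOPBACK
        findings.append({
            "option": arg,
            "listening": listening,
            "bind": f"{host}:{port or 'dynamic'}",
            "risk": "HIGH: unauthenticated debugger reachable off-host" if exposed
                    else "MEDIUM: debugger open to local users" if listening
                    else "LOW: JVM connects out to a debugger",
        })
    return findings


if __name__ == "__main__":
    # Constructed sample command lines, not taken from a real server.
    samples = [
        ("java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n "
         "org.apache.catalina.startup.Bootstrap start", 8),
        ("java -agentlib:jdwp=transport=dt_socket,address=localhost:8000,server=y,suspend=n "
         "org.apache.catalina.startup.Bootstrap start", 11),
    ]
    for cmd, major in samples:
        for f in audit_jvm_args(cmd, major):
            print(f["bind"], "->", f["risk"])
```

On a live host the command line can come from `ps -ww -o args= -p <pid>`; the finding is only as accurate as the `java_major` value supplied for that JVM.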
 