The Apache Tomcat® software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process. The Apache Tomcat software is developed in an open and participatory environment.
Apache Tomcat 7 is a popular server for running Java applications – but say you have a unique instance where you want to run both PHP and Java applications on Tomcat but don't want to run two separate servers (i.e. Apache HTTPD + Tomcat) to achieve it?
PLEASE NOTE THAT THIS METHOD DOES NOT WORK ON TOMCAT 8 AS OF THE DATE OF WRITING.
For this we're going to use the PHP – Java Bridge for Tomcat, which is a handy little package that will sort out PHP execution on top of Tomcat.
The first step is to download the Javabridge template from this link at SourceForge. This will give you a WAR file that you can directly drop in to your Tomcat server's webapps folder.
For Windows users, the next step is to download PHP and extract it somewhere:
For Linux users, just install php5 using apt-get, yum, or your preferred package management tool.
The next step is to add PHP to the PATH variable. Append the path to your PHP folder to the end of your respective PATH variable.
Next, drop the JavaBridgeTemplate61.war file into your Tomcat server's webapps folder and start Tomcat.
When you navigate to your server's Java Bridge folder (this is http://localhost:8080/JavaBridgeTemplate61/ by default), you'll be able to see the Java Bridge's index page:
If you go to javabridge/test.php, you'll be able to see the output from the phpinfo() function:
If you open up test.php in the JavaBridgeTemplate folder in your Tomcat's webapp folder, you can edit some of the code:
Now you can deploy any PHP application within the JavaBridgeTemplate folder and rename the folder to whatever you want. You can add many folders like this for different PHP applications.
Note that the JavaBridge runs PHP as CGI. If you want to enable/disable specific PHP extensions you can simply enable them as you would do normally on your php.ini file.
Tomcat is an open source Java Servlet container developed by the Apache Software Foundation. For more information about basic configuration, see: Tomcat and Apache
Installation
Install one of tomcat7, tomcat8, or tomcat9.
If deploying Tomcat onto a production environment, consider installing tomcat-native. The native library for Tomcat configures the server to use the Apache Portable Runtime (APR) library's network connection (socket) and RNG implementations. It uses native 32- or 64-bit code to enhance performance and is sometimes used in production environments where speed is crucial. No configuration is necessary for default Tomcat installations. More information is available in the official Tomcat docs. A Tomcat 9 package, which is needed for Servlet specification 4.0, is missing at the moment and will come as soon as possible. To install Tomcat 9, follow the instructions in the official Tomcat 9 docs.
Using tomcat-native will remove the following warning in catalina.err:
Filesystem hierarchy
Replace the `*` with your installed version (7 or 8).
Pathname | Use |
---|---|
/etc/tomcat* | Configuration files. Among them: tomcat-users.xml (defines users allowed to use administration tools and their roles), server.xml (main Tomcat configuration file), catalina.policy (security policies configuration file) |
/usr/share/tomcat* | Main Tomcat folder containing scripts and links to other directories |
/usr/share/java/tomcat* | Tomcat Java libraries (jars) |
/var/log/tomcat* | Log files not handled by systemd (see #Logging) |
/var/lib/tomcat*/webapps | Where Tomcat deploys your web applications |
/var/tmp/tomcat* | Where Tomcat stores your webapps' data |
Initial configuration
In order to be able to use the manager webapp and the admin webapp, you need to edit the following file: /etc/tomcat7/tomcat-users.xml
Uncomment the 'role and user' XML declaration and modify it to enable the roles `tomcat`, `admin-gui`, `admin-script` and/or `manager-gui`, `manager-script`, `manager-jmx`, `manager-status` depending on your needs (see Configuring Manager Application Access). To keep it short, `tomcat` is the mandatory role used to run, `manager-*` are roles able to administer web applications and `admin-*` are full-rights administrator roles on the Tomcat server.
Here is a bare configuration file that declares some of these roles along with usernames and passwords (Be sure to change the following [CHANGE_ME] passwords to something secure):
Keep in mind that Tomcat must be restarted each time a modification is made to this file.
This blog post gives a good description of these roles.
To have read permissions on the configuration files and work well with some IDEs, you must add your user to the `tomcat7` (respectively `tomcat8`) group:
Start/stop Tomcat
Start the `tomcat7` service.
Once Tomcat is started, you can visit this page to see the result: http://localhost:8080. If a nice Tomcat local home page is displayed, this means your Servlet container is up and running and ready to host your web apps. If the startup script failed or you can only see a Java error displayed in your browser, have a look at the startup logs using systemd's journalctl. Google is full of answers on recurrent issues found in Tomcat logs.
The systemd service runs this Apache binary with root privileges, which itself starts Tomcat as an unprivileged user (`tomcat7:tomcat7` in Arch Linux). This prevents malicious code that could be executed in a bad web application from causing too much damage. This also enables the use of ports under 1024 if needed. See `man jsvc` for the available options and pass them through the `CATALINA_OPTS` environment variable declared in `/etc/conf.d/tomcat7`.
Alternate 'manual' way
Tomcat can also be controlled directly using upstream scripts:
This can be useful to debug applications or even debug Tomcat, but do not use it to start Tomcat for the first time as doing so can set some permissions wrongly and stop web apps from working. In order to be able to use these scripts, some further configuration may be needed. Be aware that using these scripts prevents the jsvc security advantage described above.
Deploy and handle web applications
Tomcat 7 is bundled with 5 already deployed web applications (change localhost with your server's FQDN if needed):
- The default home page: http://localhost:8080/
- Tomcat 7's local documentation: http://localhost:8080/docs/
- Examples of Servlets and JSP: http://localhost:8080/examples/
- The host-manager to handle virtual hosts: http://localhost:8080/host-manager/
- The manager to administer web applications: http://localhost:8080/manager/html/
The GUI way
Probably the easiest way is to use the manager webapp http://localhost:8080/manager/html. Use the username/password you defined as `manager` in `tomcat-users.xml`. Once logged in you can see five already deployed web applications. Add yours through the 'Deploy' area and then stop/start/undeploy it with the 'Applications' area.
The CLI way
One can also just copy the WAR file of the application to the directory `/usr/share/tomcat8/webapps`. For the latter, be sure that the `autoDeploy` option is still set for the right host as shown here:
Hosting files outside the webapps folder
If you want to keep your project outside the webapps folder, this is possible by creating a `Context`. Go to `/etc/tomcat/Catalina/localhost/` and create your context. A context is a simple XML file which specifies where Tomcat should look for the project. The basic format of the file is
A working example is as follows. This assumes that the project is hosted somewhere in the users /home-folder.
The files can now be hosted in `/home/archie/code/jsp/myProject/`. To see the project in your web browser, go to http://localhost:8080/myProject. If Tomcat is unable to load the files, it might be an issue with permissions. `chmod o+x /home/archie/code/jsp/myProject` should fix the issue.
Logging
Tomcat, when used with official Arch Linux packages, uses systemd's journalctl for the startup log. This means that the files `/var/log/tomcat7/catalina.err` and `/var/log/tomcat7/catalina.out` are not used. Other logs, such as access logs and business logs defined in `/etc/tomcat7/server.xml` as `Valve`, will still end up in `/var/log/tomcat7/` by default.
To restore upstream-style logging, copy the systemd file `/lib/systemd/system/tomcat7.service` to `/etc/systemd/system/tomcat7.service` and change both `SYSLOG` for the absolute paths of log files.
Further setup
Basic configuration can be made through the virtual host manager web application: http://localhost:8080/host-manager/html. Provide the username/password you set in `tomcat-users.xml`. Other options are tweaked in configuration files in `/etc/tomcat7`, the most important being `server.xml`. Using these files is out of the scope of this 101 wiki page. Please have a look at the official Tomcat 7 documentation for more details.
Migrating from previous versions of Tomcat
As said in the introduction, Tomcat 8 does not deprecate Tomcat 7. All three are implementations of Servlet/JSP standards. Hence you must first determine which version of Tomcat you need depending on the versions of Servlet/JSP your application uses. If you need to migrate, the official website gives instructions on how to handle such a process.
Using Tomcat with a different JRE/JDK
Apart from installing the desired JRE/JDK, the only requirement is to set the `TOMCAT_JAVA_HOME` variable in Tomcat's systemd service file.
The variable can be overridden by a custom configuration, as described in Systemd#Editing provided units:
- create the directory /etc/systemd/system/tomcat7.service.d
- in that directory, save a start.conf file with this content (for the Oracle JDK package jdk from the AUR, use /usr/lib/jvm/java-8-jdk instead):
Alternatively, copy the service file /usr/lib/systemd/system/tomcat7.service, to /etc/systemd/system/ and replace this line:
by (e.g. for Oracle JDK)
Security configuration
This page gives the bare minimum to get your first web application to run on Tomcat. It is not intended to be the definitive guide to administering Tomcat (it is a job of its own). The official Tomcat website will provide all necessary official matter. One could also refer to this O'Reilly page and this last one. Still, here are some security tips to get you started:
- Keep your Tomcat installation up to date to get the latest fixes to security issues
- Remove unwanted default applications such as `examples`, `docs`, and the default home page `ROOT` ('_' in the `manager` webapp). This prevents potential security holes from being exploited. Use the `manager` for that.
For more security you could even remove the host-manager and manager web applications. Keep in mind that the latter is useful to deploy web applications.
- Disable the WAR auto-deploy option. This would prevent someone who gained restricted access to the server from copying a WAR into the `/usr/share/java/webapps` directory to get it running. Edit `server.xml` and set `autoDeploy` to `false`:
- Anonymize Tomcat's default error page to prevent potential attackers from retrieving Tomcat's version. To see what Tomcat says by default, just visit a nonexistent page such as http://localhost:8080/I_dont_exist. You get a 404 error page with Tomcat's version at the bottom.
To anonymize this, edit/open the following JAR (editors like `vim` can edit zips directly)
And edit the following file
- Disable unused connectors in `server.xml`.
- Keep restricted access to `/etc/tomcat7/server.xml`. Only the `tomcat` user and/or `root` should be able to read and write this.
- Keep `jsvc` usage. Do not use upstream startup scripts unless you have a particular reason, as explained in the security note above.
- Use strong, different passwords for each user in `tomcat-users.xml`, give roles only to users who really need them, and even disable usernames/roles you do not use/need.
One can even hash `tomcat-users.xml` passwords using the following upstream script:
This will output something like:
Paste the hashed part in place of the clear password in `tomcat-users.xml` and add the following to `server.xml`:
Note that this may not be relevant because only root and/or tomcat is supposed to have read/write access to that file. If an intruder manages to gain root access then he would not need such passwords to mess with your applications/data anyway. Be sure to keep restricted RW access to that file!
- Always know what you are deploying
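The checks in the list above can be run mechanically against a configuration. The following is an added example, not code from the original page or from the Tomcat project: the function name `audit_tomcat`, the finding labels and the sample XML are assumptions constructed for illustration.

```python
import stat
import xml.etree.ElementTree as ET
from collections import Counter

# Default webapps the page suggests removing when they are not needed.
DEFAULT_APPS = {"examples", "docs", "ROOT", "host-manager", "manager"}

# Constructed sample input, not taken from a real server.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="tomcat" password="[CHANGE_ME]" roles="tomcat"/>
  <user username="manager" password="s3cret-A" roles="manager-gui,manager-script"/>
  <user username="admin" password="s3cret-A" roles="admin-gui"/>
</tomcat-users>"""

def _elements(root, name):
    # tomcat-users.xml may declare an XML namespace; match on the local name.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_tomcat(server_xml, users_xml, webapps, server_xml_mode):
    """Return (check, detail) findings for the security tips listed above."""
    findings = []
    server, users = ET.fromstring(server_xml), ET.fromstring(users_xml)
    # WAR auto-deploy: a Host without the attribute defaults to autoDeploy=true.
    for host in _elements(server, "Host"):
        if host.get("autoDeploy", "true").lower() != "false":
            findings.append(("autodeploy", host.get("name", "?")))
    # List every connector so unused ones can be spotted and disabled.
    for conn in _elements(server, "Connector"):
        findings.append(("connector", f"{conn.get('port')} {conn.get('protocol', 'HTTP/1.1')}"))
    # Default applications that are still deployed.
    for app in sorted(DEFAULT_APPS & set(webapps)):
        findings.append(("default-app", app))
    # server.xml should be readable and writable by tomcat and/or root only.
    if server_xml_mode & stat.S_IRWXO:
        findings.append(("permissions", oct(stat.S_IMODE(server_xml_mode))))
    # Passwords: placeholder left in place, or one value shared between users.
    entries = _elements(users, "user")
    reuse = Counter(u.get("password", "") for u in entries)
    for u in entries:
        name, password = u.get("username", "?"), u.get("password", "")
        if "CHANGE_ME" in password:
            findings.append(("placeholder-password", name))
        elif reuse[password] > 1:
            findings.append(("shared-password", name))
        # Roles that can administer the server or its applications.
        roles = [r.strip() for r in u.get("roles", "").split(",")]
        admin = [r for r in roles if r.startswith(("manager-", "admin-"))]
        if admin:
            findings.append(("privileged-role", f"{name}: {','.join(admin)}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit_tomcat(SAMPLE_SERVER_XML, SAMPLE_USERS_XML,
                                      ["ROOT", "examples", "myProject"], 0o100644):
        print(f"{check:22} {detail}")
```

On a real host, pass the contents of `server.xml` and `tomcat-users.xml`, the result of `os.listdir()` on the webapps directory, and `os.stat(path).st_mode` for `server.xml`.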
Troubleshooting
Tomcat service is started, but page is not loaded
First check `/etc/tomcat7/tomcat-users.xml` for any syntax error. If everything is fine and `tomcat7` is correctly running, run `journalctl -r` as root to check the logs for any exception thrown (see Logging). If you read anything like `java.lang.Exception: Socket bind failed: [98] Address already in use`, this is due to some other service listening on the same port. For instance, it is possible that Apache HTTP Server and Tomcat are listening on the same port (if for example you have Apache running on port 8080 with Nginx serving it as a proxy on port 80). If this is the case, edit the `/etc/tomcat7/server.xml` file and change the Connector port to something else under :
Finally, restart the `tomcat7` and `httpd` services.
If you have no solution and you are in a VM, it can help to delete /dev/random and create it again (cf. Solution: FUTEX_WAIT hangs Java on Linux / Ubuntu in vmware or virtual box):
Or, as another solution that persists even after a reboot, modify `/usr/lib/jvm/java-8-openjdk/jre/lib/security/java.security` (for example) to point to /dev/urandom