Tomcat secure configuration - Security



Thread: Tomcat secure configuration

  1. Tomcat secure configuration


    I am new to Tomcat Java App server. Is there any checklist for Tomcat
    to ensure that it is configured securely?

    Any help appreciated.

    Thank you in advance.

    N J



  2. Re: Tomcat secure configuration

    Neil Jones said:
    >I am new to Tomcat Java App server. Is there any checklist for Tomcat
    >to ensure that it is configured securely?


    Haven't come across one -- but then, haven't been looking for one.

    >Any help appreciated.


    I think the first would be: don't run Tomcat as root. So, whatever happens,
    initially the intruder would only have access rights of the account that
    is used to run Tomcat. However, if you must have Tomcat at port 80, then
    you'll need to do some extra work to accomplish that (either, allow
    non-root binding of port 80, or create an iptables forward from port 80
    to your real Tomcat port - and perhaps prohibit external connections
    to your real Tomcat port).

    Then, if you have proper control on what you run with Tomcat, and really
    understand your application code, you could start setting up the Java
    security policy for your application; for more info, see:
    http://tomcat.apache.org/tomcat-5.5-...ger-howto.html

    .... so, f.ex. you could prohibit a certain codebase from performing any
    file operations.

    However, the crux of the issue really is that the applications you run
    on top of Tomcat are secure.

    Unless you're already familiar with the OWASP initiative, take a look
    at their web pages at http://www.owasp.org/ - especially their "Top Ten"
    list at http://www.owasp.org/index.php/OWASP_Top_Ten_Project .
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
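The port-80 arrangement the reply describes (Tomcat on an unprivileged port as a non-root user, a packet-level forward from port 80, and no direct external access to the real port) as an added shell example. This is not code from the thread or from the Tomcat project; it assumes a Linux host with iptables and its conntrack match, and the connector port 8080 used below is a constructed value.

```shell
#!/bin/sh
# Added example, not from the thread: forward port 80 to an unprivileged
# Tomcat connector port and refuse direct external connections to that port.
# Assumptions: Linux, iptables with the conntrack match; TOMCAT_PORT is the
# port Tomcat actually listens on (constructed default: 8080).

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo to print rules instead of applying

# Only a port above 1023 is accepted, so Tomcat never needs root to bind it.
is_unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

tomcat_port80_rules() {
    real_port="$1"
    is_unprivileged_port "$real_port" || {
        echo "connector port must be 1024-65535, got '$real_port'" >&2
        return 1
    }

    # 1. Clients connect to 80; the kernel rewrites the destination port.
    "$IPTABLES" -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports "$real_port"
    # 2. Local clients (health checks, a same-host reverse proxy) may still use the real port.
    "$IPTABLES" -A INPUT -i lo -p tcp --dport "$real_port" -j ACCEPT
    # 3. Packets that arrived on port 80 and were redirected carry the DNAT
    #    conntrack state; those are the only external ones we accept.
    "$IPTABLES" -A INPUT -p tcp --dport "$real_port" -m conntrack --ctstate DNAT -j ACCEPT
    # 4. Anything aimed straight at the real port from outside is dropped.
    "$IPTABLES" -A INPUT -p tcp --dport "$real_port" -j DROP
}

# Dry run by default (prints the rules); APPLY=1 as root installs them.
if [ "${APPLY:-0}" = 1 ]; then
    tomcat_port80_rules "${TOMCAT_PORT:-8080}"
else
    IPTABLES=echo
    tomcat_port80_rules "${TOMCAT_PORT:-8080}"
fi
```

Run it without arguments to see the four rules it would install; run `APPLY=1 sh tomcat-port80.sh` as root to apply them. The DNAT-state rule is what makes the last DROP safe: after the redirect, filtered packets already carry the real port as destination, so a plain DROP on that port would also kill the forwarded traffic.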
