Java Mailing List Archive

http://www.junlu.com/


Re: Tomcat 5 and 6 Security advise

Peter Stavrinides

2007-07-26


Thanks Chuck,

I have done most of these, I already run Tomcat as a daemon using a
non-privileged account, and use a JDBC realm to authenticate users. I
will check for any loose ends like connectors in the config files.

Peter

Caldarale, Charles R wrote:
>> From: Peter Stavrinides [mailto:p.stavrinides@(protected)]
>> Subject: Re: Tomcat 5 and 6 Security advise
>>
>> and nothing is mentioned about the benefits of
>> running Apache with Tomcat for securing Tomcat
>> in a purely Java environment
>>  
>
> Adding layers generally doesn't improve security - it just provides
> additional targets.
>
> Some things to do:
>
> 1) Browse through the server.xml and web.xml settings in Tomcat's conf
> directory, and disable anything you don't need, especially connectors.
>
> 2) Remove any unneeded webapps that come with Tomcat, such as the
> examples, docs, and webdav.
>
> 3) Use a proper authentication Realm, not the toy default one that keeps
> credentials in the tomcat-users.xml file.
>
> 4) Restrict access to Tomcat's file structure to a specific userid, and
> run Tomcat with that userid.
>
> I'm not aware of any security vulnerabilities in current Tomcat levels
> other than the rather minor cross-scripting ones inherent in some of the
> examples.
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@(protected)
> To unsubscribe, e-mail: users-unsubscribe@(protected)
> For additional commands, e-mail: users-help@(protected)
>
>  

--
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652

If you are not an intended recipient of this e-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute it. Please visit http://www.albourne.com/email.html for important additional terms relating to this e-mail.
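A defender's check of the four items in Chuck's list, written as an added POSIX shell example (not code from this thread or from the Apache Tomcat project). It builds a constructed Tomcat 5/6-style CATALINA_HOME in a temp directory, audits it for an uncommented AJP connector, the bundled examples/docs/webdav webapps, the tomcat-users.xml UserDatabaseRealm and world-readable conf files, then applies the corresponding fixes. The JDBCRealm attribute names are Tomcat's own; their values are labelled placeholders, and the user/role table and column names are assumptions to be matched to your schema.

```shell
#!/bin/sh
# Added example, not code from this thread or from Apache Tomcat: audit a
# CATALINA_HOME for the four items in Chuck's list, then apply the fixes.

# Build a constructed sample CATALINA_HOME in a temp directory so the
# script runs offline. Its server.xml mirrors the stock Tomcat 5/6 layout:
# HTTP and AJP connectors enabled, UserDatabaseRealm (tomcat-users.xml)
# active, and the bundled examples/docs webapps deployed.
make_sample_home() {
  home=$(mktemp -d)
  mkdir -p "$home/conf" "$home/webapps/ROOT" "$home/webapps/myapp" \
           "$home/webapps/examples" "$home/webapps/docs"
  cat > "$home/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF
  chmod 755 "$home/conf"            # typical unpacked-tarball permissions
  chmod 644 "$home/conf/server.xml"
  echo "$home"
}

# Print one line per finding. Assumes one <Connector .../> or <Realm .../>
# per line, as in the stock server.xml.
audit_tomcat() {
  home=$1
  cfg=$home/conf/server.xml
  # 1) an uncommented AJP connector is an extra listener when nothing fronts Tomcat
  if grep -q '^[[:space:]]*<Connector.*AJP' "$cfg"; then
    echo "connector: AJP connector enabled in conf/server.xml"
  fi
  # 2) the bundled webapps Chuck names
  for app in examples docs webdav; do
    if [ -d "$home/webapps/$app" ]; then
      echo "webapp: bundled webapp '$app' still deployed"
    fi
  done
  # 3) the tomcat-users.xml realm
  if grep -q 'UserDatabaseRealm' "$cfg"; then
    echo "realm: UserDatabaseRealm (tomcat-users.xml) is the active realm"
  fi
  # 4) conf files readable by every local account, not just Tomcat's userid
  find "$home/conf" -type f -perm -004 | while read -r f; do
    echo "perms: $f is world-readable"
  done
}

# Number of findings, as a bare integer (tr strips BSD wc's padding).
count_findings() {
  audit_tomcat "$1" | wc -l | tr -d ' '
}

# Apply the fixes. The JDBCRealm attribute values are PLACEHOLDERs and the
# table/column names are assumptions; set them to match your user schema.
harden_tomcat() {
  home=$1
  cfg=$home/conf/server.xml
  for app in examples docs webdav; do
    rm -rf "$home/webapps/$app"
  done
  # comment out the AJP connector line; swap the realm for a JDBCRealm
  sed -e 's|^\([[:space:]]*\)<Connector \(.*AJP/1\.3.*\)/>|\1<!-- <Connector \2/> -->|' \
      -e 's|<Realm className="org.apache.catalina.realm.UserDatabaseRealm"[^>]*/>|<Realm className="org.apache.catalina.realm.JDBCRealm" driverName="PLACEHOLDER_JDBC_DRIVER" connectionURL="PLACEHOLDER_JDBC_URL" connectionName="PLACEHOLDER_DB_USER" connectionPassword="PLACEHOLDER_DB_PASSWORD" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" digest="SHA"/>|' \
      "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
  # conf readable only by the owning (daemon) account and its group
  chmod 750 "$home/conf"
  chmod 640 "$home/conf"/*
}

# Run with --demo to see the findings before and after hardening.
if [ "${1:-}" = "--demo" ]; then
  home=$(make_sample_home)
  echo "before:"; audit_tomcat "$home"
  harden_tomcat "$home"
  echo "after: $(count_findings "$home") findings"
  rm -rf "$home"
fi
```

Against a real install, point `audit_tomcat` at the actual CATALINA_HOME and review its output before running `harden_tomcat`; the sed-based realm swap only handles the single-line stock Realm element, so a hand-edited server.xml should be changed by hand, and the JDBCRealm placeholders must be filled in before Tomcat is restarted.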


