tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Apache Wiki <>
Subject [Tomcat Wiki] Update of "FAQ/Security" by GianlucaVarisco
Date Wed, 28 Nov 2007 18:02:33 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The following page has been changed by GianlucaVarisco:

New page:
== Preface ==
This FAQ section provides help with some security-related issues. If you hear of a vulnerability
or its exploitation, please let us know on the []
mailing list.
=== The Record ===

Tomcat's security record is impeccable. There have been no public cases of damage done to
a company, organization, or individual due to a Tomcat security issue. There have been no
documented cases of data loss or application crashes caused by an intruder. While there have
been numerous analyses conducted on Tomcat, partially because this is easy to do with Tomcat's
source code openly available, there have been only a few '''theoretical''' vulnerabilities
found. All of those were addressed rapidly even though there were no documented cases of actual
exploitation of these vulnerabilities.
=== Role of Customization ===

We believe, and the evidence suggests, that Tomcat is more than secure enough for most use-cases.
However, like all other components of Tomcat, you can customize any and all of the relevant
parts of the server to achieve even higher security. For example, the session manager implementation
is pluggable, and even the default implementation has support for pluggable random number
generators. If you have a special need that you feel is not met by Tomcat out of the box,
consider these customization options. At the same time, please bring up your requirements
on the user mailing list, where we'll be glad to discuss it and assist in your approach/design/implementation
as needed.

== Questions ==

'''How do I use OpenSSL to set up my own Certificate Authority (CA)?'''

[ Using OpenSSL to
set up your own CA].

'''OH NO! PORT 8005 is available for anyone on localhost to shutdown my tomcat!'''

See these 2 discussions.

    * [ Possible to switch
off tcp/ip server shutdown?]
    * [ Tomcat shutdown &

'''What about Tomcat running as root?'''

See these threads:

    * [ Tomcat as root and
security issues]

''' How to I force all my pages to run under HTTPS?'''

[ Use security-constraint
in web.xml].

''' What is the default login for the manager and admin app?'''

The admin and manager application do not provide a default login. Doing so is a security flaw.
You need to edit $CATALINA_HOME/conf/tomcat-users.xml if you are using the default install.
Configuring Manager Application Access]

''' How do I restrict access by ip address or remote host?'''

By using the RemoteHostValve or RemoteAddrValve. Warning, these valves rely on accurate incoming
ip addresses or hostnames. So they can fall victim to spoofing! [
Valve Reference Link]

'''How do I use jsvc/procrun to run Tomcat on port 80 securely?'''

Fairly easily ;) See the Setup page in the docs for your tomcat release, and read [
this mailing list post] for a complete setup example with permissions etc.

''' Has Tomcat's security been independently analyzed or audited?'''

Yes, by numerous organizations and individuals, many times. Try [
this Google search] and you'll see many references, guides, and analyses. 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message