tomcat-users mailing list archives

From Patrick Lacson <plac...@gmail.com>
Subject Re: how to harden tomcat?
Date Thu, 24 Feb 2005 08:29:39 GMT
Thanks Peter.

On Thu, 24 Feb 2005 07:59:59 +1100, Peter Johnson <peter@wizardslair.net> wrote:
> I haven't really come across hardening documents for Tomcat or any Java
> container for that matter. That is probably because Java by design is
> relatively secure as it runs within a virtual machine so it isn't
> possible to escape code etc and breakout into the OS kernel space.
> 
> So basically run Tomcat as a specific user and tune the filesystem
> parameters to only allow access to the resources it needs (standard
> approach for every app Java or not). Now focus all your attention on the
> application code (not Tomcat but the webapp) make sure all database
> interactions are escaped properly etc etc etc
> 
> One thing to look out for would be the use of JNI i.e. native calls. I'm
> not sure if there is a way of preventing someone from packaging a .so in
> a WAR and then loading it in to the app via code to bypass the lack of
> LD_LIBRARY_PATH (on *nix).
> 
> The authentication / authorisation stuff (e.g. realms) is all to do with
> access to webapps.
> 
> If you come across anything else I would be interested to know about it,
> especially if it is to do with securing Java in general.
> 
> PJ
> 
> Patrick Lacson wrote:
> 
> >Specifically authoritative articles on how to do this.. would be
> >greatly appreciated.
> >
> >
> >
> >On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson <placson@gmail.com> wrote:
> >
> >
> >>Does anybody have any links/documents on how to harden tomcat?
> >>
> >>thanks,
> >>--
> >>Patrick
> >>
> >>
> >>
> >
> >
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 


-- 
Patrick
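Peter's three points above (run Tomcat as a dedicated user, restrict what that user can touch on the filesystem, and watch for JNI) as an offline audit script. This is an added example, not code from the thread or from Tomcat; it assumes a service user named tomcat, an install under /opt/tomcat, and that the security manager is switched on with catalina.sh's -security option.

```sh
#!/bin/sh
# Added example, not from the thread: offline checks for Peter's three points
# (dedicated user, restricted filesystem, JNI). Inputs are constructed strings;
# live input would be `ps -o user=,args= -C java` and `stat -c '%U %a %n' DIR`.

# Tomcat runs as the dedicated service user, never root.
# $1 = expected user, $2 = one "USER ARGS" line from ps.
runs_as_user() {
    proc_user=${2%% *}
    [ "$proc_user" = "$1" ] && [ "$proc_user" != root ]
}

# Security manager active (catalina.sh start -security adds this flag): a .so
# shipped in a WAR cannot be System.loadLibrary()'d unless catalina.policy
# grants that webapp RuntimePermission "loadLibrary.<name>". $1 = ps line.
security_manager_on() {
    case $1 in
        *-Djava.security.manager*) return 0 ;;
        *) return 1 ;;
    esac
}

# conf/ and webapps/ root-owned and not group/world writable, so a compromised
# webapp cannot rewrite server.xml or drop a WAR. $1 = "OWNER MODE PATH" (stat).
root_owned_not_writable() {
    set -- $1
    [ "$1" = root ] || return 1
    gw_ow=${2#"${2%??}"}           # last two octal digits: group and other
    case $gw_ow in
        *[2367]*) return 1 ;;      # any digit with the write bit set
        *) return 0 ;;
    esac
}

# Constructed sample lines standing in for live ps/stat output.
PS_GOOD='tomcat /usr/bin/java -Djava.security.manager -Djava.security.policy=conf/catalina.policy org.apache.catalina.startup.Bootstrap start'
PS_BAD='root /usr/bin/java org.apache.catalina.startup.Bootstrap start'
STAT_GOOD='root 755 /opt/tomcat/conf'
STAT_BAD='tomcat 775 /opt/tomcat/webapps'

# Run all three checks; non-zero if any fails. $1 = ps line, $2 = stat line.
audit() {
    rc=0
    runs_as_user tomcat "$1"     && echo "ok: runs as tomcat"      || { echo "FAIL: not the tomcat user"; rc=1; }
    security_manager_on "$1"     && echo "ok: security manager on" || { echo "FAIL: no security manager"; rc=1; }
    root_owned_not_writable "$2" && echo "ok: $2"                  || { echo "FAIL: writable or not root: $2"; rc=1; }
    return $rc
}

audit "$PS_GOOD" "$STAT_GOOD"
```

The security manager is deprecated for removal in current JDKs (JEP 411, Java 17 onward), so on recent Java treat the second check as advisory and rely on the user and filesystem checks.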


