tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Maurice Yarrow <>
Subject Re: Apache + Tomcat, Tomcat only handles JSP in localhost
Date Wed, 11 Jan 2006 06:44:13 GMT
Hello Oded

A conventional, simple, and accepted secure solution to the problem
of running tomcat as root is to

     daemon su -c /home/tomcat/ tomcat

from root which transfers tomcat to run under process ownership
of user tomcat.  Of course, you must create a user "tomcat", and
of course, this user could be given any arbitrary name.

An excellent article and cookbook method for setting this up
is provided at

("Securing Linux for Java Services", D. M. Sosnoski)
which is an extensive explanation of setting up iptables to route
port 80 correctly to tomcat, and which provides two small but very
effective shell scripts (the first of which is started by root and
which includes the important "daemon su..." line above):

Listing 3. Tomcat service definition
Listing 4. Sample

In addition, there is information included also about "chroot jail",
as the author says "for the truly paranoid".

Maurice Yarrow

Oded Arbel wrote:

> The most important reason that I use an Apache frontend for tomcat, 
> which is probably not relevant to the original poster, is that under 
> Unix only root processes can open port 80 (the default HTTP port), and 
> so if tomcat is configured to serve pages on port 80, it must run as 
> root. 
> This is a serious security concern. Apache knows how to open port 80 and 
> then change to a non-privileged user, something which AFAIK tomcat - 
> being based on Java which does not support the concept of operating 
> system privileges - cannot do.
> There for, some kind of frontend is required. While we are in the 
> process of providing a frontend, it might as well be Apache which 
> offers additional features: reverse-proxying and caching and support 
> for a huge number of scripting languages (python, perl or ruby 
> anyone ?) and other modules. 

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message