tomcat-users mailing list archives

From Darren <darrensli...@googlemail.com>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 18:09:48 GMT
> Things like:
>
> Change files in CATALINA_HOME/conf to be readonly (400)
> ...
> Rename CATALINA_HOME/conf/server.xml to ...
>
> won't work for dummies (due to missing rights) if they'll follow the
> guide step by step.

You're right, the ordering is perhaps a little confusing. The article is not aimed specifically at people who are new to sysadmin work, rather those who are new to (or just in doubt of how to secure) tomcat. I'd hope these people would realise they have to make a file writable before they try to edit it.

> Anyway: AFAIR (can't reach owasp.org atm) the Article mentions putting httpd
> in front of Tomcat as one means among others to work around the fact that on
> Unix-like systems Tomcat alone can't bind to port 80 if running under a
> restricted account.

I think the 'running on port 80' section needs some rewording as I'm not advocating that putting IIS or apache in front of your tomcat installation will make it any more secure. As a sysadmin you may be asked to serve tomcat based pages on port 80 so it is presenting the options without bias towards any of them. Perhaps I need to add some bias, from a security perspective, to prevent misunderstanding ...


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
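An added example (not part of the thread or of the article under review) showing how the "files in CATALINA_HOME/conf read-only (400)" step can be applied and then audited, so a reader can confirm the hardening took and notice when a file was left writable after editing. The audit works on any directory; the demo below builds a constructed conf/ directory so it runs without a Tomcat install.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the OWASP article.
# Expectation being checked: every regular file under CATALINA_HOME/conf has
# mode exactly 0400 (owner read-only), as the article recommends.

# List every regular file under "$1" whose mode is not exactly 0400.
# Returns 1 when at least one such file exists, 0 when the tree is clean.
audit_conf_perms() {
    dir="$1"
    bad=$(find "$dir" -type f ! -perm 400)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Apply the recommendation: set every regular file under "$1" to 0400.
# Before editing one of these files later, chmod u+w it, edit, then re-run
# harden_conf_perms and audit_conf_perms so nothing stays writable.
harden_conf_perms() {
    find "$1" -type f -exec chmod 400 {} +
}

# Constructed demo tree standing in for CATALINA_HOME/conf (an assumption).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conf"
printf '<Server/>\n' > "$demo_dir/conf/server.xml"
printf '<tomcat-users/>\n' > "$demo_dir/conf/tomcat-users.xml"
chmod 644 "$demo_dir/conf/server.xml"        # typical fresh-install mode
chmod 600 "$demo_dir/conf/tomcat-users.xml"  # still writable, still flagged

echo "== before hardening (files not at 0400) =="
audit_conf_perms "$demo_dir/conf" || true
harden_conf_perms "$demo_dir/conf"
echo "== after hardening =="
if audit_conf_perms "$demo_dir/conf"; then
    echo "conf/ is read-only (0400) as recommended"
fi
rm -rf "$demo_dir"
```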

