tomcat-users mailing list archives

From Peter Stavrinides <>
Subject Re: Tomcat 5 and 6 Security advise
Date Thu, 26 Jul 2007 13:36:48 GMT
Thanks Chuck,

I have done most of these, I already run Tomcat as a daemon using a 
non-privileged account, and use a JDBC realm to authenticate users. I 
will check for any loose ends like connectors in the config files.


Caldarale, Charles R wrote:
>> From: Peter Stavrinides [] 
>> Subject: Re: Tomcat 5 and 6 Security advise
>> and nothing is mentioned about the benefits of 
>> running Apache with Tomcat for securing Tomcat
>> in a purely Java environment
> Adding layers generally doesn't improve security - it just provides
> additional targets.
> Some things to do:
> 1) Browse through the server.xml and web.xml settings in Tomcat's conf
> directory, and disable anything you don't need, especially connectors.
> 2) Remove any unneeded webapps that come with Tomcat, such as the
> examples, docs, and webdav.
> 3) Use a proper authentication Realm, not the toy default one that keeps
> credentials in the tomcat-users.xml file.
> 4) Restrict access to Tomcat's file structure to a specific userid, and
> run Tomcat with that userid.
> I'm not aware of any security vulnerabilities in current Tomcat levels
> other than the rather minor cross-scripting ones inherent in some of the
> examples.
>  - Chuck

Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 
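A small audit script covering Chuck's points 1 to 3 above (surplus connectors, bundled webapps, file-backed realm). This is an added example, not code from either poster or from the Tomcat project; the server.xml fragment and the webapps listing are constructed samples modelled on Tomcat 5/6 defaults.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment resembling a stock Tomcat 5/6 install.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" />
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed listing of the webapps/ directory.
SAMPLE_WEBAPPS = ["ROOT", "docs", "examples", "manager", "webdav", "myapp"]

# Realm classes that read credentials from conf/tomcat-users.xml (point 3).
FILE_BACKED_REALMS = {
    "org.apache.catalina.realm.MemoryRealm",
    "org.apache.catalina.realm.UserDatabaseRealm",
}

# Webapps shipped with Tomcat that the thread recommends removing (point 2).
BUNDLED_WEBAPPS = {"docs", "examples", "webdav"}


def audit_server_xml(xml_text, allowed_ports):
    """Return findings for connectors outside allowed_ports and for
    realms that keep credentials in tomcat-users.xml (points 1 and 3)."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = int(conn.get("port"))
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat default when omitted
        if port not in allowed_ports:
            findings.append(f"connector {proto} on port {port} is not in the allow-list")
    for realm in root.iter("Realm"):
        cls = realm.get("className", "")
        if cls in FILE_BACKED_REALMS:
            findings.append(f"realm {cls} keeps credentials in tomcat-users.xml")
    return findings


def audit_webapps(names):
    """Return the bundled webapps still deployed (point 2), sorted."""
    return sorted(n for n in names if n in BUNDLED_WEBAPPS)


if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML, {8080}) + audit_webapps(SAMPLE_WEBAPPS):
        print("FINDING:", f)
```

Point the script at the real conf/server.xml and webapps/ listing instead of the samples; point 4 (file ownership and the runtime userid) is a filesystem check and is not covered here.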

