tomcat-users mailing list archives

From Peter Stavrinides <p.stavrini...@albourne.com>
Subject Re: Tomcat 5 and 6 Security advise
Date Thu, 26 Jul 2007 13:36:48 GMT
Thanks Chuck,

I have done most of these, I already run Tomcat as a daemon using a 
non-privileged account, and use a JDBC realm to authenticate users. I 
will check for any loose ends like connectors in the config files.

Peter

Caldarale, Charles R wrote:
>> From: Peter Stavrinides [mailto:p.stavrinides@albourne.com] 
>> Subject: Re: Tomcat 5 and 6 Security advise
>>
>> and nothing is mentioned about the benefits of 
>> running Apache with Tomcat for securing Tomcat
>> in a purely Java environment
>>     
>
> Adding layers generally doesn't improve security - it just provides
> additional targets.
>
> Some things to do:
>
> 1) Browse through the server.xml and web.xml settings in Tomcat's conf
> directory, and disable anything you don't need, especially connectors.
>
> 2) Remove any unneeded webapps that come with Tomcat, such as the
> examples, docs, and webdav.
>
> 3) Use a proper authentication Realm, not the toy default one that keeps
> credentials in the tomcat-users.xml file.
>
> 4) Restrict access to Tomcat's file structure to a specific userid, and
> run Tomcat with that userid.
>
> I'm not aware of any security vulnerabilities in current Tomcat levels
> other than the rather minor cross-scripting ones inherent in some of the
> examples.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>   

-- 
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652 

If you are not an intended recipient of this e-mail, please notify the sender, delete it and
do not read, act upon, print, disclose, copy, retain or redistribute it. Please visit http://www.albourne.com/email.html
for important additional terms relating to this e-mail. 
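Points 1 to 3 of Chuck's list, as an added shell audit that is not part of this thread: it reads a CATALINA_HOME (standard conf/server.xml and webapps/ layout assumed) and reports live connectors, a Realm backed by tomcat-users.xml, and bundled webapps left deployed. The sample install it checks is constructed in a temp directory; the webapp names beyond the three in the post (jsp-examples, servlets-examples, tomcat-docs) are the Tomcat 5.5 equivalents, and point 4 (file ownership and the service account) is left to ls and ps.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Tomcat 5/6 CATALINA_HOME (assumed
# standard layout) for live connectors, a tomcat-users.xml Realm, leftover bundled webapps.

# Join server.xml into one record and drop <!-- ... --> blocks, so a connector
# that is merely commented out is not reported as enabled.
strip_xml_comments() {
  awk '{ buf = buf $0 " " }
       END { gsub(/<!--([^-]|-[^-])*-->/, "", buf); printf "%s\n", buf }' "$1"
}

# Ports of Connector elements that are actually live.
active_connector_ports() {
  strip_xml_comments "$1" | grep -o '<Connector[^>]*' |
    sed -n 's/.*port="\([0-9]*\)".*/\1/p' | sort -u
}

# Realms that read tomcat-users.xml: the "toy" default the post says to replace.
file_backed_realms() {
  strip_xml_comments "$1" | grep -o '<Realm[^>]*' |
    sed -n 's/.*className="\([^"]*\)".*/\1/p' | grep -E 'MemoryRealm|UserDatabaseRealm'
}

# Bundled webapps still present (names from the post plus Tomcat 5.5 equivalents).
leftover_bundled_webapps() {
  for app in examples docs webdav jsp-examples servlets-examples tomcat-docs; do
    if [ -d "$1/$app" ]; then echo "$app"; fi
  done
  return 0
}

# Constructed sample install: live HTTP and AJP connectors, a commented-out SSL
# connector, the default UserDatabaseRealm, and the examples app still deployed.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/conf" "$demo_home/webapps/ROOT" "$demo_home/webapps/examples"
cat > "$demo_home/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- <Connector port="8443" SSLEnabled="true" /> -->
    <Connector port="8009" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
    </Engine>
  </Service>
</Server>
EOF
echo "live connector ports: $(active_connector_ports "$demo_home/conf/server.xml" | tr '\n' ' ')"
echo "file-backed realms:   $(file_backed_realms "$demo_home/conf/server.xml")"
echo "bundled webapps left: $(leftover_bundled_webapps "$demo_home/webapps" | tr '\n' ' ')"
```

Point the three functions at a real CATALINA_HOME to get the same report for a live install; a commented-out connector, as in the sample, is correctly not listed.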



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org