tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Caldarale, Charles R" <>
Subject RE: Tomcat 5 and 6 Security advise
Date Thu, 26 Jul 2007 13:22:05 GMT
> From: Peter Stavrinides [] 
> Subject: Re: Tomcat 5 and 6 Security advise
> and nothing is mentioned about the benefits of 
> running Apache with Tomcat for securing Tomcat
> in a purely Java environment

Adding layers generally doesn't improve security - it just provides
additional targets.

Some things to do:

1) Browse through the server.xml and web.xml settings in Tomcat's conf
directory, and disable anything you don't need, especially connectors.

2) Remove any uneeded webapps that come with Tomcat, such as the
examples, docs, and webdav.

3) Use a proper authentication Realm, not the toy default one that keeps
credentials in the tomcat-users.xml file.

4) Restrict access to Tomcat's file structure to a specific userid, and
run Tomcat with that userid.

I'm not aware of any security vulnerabilities in current Tomcat levels
other than the rather minor cross-scripting ones inherent in some of the

 - Chuck

MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message