tomcat-users mailing list archives

From jwklomp <>
Subject Tomcat 6: what are the risks of not using Security Manager
Date Wed, 14 Dec 2011 09:05:24 GMT


I'm migrating existing applications to Tomcat and setting Tomcat up as
described in the 'Security Configuration Benchmark for Apache Tomcat
5.5/6.0' of the Center for Internet Security.

The benchmark recommends enabling the Security Manager. However, I'm
experiencing that none of the apps run 'out of the box' with the Security
Manager enabled. I'm contemplating not activating it, but find it hard to
estimate the risk.

Our Security department is worried that without the Security Manager
enabled, hackers can gain access to restricted packages, take control over
Tomcat and 'hop' to other applications and machines (so basically this would
imply activating the Security Manager for all applications).

My question is: how secure is Tomcat without the Security Manager enabled
(assuming other points from the CIS benchmark have been implemented)? Is the
Security Manager the guard against 'hopping' to other applications, or does
Tomcat without the Security Manager already prevent this?

Regards, Jan-Willem
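A common reason apps fail 'out of the box' under the Security Manager is that conf/catalina.policy does not yet grant them the file and socket permissions they need. The script below is an added example, not part of the original message or of Tomcat itself: it reduces the AccessControlException lines that the Security Manager logs (Tomcat started with `catalina.sh start -security`) to a per-webapp grant block. The sample log lines, the webapp name `app1`, the paths and the host `db.example.com` are constructed, and the script assumes the JDK 6/7 message format `access denied (class target actions)`.

```shell
#!/bin/sh
# Constructed sample of catalina.out lines in the JDK 6/7 message format
# (not output from the poster's system).
SAMPLE_LOG='java.security.AccessControlException: access denied (java.io.FilePermission /opt/tomcat/webapps/app1/WEB-INF/data/report.txt read)
java.security.AccessControlException: access denied (java.net.SocketPermission db.example.com:5432 connect,resolve)
java.security.AccessControlException: access denied (java.io.FilePermission /opt/tomcat/webapps/app1/WEB-INF/data/report.txt read)
INFO: Server startup in 1234 ms'

# Reduce AccessControlException lines to unique "permission" entries,
# ready to paste into a grant block in conf/catalina.policy.
policy_from_log() {
  printf '%s\n' "$1" |
    sed -n 's/.*access denied (\([^ ]*\) \([^ ]*\) \([^)]*\)).*/    permission \1 "\2", "\3";/p' |
    sort -u
}

# Wrap the entries in a grant block scoped to one webapp's codeBase, so a
# permission needed by app1 is not handed to every other webapp on the server.
grant_block() {
  app="$1"; log="$2"
  printf 'grant codeBase "file:${catalina.base}/webapps/%s/-" {\n' "$app"
  policy_from_log "$log"
  printf '};\n'
}

grant_block app1 "$SAMPLE_LOG"
```

Review each generated line before adding it: a permission that looks too broad (for example a FilePermission on `/-`) points at something the application should be fixed to not need, rather than something to grant.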