Chapter 14. Tomcat Security

Perhaps no topic in the computing industry receives more emphasis than security, and for good reason. As network computing enters the twenty-first century, it is clearer than ever that the Internet is not a safe place. Attacks can be simple pranks (such as defacing a Web site), or take much more serious forms, such as industrial espionage, sabotage, or the theft of consumer information. System administrators must take many steps to secure network-exposed systems and services (such as Tomcat) against such aggressions.

This chapter covers topics relating directly to the security of your Tomcat server and applications running on it, including:

  • Verifying initial download integrity

  • Securing Tomcat against common attacks

  • Running Tomcat with an unprivileged user account

  • Locking down the file system

  • Limiting access to Web applications with authentication Realms

  • Turning off DefaultServlet directory listing capability

  • Guarding against default web.xml configuration vulnerability

  • Encrypting communications between Tomcat and application clients with SSL

The discussion of security issues surrounding the Tomcat server and applications is not entirely platform-agnostic. However, this chapter does not attempt to provide platform-specific instructions for all operating systems. Where appropriate, specific instructions are provided for Windows 2003/XP and Linux operating systems. Despite some pockets of platform-specificity, the principles shared in this chapter are applicable to ...
