Thanks Peter.
On Thu, 24 Feb 2005 07:59:59 +1100, Peter Johnson <[EMAIL PROTECTED]> wrote:
> I haven't really come across hardening documents for Tomcat or any Java
> container for that matter. That is probably because Java by design is
> relatively secure as it runs within a virtual machine so it isn't
> possible to escape code etc and break out into the OS kernel space.
>
> So basically run Tomcat as a specific user and tune the filesystem
> parameters to only allow access to the resources it needs (standard
> approach for every app, Java or not). Now focus all your attention on the
> application code (not Tomcat but the webapp): make sure all database
> interactions are escaped properly etc etc etc.
>
> One thing to look out for would be the use of JNI, i.e. native calls. I'm
> not sure if there is a way of preventing someone from packaging a .so in
> a WAR and then loading it into the app via code to bypass the lack of
> LD_LIBRARY_PATH (on *nix).
>
> The authentication / authorisation stuff (e.g. realms) is all to do with
> access to webapps.
>
> If you come across anything else I would be interested to know about it,
> especially if it is to do with securing Java in general.
>
> PJ
>
> Patrick Lacson wrote:
>
> > Specifically authoritative articles on how to do this would be
> > greatly appreciated.
> >
> > On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson <[EMAIL PROTECTED]> wrote:
> >
> > > Does anybody have any links/documents on how to harden tomcat?
> > >
> > > thanks,
> > > --
> > > Patrick
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

--
Patrick
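A worked form of the "run Tomcat as a specific user and tune the filesystem parameters to only allow access to the resources it needs" advice in the quoted reply, added here as an example and not code from the thread or from the Tomcat project. It assumes a standard CATALINA_HOME layout (bin, conf, logs, temp, work, webapps), an install owned by root with the service account in a dedicated group, and a service user called tomcat; the demo tree it builds is constructed for the example.

```shell
#!/bin/sh
# Added example: lock down a Tomcat install tree for a dedicated service
# account. Assumed layout: bin/ conf/ logs/ temp/ work/ webapps/ under
# CATALINA_HOME; install owned by root, group = the service account.

# Make the install tree read-only for the service account except the
# directories Tomcat must write at runtime.
#   $1 = CATALINA_HOME, $2 = service user/group (default: tomcat)
harden_catalina_home() {
  home="$1"
  svc="${2:-tomcat}"

  # Ownership can only be changed by root; the chmod rules below still
  # apply when run as the install owner.
  if [ "$(id -u)" -eq 0 ]; then
    chown -R root:"$svc" "$home"
  fi

  # Baseline: owner rw, group (service account) read-only, world nothing.
  find "$home" -type d -exec chmod 750 {} +
  find "$home" -type f -exec chmod 640 {} +

  # Startup scripts must stay executable by the service account.
  [ -d "$home/bin" ] && find "$home/bin" -name '*.sh' -exec chmod 750 {} +

  # Only these need to be writable at runtime. webapps/ is deliberately
  # left read-only: deploy as root, or open it up only if you auto-deploy.
  for d in logs temp work; do
    [ -d "$home/$d" ] && chmod 770 "$home/$d"
  done
  return 0
}

# Check: report anything under $1 that "other" can write to.
# Prints offenders and returns 1 if any exist, 0 if the tree is clean.
audit_world_writable() {
  offenders=$(find "$1" ! -type l -perm -002)
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders"
    return 1
  fi
  return 0
}

# Constructed demo tree standing in for a real CATALINA_HOME, with the
# kind of sloppy permissions a quick "chmod 777 to make it work" leaves.
make_demo_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/bin" "$dir/conf" "$dir/logs" "$dir/temp" "$dir/work" "$dir/webapps"
  printf '#!/bin/sh\nexec java -jar bootstrap.jar "$@"\n' > "$dir/bin/catalina.sh"
  printf '<tomcat-users/>\n' > "$dir/conf/tomcat-users.xml"
  printf '<Server/>\n' > "$dir/conf/server.xml"
  chmod 777 "$dir/webapps"
  chmod 666 "$dir/conf/tomcat-users.xml"
  printf '%s\n' "$dir"
}

# Demo run. $(id -gn) is used as the group so this works without a real
# tomcat account; on a server pass "tomcat" and the real CATALINA_HOME.
demo=$(make_demo_tree)
echo "before hardening, world-writable entries:"
audit_world_writable "$demo" || true
harden_catalina_home "$demo" "$(id -gn)"
echo "after hardening:"
audit_world_writable "$demo" && echo "no world-writable entries under $demo"
rm -rf "$demo"
```

Run it as root against the real install so the chown takes effect; as a non-root install owner it still strips group/world write bits. The audit function is the check to keep in a cron job or CI step, since a later WAR deploy or a hurried fix is the usual way the write bits creep back.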