Hi,

My beginners' guide is here (for tomcat on linux), it covers

Running not as root.
Restricting the permissions of the tomcat directories.

http://www.mythic-beasts.com/support/topic_vds_java.html

I'd also recommend removing all the management utilities from the
web-based front end and a completely fascist host firewall that denies
everything but port 80 / 22.

Pete Stevens

On Thu, 24 Feb 2005, Patrick Lacson wrote:

> Thanks Peter.
>
> On Thu, 24 Feb 2005 07:59:59 +1100, Peter Johnson <[EMAIL PROTECTED]> wrote:
> > I haven't really come across hardening documents for Tomcat or any Java
> > container for that matter. That is probably because Java by design is
> > relatively secure as it runs within a virtual machine so it isn't
> > possible to escape code etc and break out into the OS kernel space.
> >
> > So basically run Tomcat as a specific user and tune the filesystem
> > parameters to only allow access to the resources it needs (standard
> > approach for every app Java or not). Now focus all your attention on the
> > application code (not Tomcat but the webapp) make sure all database
> > interactions are escaped properly etc etc etc
> >
> > One thing to look out for would be the use of JNI i.e. native calls. I'm
> > not sure if there is a way of preventing someone from packaging a .so in
> > a WAR and then loading it into the app via code to bypass the lack of
> > LD_LIBRARY_PATH (on *nix).
> >
> > The authentication / authorisation stuff (e.g. realms) is all to do with
> > access to webapps.
> >
> > If you come across anything else I would be interested to know about it,
> > especially if it is to do with securing Java in general.
> >
> > PJ
> >
> > Patrick Lacson wrote:
> >
> > >Specifically authoritative articles on how to do this.. would be
> > >greatly appreciated.
> > >
> > >On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson <[EMAIL PROTECTED]>
> > >wrote:
> > >
> > >>Does anybody have any links/documents on how to harden tomcat?
> > >>
> > >>thanks,
> > >>--
> > >>Patrick
>
> --
> Patrick

--
Pete Stevens
[EMAIL PROTECTED]
http://www.ex-parrot.com/~pete/

Always buy a lottery ticket on a Friday or Saturday, otherwise you're more likely to be run over than claim the prize.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
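The four hardening points raised in this thread (do not run Tomcat as root, restrict the permissions of the Tomcat tree, remove the management web applications, and a host firewall that allows only ports 22 and 80) as one shell script. This is an added example written for this page, not code from the thread, from Pete's guide, or from the Tomcat project. The script works on a constructed scratch copy of a Tomcat install so it can be run without a real server; the layout (webapps/, conf/, bin/), the web-app names it deletes, the service user name `tomcat`, and the assumption that Tomcat listens on 8080 are all assumptions, and it expects GNU `find`, `stat` and `iptables-restore` syntax.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes a Linux host with
# GNU find/stat; CATALINA_HOME layout, web-app names and the 'tomcat' user
# are assumptions.

# 1. Refuse to proceed if the account that will run Tomcat is root.
check_service_user() {
    user="$1"
    if [ "$user" = "root" ] || [ "$(id -u "$user" 2>/dev/null)" = "0" ]; then
        echo "refusing: tomcat must not run as root" >&2
        return 1
    fi
    return 0
}

# 2. Drop the management utilities from the web front end (names assumed:
#    manager, host-manager and the older admin web app).
remove_management_webapps() {
    home="$1"
    for app in manager host-manager admin; do
        rm -rf "$home/webapps/$app"
    done
}

# 3. Restrict the tree: directories 750, files 640, start scripts 750.
#    Ownership (chown to the service user) is left to the installer because
#    it needs root; this only removes access for "other".
restrict_permissions() {
    home="$1"
    find "$home" -type d -exec chmod 750 {} +
    find "$home" -type f -exec chmod 640 {} +
    find "$home/bin" -type f -name '*.sh' -exec chmod 750 {} +
}

# Returns 0 when nothing under $home grants read, write or execute to "other".
verify_no_world_access() {
    home="$1"
    bad=$(find "$home" -perm /o+rwx | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# 4. Deny-by-default INPUT policy for iptables-restore: loopback, established
#    traffic, SSH and HTTP only. Because a non-root Tomcat cannot bind port
#    80, port 80 is redirected to the assumed connector port 8080.
firewall_rules() {
    cat <<'EOF'
*nat
-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

# Constructed scratch install in a deliberately sloppy (world-writable) state
# so the functions above have something to fix when run offline.
make_scratch_install() {
    home=$(mktemp -d)
    mkdir -p "$home/webapps/manager" "$home/webapps/host-manager" \
             "$home/webapps/myapp" "$home/conf" "$home/bin" "$home/logs"
    echo '<tomcat-users/>' > "$home/conf/tomcat-users.xml"
    echo '#!/bin/sh' > "$home/bin/startup.sh"
    chmod -R a+rwX "$home"
    echo "$home"
}

# Apply all steps; returns non-zero if the user is root or world access remains.
harden() {
    home="$1"; user="$2"
    check_service_user "$user" || return 1
    remove_management_webapps "$home"
    restrict_permissions "$home"
    verify_no_world_access "$home"
}
```

Run it as `H=$(make_scratch_install); harden "$H" tomcat && firewall_rules` to see the hardened scratch tree and the ruleset; on a real host you would point `harden` at `$CATALINA_HOME` and feed `firewall_rules` to `iptables-restore` after checking that port 22 is really the one your SSH daemon listens on. The REDIRECT rule exists only because the thread's "deny everything but 80 / 22" has to coexist with "not as root": an unprivileged Tomcat listens above 1024, so something must forward 80 to it.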