Run Tomcat with the Java SecurityManager (-security startup option) and only grant the minimum permissions necessary to your webapp. See the Security Manager HOWTO in the Tomcat docs.
Glenn Anderson, M. Paul wrote:
I am preparing to launch my first web site utilizing an Apache/Tomcat configuration. The server will host a single web site, at least for now that uses servlets and jsp with a database backend. I have set up the Apache and Tomcat as discussed in the documentation with much help from people on this list. Now my question concerns whether or not I need to do anything in Apache or Tomcat to protect my site beyond what Apache and Tomcat are already set up to do. How secure can I truly expect my site to be using Apache and Tomcat as is? -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
-- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
