Thanks Chuck,

I have done most of these; I already run Tomcat as a daemon using a non-privileged account, and use a JDBC realm to authenticate users. I will check for any loose ends like connectors in the config files.

Peter

Caldarale, Charles R wrote:
From: Peter Stavrinides [mailto:[EMAIL PROTECTED]
Subject: Re: Tomcat 5 and 6 Security advise

and nothing is mentioned about the benefits of running Apache with Tomcat for securing Tomcat
in a purely Java environment

Adding layers generally doesn't improve security - it just provides
additional targets.

Some things to do:

1) Browse through the server.xml and web.xml settings in Tomcat's conf
directory, and disable anything you don't need, especially connectors.

2) Remove any unneeded webapps that come with Tomcat, such as the
examples, docs, and webdav.

3) Use a proper authentication Realm, not the toy default one that keeps
credentials in the tomcat-users.xml file.

4) Restrict access to Tomcat's file structure to a specific userid, and
run Tomcat with that userid.

I'm not aware of any security vulnerabilities in current Tomcat levels
other than the rather minor cross-scripting ones inherent in some of the
examples.

 - Chuck



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


--
Peter Stavrinides
Albourne Partners (Cyprus) Ltd
Tel: +357 22 750652


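Chuck's four points, turned into a read-only audit script. This is an added example, not code from the thread or from the Tomcat project; it assumes a CATALINA_HOME-style layout (conf/server.xml, webapps/) and builds a constructed, near-default sample install in a temporary directory so it runs offline. The manager/host-manager entries, the shutdown-port check and the file-permission check go slightly beyond Chuck's list; the last one matters for Peter's setup in particular, because a JDBC realm puts database credentials in server.xml.

```shell
#!/bin/sh
# Added example: audit a Tomcat install against the hardening points above.
# Nothing is modified; findings are printed and counted.
# Assumed (hypothetical) layout: $1/conf/server.xml and $1/webapps/.

# Join server.xml onto one line and drop XML comments, so that a Connector
# that was "disabled" by commenting it out is not reported as live.
strip_xml_comments() {
  tr '\n' ' ' | awk '{
    s = $0
    while (match(s, /<!--/)) {
      head = substr(s, 1, RSTART - 1); rest = substr(s, RSTART)
      if (!match(rest, /-->/)) break
      s = head substr(rest, RSTART + 3)
    }
    print s
  }'
}

# One "port protocol" line per live <Connector>; protocol defaults to HTTP/1.1.
# The leading space in " port=" keeps redirectPort="..." from being matched.
list_connectors() {
  strip_xml_comments < "$1/conf/server.xml" | grep -o '<Connector [^>]*>' |
  while IFS= read -r el; do
    port=$(printf '%s\n' "$el" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
    proto=$(printf '%s\n' "$el" | sed -n 's/.* protocol="\([^"]*\)".*/\1/p')
    printf '%s %s\n' "$port" "${proto:-HTTP/1.1}"
  done
}

# Bundled webapps Chuck names (examples, docs, webdav), plus manager and
# host-manager, which are worth removing unless actually used (my addition).
unneeded_webapps() {
  for app in examples docs webdav manager host-manager; do
    if [ -d "$1/webapps/$app" ]; then echo "$app"; fi
  done
}

# Realms that keep credentials in conf/tomcat-users.xml.
file_backed_realms() {
  strip_xml_comments < "$1/conf/server.xml" | grep -o '<Realm [^>]*>' |
    grep -o 'className="[^"]*"' | grep -E 'UserDatabaseRealm|MemoryRealm' || true
}

# Shutdown port on <Server>; port="-1" disables the shutdown listener.
shutdown_port() {
  strip_xml_comments < "$1/conf/server.xml" | grep -o '<Server [^>]*>' |
    sed -n 's/.* port="\([^"]*\)".*/\1/p'
}

# Files under the install not owned by the Tomcat uid ($2, numeric).
files_not_owned_by() { find "$1" ! -user "$2" | wc -l | tr -d ' '; }

# Files under conf/ readable by "other". With a JDBC realm the database
# credentials sit in server.xml, so this should be zero.
world_readable_conf() { find "$1/conf" -type f -perm -004 | wc -l | tr -d ' '; }

audit_tomcat() {
  dir=$1; uid=$2; findings=0
  echo "== connectors"
  list_connectors "$dir" | while read -r port proto; do echo "  port $port $proto"; done
  ajp=$(list_connectors "$dir" | grep -c 'AJP' || true)
  if [ "$ajp" -gt 0 ]; then
    echo "  FINDING: AJP connector enabled; only needed behind mod_jk/mod_proxy_ajp"
    findings=$((findings + ajp))
  fi
  echo "== bundled webapps"
  for app in $(unneeded_webapps "$dir"); do
    echo "  FINDING: remove webapps/$app"; findings=$((findings + 1))
  done
  echo "== realm"
  for r in $(file_backed_realms "$dir"); do
    echo "  FINDING: $r keeps credentials in tomcat-users.xml; use a JDBC/JNDI realm"
    findings=$((findings + 1))
  done
  echo "== shutdown port"
  sp=$(shutdown_port "$dir")
  if [ "${sp:-unset}" != "-1" ]; then
    echo "  FINDING: shutdown port $sp is open; set port=\"-1\" unless it is needed"
    findings=$((findings + 1))
  fi
  echo "== filesystem"
  n=$(files_not_owned_by "$dir" "$uid")
  if [ "$n" -gt 0 ]; then echo "  FINDING: $n files not owned by uid $uid"; findings=$((findings + n)); fi
  n=$(world_readable_conf "$dir")
  if [ "$n" -gt 0 ]; then echo "  FINDING: $n conf files readable by other"; findings=$((findings + n)); fi
  echo "findings: $findings"
}

# Constructed sample install (not a real one): AJP still enabled, an SSL
# connector commented out, the file-backed realm, and three bundled webapps.
make_sample_install() {
  dir=$(mktemp -d)
  mkdir -p "$dir/conf" "$dir/webapps/ROOT" "$dir/webapps/examples" \
           "$dir/webapps/docs" "$dir/webapps/manager"
  cat > "$dir/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase" />
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
EOF
  chmod 644 "$dir/conf/server.xml"   # deliberately world-readable for the demo
  printf '%s\n' "$dir"
}

sample=$(make_sample_install)
audit_tomcat "$sample" "$(id -u)"
rm -rf "$sample"
```

Run it against a real install as the Tomcat account with `audit_tomcat /path/to/tomcat "$(id -u tomcat)"`; the ownership and conf-permission counts are the two checks that depend on who runs it.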
