> From: Peter Stavrinides [mailto:[EMAIL PROTECTED]
> Subject: Re: Tomcat 5 and 6 Security advise
>
> and nothing is mentioned about the benefits of
> running Apache with Tomcat for securing Tomcat
> in a purely Java environment
Adding layers generally doesn't improve security - it just provides additional targets. Some things to do:

1) Browse through the server.xml and web.xml settings in Tomcat's conf directory, and disable anything you don't need, especially connectors.

2) Remove any unneeded webapps that come with Tomcat, such as the examples, docs, and webdav.

3) Use a proper authentication Realm, not the toy default one that keeps credentials in the tomcat-users.xml file.

4) Restrict access to Tomcat's file structure to a specific userid, and run Tomcat with that userid.

I'm not aware of any security vulnerabilities in current Tomcat levels other than the rather minor cross-scripting ones inherent in some of the examples.

 - Chuck

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
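The four points in the reply above can be checked mechanically before a server goes into service. The script below is an added example, not code from the thread or from the Tomcat project: it is a read-only audit of a CATALINA_HOME directory that lists every Connector that is actually enabled in conf/server.xml (commented-out ones never reach the XML parser, so they are not reported), flags Realms that read credentials from conf/tomcat-users.xml and any users still defined there, lists bundled webapps that are still deployed, and lists files not owned by the account Tomcat is meant to run as. The CATALINA_HOME it builds in a temporary directory, and the server.xml and tomcat-users.xml contents inside it, are constructed for the demonstration; the function and variable names are the example's own. Point audit() at a real installation path to run it against a live install.

```python
"""Audit a Tomcat CATALINA_HOME against the hardening points in the reply above.
Example code, not part of the original thread or the Tomcat distribution."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Webapps shipped with the distribution that production does not need
# (the ones the reply names; extend the set for your own install).
BUNDLED_WEBAPPS = {"examples", "docs", "webdav"}

# Realm implementations that keep credentials in conf/tomcat-users.xml.
FILE_BACKED_REALMS = ("MemoryRealm", "UserDatabaseRealm")


def _elements(xml_path, name):
    """All elements whose local tag is `name`, ignoring any XML namespace
    (newer tomcat-users.xml files declare one; older ones do not)."""
    root = ET.parse(xml_path).getroot()
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == name]


def enabled_connectors(server_xml):
    """(protocol, port) for every Connector that is really active.
    Tomcat's default protocol when the attribute is absent is HTTP/1.1."""
    return [(c.get("protocol", "HTTP/1.1"), c.get("port"))
            for c in _elements(server_xml, "Connector")]


def file_backed_realms(server_xml):
    """className of each Realm that reads credentials from tomcat-users.xml."""
    return [r.get("className", "") for r in _elements(server_xml, "Realm")
            if any(name in r.get("className", "") for name in FILE_BACKED_REALMS)]


def tomcat_users_defined(tomcat_users_xml):
    """Usernames still present in conf/tomcat-users.xml (ideally none)."""
    if not os.path.exists(tomcat_users_xml):
        return []
    return [u.get("username") for u in _elements(tomcat_users_xml, "user")]


def bundled_webapps_present(webapps_dir):
    """Bundled webapps still deployed under webapps/."""
    return sorted(BUNDLED_WEBAPPS & set(os.listdir(webapps_dir)))


def not_owned_by(root, uid):
    """Paths under root whose owner is not the dedicated Tomcat account."""
    bad = []
    for dirpath, _, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            if os.lstat(path).st_uid != uid:
                bad.append(path)
    return bad


def audit(catalina_home, expected_uid=None):
    """Collect all findings; expected_uid defaults to the current user."""
    if expected_uid is None:
        expected_uid = os.getuid()
    conf = os.path.join(catalina_home, "conf")
    server_xml = os.path.join(conf, "server.xml")
    return {
        "connectors": enabled_connectors(server_xml),
        "file_backed_realms": file_backed_realms(server_xml),
        "tomcat_users": tomcat_users_defined(os.path.join(conf, "tomcat-users.xml")),
        "bundled_webapps": bundled_webapps_present(os.path.join(catalina_home, "webapps")),
        "wrong_owner": not_owned_by(catalina_home, expected_uid),
    }


# Constructed sample configuration: two live connectors, one commented out,
# and the file-backed UserDatabaseRealm that a stock install uses.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <!-- disabled: <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample credentials file with one leftover account.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="admin"/>
  <user username="tomcat" password="example-only" roles="admin"/>
</tomcat-users>
"""


def build_sample_home():
    """Create a throwaway CATALINA_HOME layout for the demonstration."""
    home = tempfile.mkdtemp(prefix="catalina_home_")
    os.makedirs(os.path.join(home, "conf"))
    for app in ("ROOT", "examples", "docs", "myapp"):
        os.makedirs(os.path.join(home, "webapps", app))
    with open(os.path.join(home, "conf", "server.xml"), "w") as f:
        f.write(SAMPLE_SERVER_XML)
    with open(os.path.join(home, "conf", "tomcat-users.xml"), "w") as f:
        f.write(SAMPLE_TOMCAT_USERS)
    return home


if __name__ == "__main__":
    for key, value in audit(build_sample_home()).items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows the AJP connector on 8009 still open, the UserDatabaseRealm in use with a "tomcat" user defined, and the examples and docs webapps deployed; the commented-out 8443 connector is correctly absent. Each non-empty finding corresponds to one of the four steps in the reply.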