What steps should I take to secure Tomcat 6.x?
Posted
by
PAS
on Server Fault
See other posts from Server Fault
or by PAS
Published on 2009-07-21T20:41:22Z
Indexed on
2010/12/29
7:55 UTC
Read the original article
Hit count: 197
I am in the process of setting up an new Tomcat deployment, and want it to be as secure as possible.
I have created a 'jakarta' user and have jsvc running Tomcat as a daemon. Any tips on directory permissions and such to limit access to Tomcat's files?
I know I will need to remove the default webapps - docs, examples, etc... are there any best practices I should be using here? What about all the config XML files? Any tips there?
Is it worth enabling the Security manager so that webapps run in a sandbox? Has anyone had experience setting this up?
I have seen examples of people running two instances of Tomcat behind Apache. It seems this can be done using mod_jk or with mod_proxy... any pros/cons of either? Is it worth the trouble?
In case it matters, the OS is Debian lenny. I am not using apt-get because lenny only offers tomcat 5.5 and we require 6.x.
Thanks!
© Server Fault or respective owner