What steps should I take to secure Tomcat 6.x?

Posted by PAS on Server Fault
Published on 2009-07-21T20:41:22Z Indexed on 2010/12/29 7:55 UTC

I am in the process of setting up a new Tomcat deployment, and want it to be as secure as possible.

I have created a 'jakarta' user and have jsvc running Tomcat as a daemon. Any tips on directory permissions and such to limit access to Tomcat's files?

I know I will need to remove the default webapps - docs, examples, etc... are there any best practices I should be using here? What about all the config XML files? Any tips there?

Is it worth enabling the Security manager so that webapps run in a sandbox? Has anyone had experience setting this up?

I have seen examples of people running two instances of Tomcat behind Apache. It seems this can be done using mod_jk or with mod_proxy... any pros/cons of either? Is it worth the trouble?

In case it matters, the OS is Debian lenny. I am not using apt-get because lenny only offers tomcat 5.5 and we require 6.x.

Thanks!
