Neil Jones <castellan2004-email@yahoo.com> said:
>I am new to Tomcat Java App server. Is there any checklist for Tomcat
>to ensure that it is configured securely?
Haven't come across one -- but then, haven't been looking for one.
>Any help appreciated.
I think the first would be: don't run Tomcat as root. So, whatever happens,
initially the intruder would only have access rights of the account that
is used to run Tomcat. However, if you must have Tomcat at port 80, then
you'll need to do some extra work to accomplish that (either, allow
non-root binding of port 80, or create an iptables forward from port 80
to your real Tomcat port - and perhaps prohibit external connections
to your real Tomcat port).
Then, if you have proper control on what you run with Tomcat, and really
undrstand your application code, you could start setting up the Java
security policy for your application; for more info, see:
http://tomcat.apache.org/tomcat-5.5-...ger-howto.html
.... so, f.ex. you could prohibit a certain codebase from performing any
file operations.
However, the crux of the issue really is that the applications you run
on top of Tomcat are secure.
Unless you're already familiar with the OWASP initiative, take a look
at their web pages at
http://www.owasp.org/ - especially their "Top Ten"
list at
http://www.owasp.org/index.php/OWASP_Top_Ten_Project .
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
Tomcat secure configuration 
Linear Mode
