Perhaps no topic in the computing industry receives more emphasis than security, and for good reason. As network computing enters the twenty-first century, it is clearer than ever that the Internet is not a safe place. Attacks can be simple pranks (such as defacing a Web site) or take much more serious forms, such as industrial espionage, sabotage, or the theft of consumer information. System administrators must take many steps to secure network-exposed systems and services (such as Tomcat) against such attacks.
This chapter covers topics relating directly to the security of your Tomcat server and applications running on it, including:
Verifying initial download integrity
Securing Tomcat against common attacks
Running Tomcat with an unprivileged user account
Locking down the file system
Limiting access to Web applications with authentication Realms
Guarding against the default web.xml configuration vulnerability (the DefaultServlet directory listing capability)
Encrypting communications between Tomcat and application clients with SSL
The discussion of security issues surrounding the Tomcat server and applications is not entirely platform-agnostic. However, this chapter does not attempt to provide platform-specific instructions for all operating systems. Where appropriate, specific instructions are provided for Windows 2003/XP and Linux operating systems. Despite some pockets of platform-specificity, the principles shared in this chapter are applicable to ...