Tomcat secure configuration

on 01.11.2006 12:01:43 by Neil Jones

I am new to Tomcat Java App server. Is there any checklist for Tomcat
to ensure that it is configured securely?

Any help appreciated.

Thank you in advance.

N J

Re: Tomcat secure configuration

on 05.11.2006 20:42:03 by Juha Laiho

Neil Jones said:
>I am new to Tomcat Java App server. Is there any checklist for Tomcat
>to ensure that it is configured securely?

Haven't come across one -- but then, haven't been looking for one.

>Any help appreciated.

I think the first would be: don't run Tomcat as root. So, whatever happens,
initially the intruder would only have access rights of the account that
is used to run Tomcat. However, if you must have Tomcat at port 80, then
you'll need to do some extra work to accomplish that (either, allow
non-root binding of port 80, or create an iptables forward from port 80
to your real Tomcat port - and perhaps prohibit external connections
to your real Tomcat port).

Then, if you have proper control on what you run with Tomcat, and really
understand your application code, you could start setting up the Java
security policy for your application; for more info, see:
http://tomcat.apache.org/tomcat-5.5-doc/security-manager-howto.html

.... so, f.ex. you could prohibit a certain codebase from performing any
file operations.

However, the crux of the issue really is that the applications you run
on top of Tomcat are secure.

Unless you're already familiar with the OWASP initiative, take a look
at their web pages at http://www.owasp.org/ - especially their "Top Ten"
list at http://www.owasp.org/index.php/OWASP_Top_Ten_Project .
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
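As an added example (not code from the thread or from the Tomcat project), here is a small POSIX shell audit helper that checks the three points raised in the reply above: no Tomcat JVM running as root, port 80 forwarded to the real Tomcat port with an iptables REDIRECT, and the Java security manager enabled. It assumes Linux with iptables and a Tomcat started via catalina.sh (whose JVM main class is org.apache.catalina.startup.Bootstrap); each check reads the relevant tool output from stdin so it can be tried offline on sample lines.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. Assumptions: Linux,
# iptables, Tomcat launched through catalina.sh so the JVM command line
# contains org.apache.catalina.startup.Bootstrap.

# Input: lines of "user pid args" as printed by: ps -eo user,pid,args
# Returns 1 if any Tomcat JVM is owned by root, 0 otherwise.
tomcat_not_root() {
    awk '$1 == "root" && /org\.apache\.catalina\.startup\.Bootstrap/ { asroot = 1 }
         END { exit asroot ? 1 : 0 }'
}

# Same input. Returns 0 only if at least one Tomcat JVM was seen and every
# one of them carries -Djava.security.manager (what "catalina.sh start
# -security" adds alongside -Djava.security.policy=conf/catalina.policy).
security_manager_enabled() {
    awk '/org\.apache\.catalina\.startup\.Bootstrap/ {
             seen = 1
             if ($0 !~ /-Djava\.security\.manager/) missing = 1
         }
         END { exit (seen && !missing) ? 0 : 1 }'
}

# Input: output of "iptables-save -t nat". Returns 0 if a PREROUTING rule
# redirects TCP port 80 to the Tomcat connector port given as $1.
# The space after "80" keeps "--dport 8080" from matching.
port80_redirected() {
    port=${1:-8080}
    grep -Eq -- "^-A PREROUTING .*--dport 80 .*-j REDIRECT --to-ports ${port}( |$)"
}

# Run all three checks on the live system (iptables-save needs root).
# TOMCAT_PORT overrides the assumed connector port 8080.
run_live() {
    rc=0
    ps -eo user,pid,args | tomcat_not_root \
        || { echo "FAIL: a Tomcat JVM runs as root"; rc=1; }
    ps -eo user,pid,args | security_manager_enabled \
        || { echo "FAIL: security manager not enabled on every Tomcat JVM"; rc=1; }
    iptables-save -t nat | port80_redirected "${TOMCAT_PORT:-8080}" \
        || { echo "FAIL: no port 80 -> ${TOMCAT_PORT:-8080} REDIRECT rule"; rc=1; }
    return $rc
}

# Only touch the live system when explicitly asked: ./tomcat-audit.sh --live
if [ "${1:-}" = "--live" ]; then run_live; fi
```

Run it as a non-root user first to see the ps-based checks; the iptables check needs root.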