Apache Tomcat is a robust application server that includes many features available right out of the box. However, just because these features and settings are available right away doesn’t mean that your Tomcat server is ready for production. Before you go to production, you need to perform thorough tuning and security hardening to ensure your Tomcat server is secure.
There are many ways to improve Apache Tomcat security, and this blog is no replacement for a thorough dive into the possible ways in which you can do so. However, the tips below are a good starting point for people interested in hardening their Tomcat server deployment. Let's get started with an easy one.
First and foremost, do not run Tomcat as the root user. Creating a dedicated user with the minimum OS permissions it needs, and running the Tomcat server as that user, should be the first thing you do.
Tomcat also ships with default sample and test applications. These samples are known to contain vulnerabilities of their own and should be removed from your environment.
The Tomcat installation itself should have only the file-system permissions it needs, so that the damage is limited should your server ever be hijacked.
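As an added example (not code from this post, from OpenLogic or from the Tomcat project), the Python script below checks an install tree for the two things just described: leftover sample webapps, and top-level directories the service user could write to. It assumes the standard CATALINA_HOME layout; the `tomcat` account name in the stand-alone section is an assumption for the example.

```python
"""Audit and clean up a Tomcat install tree: strip the sample webapps and
verify that the service user can write only where it must.
Example code added to this post, not OpenLogic's or Tomcat's own tooling;
directory names follow the standard CATALINA_HOME layout (assumption)."""
import os
import shutil
import stat
from pathlib import Path

# Webapps that ship with the distribution and have no place in production.
# The manager apps are a separate decision, so they are not touched here.
SAMPLE_WEBAPPS = ("examples", "docs", "ROOT")

# The only top-level directories Tomcat needs to write to at runtime.
WRITABLE_BY_SERVICE = ("logs", "temp", "work")


def find_sample_webapps(catalina_home):
    """Names of sample webapps still present under webapps/ (dir or .war), sorted."""
    webapps = Path(catalina_home) / "webapps"
    if not webapps.is_dir():
        return []
    return sorted({p.stem for p in webapps.iterdir()
                   if p.stem in SAMPLE_WEBAPPS and p.suffix in ("", ".war")})


def remove_sample_webapps(catalina_home):
    """Delete each sample webapp, both the unpacked directory and its .war."""
    webapps = Path(catalina_home) / "webapps"
    removed = []
    for name in find_sample_webapps(catalina_home):
        unpacked = webapps / name
        if unpacked.is_dir():
            shutil.rmtree(unpacked)
        war = webapps / f"{name}.war"
        if war.exists():
            war.unlink()
        removed.append(name)
    return removed


def _writable_by(path, uid, gids):
    """Whether the mode bits let uid (member of gids) write to path. ACLs are ignored."""
    st = path.stat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_permissions(catalina_home, service_uid, service_gids=()):
    """Top-level directories the service user could modify but should not.

    Tomcat only needs logs/, temp/ and work/ to be writable. bin/, conf/, lib/
    and webapps/ should be owned by root and read-only to the service user, so a
    compromised application cannot rewrite configuration or drop new code."""
    home = Path(catalina_home)
    gids = set(service_gids)
    return [child.name for child in sorted(home.iterdir())
            if child.is_dir()
            and child.name not in WRITABLE_BY_SERVICE
            and _writable_by(child, service_uid, gids)]


if __name__ == "__main__":
    # Stand-alone use: audit the live install for a service account named "tomcat" (assumed).
    import pwd

    home = os.environ.get("CATALINA_HOME", "/opt/tomcat")
    svc = pwd.getpwnam("tomcat")
    print("sample webapps present:", find_sample_webapps(home))
    print("writable by tomcat but should not be:",
          audit_permissions(home, svc.pw_uid, {svc.pw_gid}))
```

Run it as root after setting ownership: anything `audit_permissions` reports other than the three runtime directories should be chowned back to root. The check reads mode bits only and ignores POSIX ACLs, so a clean result is a first pass, not proof.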
Disabling support for TRACE requests prevents browsers from being exposed to a cross-site scripting attack. To keep information about your Tomcat server from being broadcast, you will also want to disable the X-Powered-By HTTP header, which advertises details such as the version of Tomcat you are running. Both settings are controlled in the server.xml file.
POODLE was a well-publicized attack that targeted the SSLv3 protocol, so be sure to disable SSLv3 in Tomcat before you bring the server up.
Maintaining detailed logs is also key to the security of your Tomcat server and its environment. This applies to user access, application traffic, Tomcat internals, the OS and firewall, and so on.
To enable logging of request traffic in Tomcat, use the AccessLogValve component. It can be configured on an Engine, Host, or Context and creates a standard web server log file for traffic to every resource under that container. The AccessLogValve supports a variety of attributes that control the output of the valve.
The Tomcat Manager app is a built-in webapp used to manage Tomcat instances, application deployment and various other settings. For security purposes this console is disabled by default, so if you enable it, be sure to treat it appropriately.
Realms are another method of controlling access to resources in Tomcat. A Realm is a component that accesses a database of users who should have access to a given application or group of applications, along with the roles and privileges they hold within the application once logged in. The most secure of the realms is the LockOutRealm, which places a limit on the number of times a user can attempt to authenticate.
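The TRACE and X-Powered-By settings, the SSLv3 protocol list, the AccessLogValve and the LockOutRealm discussed above all live in server.xml. The following Python script, added here as an example and not part of this post, of OpenLogic's tooling or of Tomcat itself, embeds a constructed weak server.xml beside a corrected one and reports which of those settings are missing or wrong. The keystore path and the LockOutRealm thresholds in the sample are illustrative values.

```python
"""Static audit of a Tomcat server.xml for TRACE, the X-Powered-By header,
SSLv3, access logging and LockOutRealm.
Example code added to this post, not OpenLogic's or Tomcat's own tooling;
the two server.xml documents below are constructed for the example."""
import xml.etree.ElementTree as ET

LOCKOUT_REALM = "org.apache.catalina.realm.LockOutRealm"

# Constructed: a server.xml with every setting the post warns about.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" xpoweredBy="true"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>"""

# Constructed: the same server with the settings corrected.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="false" xpoweredBy="false"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm" failureCount="5" lockOutTime="300">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b %D"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


def _enabled_protocols(spec):
    """Protocol names a Tomcat protocol list enables ("-X" removes, "+X" adds)."""
    names = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token or token.startswith("-"):
            continue
        names.append(token.lstrip("+"))
    return names


def audit_server_xml(xml_text):
    """Return human-readable findings for one server.xml document."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Both attributes default to false; only an explicit "true" is a problem.
        if conn.get("allowTrace", "false").lower() == "true":
            findings.append(f"Connector {port}: TRACE requests enabled (allowTrace)")
        if conn.get("xpoweredBy", "false").lower() == "true":
            findings.append(f"Connector {port}: X-Powered-By header enabled (xpoweredBy)")
        # Protocol lists sit on the Connector (legacy attribute) or on SSLHostConfig.
        specs = [conn.get("sslEnabledProtocols", "")]
        specs += [cfg.get("protocols", "") for cfg in conn.findall("SSLHostConfig")]
        for spec in specs:
            for name in _enabled_protocols(spec):
                if name.upper() in ("SSLV2", "SSLV3"):
                    findings.append(f"Connector {port}: {name} enabled in its TLS protocol list")

    if not any(v.get("className", "").endswith(".AccessLogValve") for v in root.iter("Valve")):
        findings.append("No AccessLogValve configured: request traffic is not being logged")

    # LockOutRealm wraps another Realm; any Realm not nested inside one has no lockout.
    for realm in root.iter("Realm"):
        cls = realm.get("className", "")
        if cls == LOCKOUT_REALM:
            continue
        if parent_of[realm].get("className") != LOCKOUT_REALM:
            short = cls.rsplit(".", 1)[-1] or "Realm"
            findings.append(f"{short} is not wrapped in a LockOutRealm: failed logins are unlimited")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"{label}: {audit_server_xml(doc) or ['no findings']}")
```

The hardened document doubles as a reference: `allowTrace` and `xpoweredBy` are false by default, so the check only flags explicit true values; the `SSLHostConfig` protocols list pins TLS 1.2 and 1.3; the AccessLogValve on the Host writes one line per request, with `%D` adding the processing time; and the UserDatabaseRealm is nested inside the LockOutRealm, which is how LockOutRealm is applied in Tomcat (it wraps another Realm rather than replacing it).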
While these are some of the many ways you can secure Tomcat, there are plenty of other measures that go beyond the scope of a single blog article. We encourage all our Tomcat users to take a deep-dive approach to Tomcat security, utilizing all the resources out there.
OpenLogic provides 24/7/365 support for Tomcat and many other Apache products. Talk to an expert today to see how we can support your project, or see our available support and service offerings for Tomcat via the links below.
Associate Enterprise Architect, OpenLogic by Perforce
Andrew's areas of specialization include networking, Linux, network security including OpenSSL, and operational troubleshooting. He has been working in the industry for over seven years and is acquiring new skills every day.