Apache Tomcat Security Best Practices
Apache Tomcat is a robust application server that includes many features available right out of the box. However, just because these features and settings are available right away doesn’t mean that your Tomcat server is ready for production. Before you go to production, you need to perform thorough tuning and security hardening to ensure your Tomcat server is secure.
In this blog, we look at eight ways to improve your Tomcat security hardening, ranging from basic best practices like not running your Tomcat as the root user, to more advanced tips like using realms to control resource access. At the end of the blog, we'll wrap up with some final thoughts and then link to some related resources you should check out. Let's dive in!
Eight Tomcat Security Hardening Tips
There are many ways to improve Apache Tomcat security, and this blog is no replacement for a thorough dive into the possible ways in which you can do so. However, the tips below are a good starting point for people interested in hardening their Tomcat server deployment. Let's get started with an easy one.
1. Don’t Run Tomcat as the Root User
First and foremost, you do not want to be running tomcat as the root user. Creating a user with minimum OS permissions and running the Tomcat server as that user should be the first thing you do.
2. Remove Default Samples and Test Applications
Tomcat also comes with some default samples and test applications. These samples are known to contain some vulnerabilities of their own and should be removed from your environment.
3. Set Your Tomcat Permissions Carefully
Tomcat itself should be set to only have the necessary permissions, should your server ever be hijacked.
4. Disable Support for TRACE Requests
Disabling support for TRACE requests prevents browsers from being exposed to a cross-site scripting attack. To prevent information about your tomcat server from being broadcast, you will want to disable the X-Powered-By HTTP header. This header broadcasts information such as what version of Tomcat you’re running and other sensitive information. This can be disabled in the server.xml file.
5. Disable SSLv3 Protocols
POODLE was a well-publicized attack that targeted the SSLv3 protocols, so you’ll need to be sure to disable that in Tomcat before you get it up and running. Maintaining detailed logs is also key to ensuring your Tomcat server and environment security. This applies to user access, application traffic, Tomcat internals, the OS/firewall, etc.
6. Log Your Network Traffic
To enable logging of network traffic in Tomcat, use the AccessLogValve component. This can be configured on a host, engine, or context basis and will create a standard web server log file for traffic to any resources associated with it. The Access Log Valve supports a variety of attributes to control the output of the valve.
7. Be Careful With the Tomcat Manager App
The Tomcat Manager app is a built in webapp used to manage Tomcat instances, application deployment and other various settings. For security purposes this console is disabled by default, so if you enable it, be sure you treat it appropriately.
8. Use Realms to Control Resource Access
Realms are another method of controlling access to resources in Tomcat. Realms are components that access databases of users that should have access to a given application or group of apps and the roles and privileges they have within the application once logged in. The most secure of the realms is the LockOut realm which places a limit on the number of times a user can attempt to authenticate themselves.
See More Enterprise Apache Tomcat Best Practices
From security and resilience to performance and clustering, our Enterprise Guide to Apache Tomcat is a great resource for teams working with or considering Tomcat for their enterprise applications. Download a complementary copy via the link below.
Final Thoughts
While these are some of the many ways you can secure Tomcat, there are still plenty of other things out there that can be done which go beyond the scope of just a blog article. We encourage all our Tomcat users to take a deep dive approach to security and Tomcat, utilizing all the resources out there.
Get Support for Your Apache Integrations
OpenLogic provides 24/7/365 support for Tomcat and many other Apache products. Talk to an expert today to see how we can support your project, or see our available support and service offerings for Tomcat via the links below.
Additional Resources
- Resource Collection - Tomcat Overview
- Blog - Preparing for Your Next Tomcat Upgrade
- Blog - Tomcat Patching Best Practices
- Blog - Beginner's Guide to Tomcat Memory Configuration
- Blog - Tomcat Configuration Tips and Tricks
- Blog - 5 Apache Tomcat Performance Best Practices
- Blog - Tomcat 9 Overview: Key Features and Considerations
- Blog - Tomcat Clustering Guide
- Blog - Apache Tomcat 10: Considerations for Enterprise Deployment
- Guide - What is Enterprise Application Security?
