Tomcat Security Primer
Posted by Bladimir Fernandez on 22 March 2017 09:38 AM
Apache Tomcat Security Primer
Tomcat is one of the most widely used Java application server. More than 1 in 200 web sites are powered by Tomcat, and when considering the most active web sites on the Internet the percentage is even higher. This is because Tomcat is designed for high performance and security.
According to the official Apache Tomcat Wiki Pages: “The Apache Tomcat Security Team rates the impact of each security flaw that affects Tomcat. We've chosen a rating scale quite similar to those used by other major vendors in order to be consistent. Basically the goal of the rating system is to answer the question "How worried should I be about this vulnerability?".
Since Tomcat is built as part of a community process that involves both user and developer, most vulnerabilities (categorized as Critical, Important, Moderate and Low) are discovered by the Tomcat community itself or security researchers, and quickly patched.
The default configuration of Tomcat is secure but there are some additional steps you can take to harden the service.
This primer provides some guidance on how to implement practical restrictions and hardening to prevent unwanted access, in the following 4 areas:
Securing Apache Tomcat
chown -R tomcat:tomcat /opt/tomcat
chmod -R g+r /opt/tomcat/conf
chmod -R g+w /opt/tomcat/logs
chmod -R g+w /opt/tomcat/temp
chmod -R g+w /opt/tomcat/webapps
chmod -R g+w /opt/tomcat/work
chmod -R g+s /opt/tomcat/conf
chmod -R g+s /opt/tomcat/logs
chmod -R g+s /opt/tomcat/temp
chmod -R g+s /opt/tomcat/webapps
chmod -R g+s /opt/tomcat/work
usermod -a -G tomcat USER
If you are using a Tomcat package provided by eApps, these permissions are already set.
If you have a custom setup, make sure your tomcat is run as “tomcat” user and not “root” as it is a security risk.
If you would like to know more about each deployment configuration, then check the official documentation
In most of the scenarios, developers will use the auto-deployment feature. According to the official documentation you can use any of the deployment options above, however enabling auto deployment on a production environment is highly discouraged, Enabling this feature makes it a lot easier for an attacker to gain access to the server. Setting it to “false” will disable this feature.
If you are not sure how this is being configured, please contact eApps Support - email@example.com
If you’re deploying your applications using the Tomcat Manager, please check the next section
<Server port="8005" shutdown="SHUTDOWN">
You may set the port to a non standard number like “-1”. With this configuration tomcat can only be shutdown from the Terminal by the root or tomcat user via a "kill" command. It is always recommended to use the sysctl or init scripts for tomcat shutdown or restarts.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address=”IP_ADDRESS”/>
This might be a little complicated if you have several applications running on the same server, but it will improve the security of the app.
SecurityManager on Tomcat can protect your server from trojan servlets, JSPs, JSP beans, and tag libraries. Sometimes it can cause permission problem with your code. If you want to run sandboxed applets we recommend reviewing the official Tomcat Security Manager documentation. If you need assistance working with Security Manager please contact firstname.lastname@example.org.
In many production environments it is very useful to have the capability to manage your web applications without having to shutdown and restart Tomcat. However, for security reasons, Manager is disabled by default. Our User Guide for Tomcat includes a section for enabling the Tomcat Manager. Enabling tomcat manager is not recommended unless you strictly follow the below.
You can learn more about the Web Tomcat Manager here
Secure your OS
Securing your base OS should be the first place you start. Keep the OS updated with all the latest patches and updates.
Secure your applications
Your application security has an equal or greater role in securing the overall service. Hackers scan for known vulnerabilities on applications to gain access to the servers. Most of the DDOS attacks on tomcat applications are being performed on the following:
How to prevent these attacks?
Apache Tomcat Security Updates:
Apache Tomcat 7 Documentation
Apache Tomcat 8 Documentation
Apache Tomcat 9 Documentation
Improving Apache Tomcat Security - A Step By Step Guide
eApps Release Notes: