WebApp Sec mailing list archives

Re: Securing Tomcat


From: Stephen de Vries <stephen () corsaire com>
Date: Mon, 9 Jan 2006 14:47:25 +0700


On 7 Jan 2006, at 07:34, <oc.rynning.no () securityfocus com> wrote:

Four (obvious) points:
* Run as a non-privileged user (you might want to use a pre-emptive kernel to ensure performance).
* Limit access to manager and administrator to localhost, admin-ip/-net (and choose a proper password).
* Change error messages (if the service is down, don't advertise the stacktrace, give a generic apology). (This is security by obscurity but nonetheless it hides specifics that may give an attacker information about possible injections or DoS.)
* Use a web-tier:
  Firewall <-> (load balancer if it's for a web cluster) <-> Web frontend (Apache) <-> Firewall <-> Tomcat Application Server (cluster)


You could also consider:

- Running with the security manager enabled. The default policy file provided with Tomcat should suit most needs. Then if more privileges are required, they should be added by applying the principle of least privilege and being as specific as possible when defining the classes, e.g.:

        permission java.util.PropertyPermission "java.vm.specification.version", "read";

  instead of:

        permission java.util.PropertyPermission "java.vm.*", "read";

- Disabling support for compiling JSPs on the fly. Should there be an application vulnerability that allows attackers to upload content, they will not be able to upload JSPs.


--
Stephen de Vries
Corsaire Ltd
E-mail: stephen () corsaire com
Fax:    +44 1483 226068
Web:    http://www.corsaire.com
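As an added illustration of the second of the quoted points (restricting the manager application to localhost and an admin network), not taken from the thread or from Tomcat's own distribution: a RemoteAddrValve placed in the manager webapp's context configuration (conf/Catalina/localhost/manager.xml or the app's META-INF/context.xml). The single-regex form of the allow attribute is the Tomcat 7+ syntax; the 10.0.0.0/24 admin network is an assumed placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Context for the Tomcat manager webapp (constructed example).
     privileged="true" is required for the manager app to function. -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Only clients whose source address matches the regex are admitted;
       all other requests to /manager receive a 403 before reaching the
       application, so password guessing from the outside is cut off.
       Listed: IPv4 loopback, IPv6 loopback (both spellings), and the
       assumed admin network 10.0.0.0/24 -- replace with your own. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.0\.0\.\d{1,3}" />

</Context>
```

The valve matches the TCP peer address, so when Tomcat sits behind the Apache front end from the quoted diagram, that address is the proxy's, not the browser's; either terminate the restriction at Apache instead, or place a RemoteIpValve before this one so the X-Forwarded-For client address is what gets checked. Pair the valve with a strong, non-default password in tomcat-users.xml as the quoted point advises.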


