What are the security risks and fixes I should look for when hosting Tomcat as a web server?

Andy Lin (Greenhorn, Posts: 6) wrote:
Hi,

I've looked around for this for a while, but I was only able to dig up information on Linux-based OSes. Unfortunately, I didn't set up Tomcat on my Linux-based laptop since I wanted to have it on a desktop. Anyway, I've been reading about security for having Tomcat running and open to the public. I changed my router to redirect from port 80 to 8080 on my PC. I'm also going to strengthen my password. I also read that it is best not to run Tomcat as root. Is there something similar in Windows that I should look out for to restrict privileges like that, comparable to Linux-based OSes?

What else should I look for? I've never hosted a site before, and I just wanted to take precautions. The site I am hosting is very simple and just shows sample work from school, and hopefully more as I develop side projects. I am running this on Windows 7 64-bit.

Thank you! Help is always appreciated.

Saloon Keeper (Posts: 27763) wrote:
Truth be told, the Windows security infrastructure is actually more powerful than traditional Unix/Linux, although less so than SELinux.

Yes, you should avoid running Tomcat as an Administrative user. That means that for best results, you should create a non-admin user named "tomcat" (or something) and, if you're planning on running it as a Windows Service, set the service user to be "tomcat". Unlike the Apache httpd server, Tomcat can't "jail" itself, so it has to run non-admin start-to-finish.

The port 80 restriction comes from the fact that in many OSes (but not all), ports below 4096 can only be opened as listeners by admin/root users. And since it's dangerous to run Tomcat as an admin user, the next best thing is to run it on a higher port such as 8080 and proxy to it, like you're doing with your router.

For additional security, set up a Tomcat user group and constrain the tomcat user and tomcat group to the absolute bare minimum of resource access rights needed. Note that the CATALINA_HOME parts of Tomcat are essentially read-only as far as Tomcat is concerned, so you can make it harder to sabotage Tomcat's executable code by write-protecting it.
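As an added, worked example of the advice in this reply (not posted by anyone in the thread), here is what the "non-admin service account plus write-protected CATALINA_HOME" setup looks like as a PowerShell session run from an elevated prompt. The account name "tomcat", the service name "Tomcat9" and the install path are assumptions; substitute whatever the Tomcat installer registered on your machine. Plain `net user` and `icacls` are used rather than `New-LocalUser` because the latter does not exist on Windows 7.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumed values, adjust to your install:
$TomcatUser    = "tomcat"                                                  # hypothetical local account
$TomcatService = "Tomcat9"                                                 # service name registered by the Tomcat installer (assumed)
$CatalinaHome  = "C:\Program Files\Apache Software Foundation\Tomcat 9.0"  # assumed CATALINA_HOME

# 1. Create an ordinary local user. A freshly created account is a member of
#    "Users" only, i.e. it is not an Administrator. The password is read once
#    as a SecureString and converted only for the two commands that need it.
$pw    = Read-Host -AsSecureString "Password for $TomcatUser"
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
net user $TomcatUser $plain /add /passwordchg:no
wmic useraccount where "name='$TomcatUser'" set PasswordExpires=false   # a service account must not expire

# 2. Make the Windows service log on as that account. sc.exe needs the
#    "obj= value" spacing shown. The account also needs the "Log on as a
#    service" right; the services.msc GUI grants it when you select the
#    account there, so do that once if the service refuses to start.
sc.exe config $TomcatService obj= ".\$TomcatUser" password= $plain
$plain = $null

# 3. Write-protect CATALINA_HOME for the tomcat account: drop inherited ACEs,
#    give SYSTEM and Administrators full control, and tomcat read+execute only.
icacls $CatalinaHome /inheritance:r
icacls $CatalinaHome /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "${TomcatUser}:(OI)(CI)RX"

# 4. Tomcat still has to write its own logs, temp and work directories (and
#    webapps if you deploy by copying WARs there), so grant Modify on those only.
foreach ($dir in "logs", "temp", "work", "webapps") {
    icacls (Join-Path $CatalinaHome $dir) /grant "${TomcatUser}:(OI)(CI)M"
}

# 5. Restart and confirm the service now runs under the non-admin account
#    (StartName should read .\tomcat, not LocalSystem).
Restart-Service $TomcatService
Get-WmiObject Win32_Service -Filter "Name='$TomcatService'" | Select-Object Name, StartName, State
```

If step 5 shows the service still running as LocalSystem, or it fails to start, the usual cause is the missing "Log on as a service" right mentioned in step 2. Step 3 intentionally leaves `conf` read-only as well, so edits to `server.xml` and `tomcat-users.xml` are made as an administrator, not by the account the server runs under.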
Andy Lin (Greenhorn, Posts: 6) wrote:
Thanks for the reply!

I can make a new tomcat user, but I don't understand which role I should assign to the guest user I am making. Is there a default role that has no privileges to change anything and can only look at the webapps? Do I have to assign this myself in an XML file, or is there a default like there is with "admin" and "manager"? How do I set this user to be the default user when Tomcat starts on a Windows 7 system? Thanks!