Config Tomcat 7 on Linux

scott ja
Greenhorn

Joined: Jul 12, 2012
Posts: 8
Installed Tomcat 7 on Linux.  Java ver 6.  IDE: IBM Rad (Eclipse)

Currently in the process of switching from IBM WebSphere to Tomcat.  The web server I am now using is IBM WebSphere app server 8.  It comes with a GUI admin console on which I can easily config the JNDI and JDBC data source.

Now, for Tomcat, how can I config the JNDI and the JDBC Data source etc?


Thanks

Scott
Jeanne Boyarsky
author & internet detective
Marshal

Joined: May 26, 2003
Posts: 31077
    
233

Scott,
Welcome to CodeRanch!

In Tomcat, you configure the datasource in XML. See how to set up a datasource.


Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305
    
  21

And just to remove any doubts, this is also the way to configure JNDI.

Customer surveys are for companies who didn't pay proper attention to begin with.
scott ja
Greenhorn

Joined: Jul 12, 2012
Posts: 8
Have a couple of further questions:


1) To use an Oracle JDBC driver: DriverManager.getConnection("jdbc:oracle:thin:@database","username","password");

This username and password, on IBM WebSphere, I used to specify via a JAAS property on the admin GUI. Now, for Tomcat, can I specify it in the XML file? (I do not like to code the username/password in the Java program).


2) Concerning hacker attacks: how easy is it for a hacker to access the web server and get hold of the XML files such as server.xml and context.xml? Does Tomcat have some way to protect them? Or is it purely up to my server hardware/software setup (such as server hardening)?


3) There is a GUI tool called Tcat to facilitate the use of Tomcat. But this tool can not be used to specify the XML files (via GUI). What is the tool generally used for?



Thanks

Eugene
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305
    
  21

Commercial-grade webapps should not be using DriverManager.getConnection even under WebSphere. The proper way is to set up a connection pool, have the webapp do a JNDI lookup to get the DataSource, then use the DataSource getConnection method.

If you're using a container-supplied DataSource (connection pool), then the userID and password for the connection never exist within the application WAR at all. They are defined in the connection pool specification. Which is XML in Tomcat.

Tomcat has never had a reported bug that would allow an external attacker to gain access to any of Tomcat's configuration or binary files. If you tried REALLY hard, you could probably expose them, but only by overriding a lot of defaults and totally violating configuration standards. One of the best ways to protect Tomcat resources is to use the J2EE container security facilities. User-defined login/security systems are almost invariably horribly insecure. In fact, probably 80% or more of such systems can be dodged by non-technical people in under 10 minutes.

Also, don't run Tomcat as root, either out of laziness or because only root can listen in on ports 80 and 443. Run Tomcat as a non-privileged user and if you want response from ports 80/443, use the special wrapper or proxy it with something like Apache https server.

Tomcat actually does have an admin webapp, but it's not available out of the box and I can't remember if it can handle all the configuration options that XML can.

You should be aware that the J2EE spec actually designates 2 sources of webapp configuration data. The server-independent deployment descriptor, which is the WAR's WEB-INF/web.xml file, and the server-specific deployment descriptor, which in Tomcat is the Context element (context.xml). WebSphere's console allows you to define its deployment descriptor via the console, although I'm pretty sure that there's also a way to drop in a deployment descriptor file specific to WAS. Not that it matters for this particular case.
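The container-managed DataSource described in the post above, as an added example that is not part of the original thread. The context file name `myapp.xml` (it must match the webapp's context path), the JNDI name `jdbc/AppDB`, the host, SID, account and pool sizes are all placeholders, and the servlet class is hypothetical.

```java
// Container side (not in the WAR): $CATALINA_BASE/conf/Catalina/localhost/myapp.xml
//   <Context>
//     <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
//               driverClassName="oracle.jdbc.OracleDriver"
//               url="jdbc:oracle:thin:@dbhost:1521:ORCL"
//               username="app_user" password="CHANGE_ME"
//               maxActive="20" maxIdle="5" maxWait="10000"/>
//   </Context>
// All names and values above are placeholders. The Oracle driver jar goes in $CATALINA_BASE/lib.
import java.io.IOException;
import java.sql.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import javax.sql.DataSource;

@WebServlet("/dbcheck")
public class DbCheckServlet extends HttpServlet {
    private DataSource pool;

    @Override
    public void init() throws ServletException {
        try {
            // Webapp resources are bound under java:comp/env in the container's JNDI tree.
            pool = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AppDB");
        } catch (NamingException e) {
            throw new ServletException("jdbc/AppDB is not defined for this Context", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Connection con = null;
        try {
            con = pool.getConnection(); // credentials come from the pool definition
            ResultSet rs = con.createStatement().executeQuery("SELECT 1 FROM dual");
            resp.setContentType("text/plain");
            resp.getWriter().println(rs.next() ? "database reachable" : "no rows");
        } catch (SQLException e) {
            throw new ServletException("database check failed", e);
        } finally {
            if (con != null) try { con.close(); } catch (SQLException ignored) { } // back to the pool
        }
    }
}
```

The password is stored in clear text in the context file, so that file should be readable only by the non-privileged account Tomcat runs as.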


scott ja
Greenhorn

Joined: Jul 12, 2012
Posts: 8
Where can I get the J2EE container security facilities? Is there some guide to teach how to implement the security?


Thanks
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16305
    
  21

Container security is part of the J2EE and JEE standard specification. Even incomplete implementations of J2EE such as Tomcat provide it, so there's nothing to add.

Container security is handled in 3 parts:

1. The WEB-INF/web.xml file (application-independent deployment descriptor)

2. Application logic (via the HttpServletRequest methods)

3. A container security Realm definition. The Realm defines how Tomcat (or WebSphere) confirms user identity and roles. For Tomcat, there is documentation at the tomcat.apache.org site and sample Realm definitions in the server.xml file.

Sample information for item #1 can be found in most good books on J2EE. Followed, often, alas, by sample user-defined login code.

It's a little harder to find samples for application logic. The primary defence provided by container security comes from the container checking incoming URLs against secured resource URL patterns, so the application logic is never invoked for unauthorized users, but it's often useful to provide additional refinements, which can be done by the isUserInRole() method. And, of course, by invoking the getRemoteUser() method to get the logged-in user's name (it will return null if the user isn't logged in).

The easiest Realm to use in Tomcat is the MemoryRealm and its descendants, because they allow you to define userids, passwords, and security roles in a file (default TOMCAT_HOME/conf/tomcat-users.xml). This is good for testing and other lightweight security needs. Production systems usually plug-replace the Realm with one of the database or LDAP/Active Directory Realms or something like that.
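The three parts listed in the post above put together, as an added example that is not part of the original thread. The URL pattern, role names, user entry and servlet class are placeholders, and the CONFIDENTIAL transport guarantee assumes an HTTPS connector is already configured.

```java
// Part 1, WEB-INF/web.xml: the container rejects unauthenticated or unauthorized
// requests to /admin/* before any servlet code runs.
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>admin</web-resource-name>
//       <url-pattern>/admin/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>operator</role-name>
//       <role-name>auditor</role-name>
//     </auth-constraint>
//     <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
//   </security-constraint>
//   <login-config><auth-method>BASIC</auth-method><realm-name>admin</realm-name></login-config>
//   <security-role><role-name>operator</role-name></security-role>
//   <security-role><role-name>auditor</role-name></security-role>
//
// Part 3, conf/tomcat-users.xml read by the file-backed Realm (testing only):
//   <tomcat-users>
//     <role rolename="operator"/>
//     <role rolename="auditor"/>
//     <user username="alice" password="CHANGE_ME" roles="operator"/>
//   </tomcat-users>
import java.io.IOException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Part 2, application logic: a finer-grained check inside the protected area.
@WebServlet("/admin/jobs")
public class JobAdminServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Non-null here, because the constraint above already forced a login.
        String user = req.getRemoteUser();
        // Both roles may reach /admin/*, but only operators may change state.
        if (!req.isUserInRole("operator")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        log("job restart requested by " + user);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```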
 
 