Tomcat security

 
Dean Reedy
Ranch Hand
Posts: 89
Are there any web sites that discuss and describe Tomcat security issues or how JSP/HTML/servlets should be written with security in mind?
What I want to avoid is someone typing, i.e.,
http://<my server>/<some directory>/, which gives them a directory listing, and then they can just download and view the source code of the JSP files.
I have noticed my web server is being hit hard by hackers trying to break into it. My firewall reports went from 5-6 people trying to connect to my computer to more than 50-60 daily since my web server went up.
 
Dean Reedy
Ranch Hand
Posts: 89
OK, I found below that the directory listings can be turned off by:
Go into web.xml in the tomcat/conf directory.
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
Change:
<init-param>
    <param-name>listings</param-name>
    <param-value>true</param-value>
</init-param>
to
<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>

However, I still wonder: is there a good website discussing Tomcat security, what to do and what not to do?
 