Tomcat security

Dean Reedy
Ranch Hand

Joined: Sep 10, 2001
Posts: 89
Are there any web sites that discuss and describe Tomcat security issues or how JSP/HTML/servlets should be written with security in mind?
What I want to avoid is someone typing, i.e.,
http://<my server>/<some directory>/, which gives them a directory listing, and then they can just download and view the source code of the JSP files.
I have noticed my web server is being hit hard by hackers trying to break into it. My firewall reports went from 5-6 people trying to connect to my computer to more than 50-60 daily since my web server went up.
Dean Reedy
Ranch Hand

Joined: Sep 10, 2001
Posts: 89
OK, I found below that the directory listings can be turned off by:
Go into web.xml in the tomcat/conf directory.

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Change:

    <init-param>
        <param-name>listings</param-name>
        <param-value>true</param-value>
    </init-param>

to

    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>

However, I still wonder: is there a good website discussing Tomcat security, what to do and what not to do?
 