Tomcat security

Dean Reedy
Ranch Hand

Joined: Sep 10, 2001
Posts: 89
Are there any web sites that discuss and describe Tomcat security issues or how jsp/html/servlets should be written with security in mind?
What I want to avoid is someone typing, e.g.,
http://<my server>/<some directory>/, which gives them a directory listing, and then they can just download and view the source code of the jsp files.
I have noticed my web server is being hit hard by hackers trying to break into it. My firewall reports went from 5-6 people trying to connect to my computer to more than 50-60 daily since my web server went up.
Dean Reedy
Ranch Hand

Joined: Sep 10, 2001
Posts: 89
OK, I found below that the directory listings can be turned off by:
Go into web.xml in the tomcat/conf directory.

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Change:

    <init-param>
        <param-name>listings</param-name>
        <param-value>true</param-value>
    </init-param>

to

    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>

However, I still wonder: is there a good website discussing Tomcat security, what to do and what not to do?
 
 