Differences between revisions 4 and 5
Revision 4 as of 2008-08-12 17:01:56
Size: 4625
Editor: c-98-235-21-236
Comment: Server header
Revision 5 as of 2009-09-20 23:57:02
Size: 4663
Editor: localhost
Comment: converted to 1.6 markup

Preface

This FAQ section provides help with some security-related issues. If you hear of a vulnerability or its exploitation, please let us know on the security@tomcat.apache.org mailing list.

The Record

There have been no public cases of damage done to a company, organization, or individual due to a Tomcat security issue. There have been no documented cases of data loss or application crashes caused by an intruder. While numerous analyses have been conducted on Tomcat, partly because Tomcat's source code is openly available and such analysis is therefore easy to do, only theoretical vulnerabilities have been found. All of those were addressed even though there were no documented cases of actual exploitation of these vulnerabilities.

Role of Customization

We believe, and the evidence suggests, that Tomcat is more than secure enough for most use-cases. However, like all other components of Tomcat, you can customize any and all of the relevant parts of the server to achieve even higher security. For example, the session manager implementation is pluggable, and even the default implementation has support for pluggable random number generators. If you have a special need that you feel is not met by Tomcat out of the box, consider these customization options. At the same time, please bring up your requirements on the user mailing list, where we'll be glad to discuss it and assist in your approach/design/implementation as needed.

Questions

  1. How do I use OpenSSL to set up my own Certificate Authority (CA)?

  2. OH NO! PORT 8005 is available for anyone on localhost to shutdown my tomcat!

  3. What about Tomcat running as root?

  4. How do I force all my pages to run under HTTPS?

  5. What is the default login for the manager and admin app?

  6. How do I restrict access by ip address or remote host?

  7. How do I use jsvc/procrun to run Tomcat on port 80 securely?

  8. Has Tomcat's security been independently analyzed or audited?

  9. How do I change the Server header in the response?

Answers

How do I use OpenSSL to set up my own Certificate Authority (CA)?

Using OpenSSL to set up your own CA: http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2

OH NO! PORT 8005 is available for anyone on localhost to shutdown my tomcat!

See these two discussions:

  * Possible to switch off tcp/ip server shutdown? http://marc.theaimsgroup.com/?t=104396653200003&r=1&w=2
  * Tomcat shutdown & security: http://marc.theaimsgroup.com/?t=103126643200005&r=1&w=2

What about Tomcat running as root?

See these threads:

  * Tomcat as root and security issues: http://marc.theaimsgroup.com/?t=104516038700003&r=1&w=2

How do I force all my pages to run under HTTPS?

Use a security-constraint in web.xml: http://marc.theaimsgroup.com/?l=tomcat-user&m=104951559722619&w=2
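The web.xml fragment that the answer above refers to, written out here as an added example (it is not taken from the linked thread); the web-resource-name is a placeholder and the url-pattern /* is chosen to cover the whole application:

```xml
<!-- Added example (not from the linked thread): force HTTPS for the whole webapp.
     Place this inside <web-app> in WEB-INF/web.xml. -->
<security-constraint>
  <web-resource-collection>
    <!-- Placeholder name; the url-pattern /* covers every resource in the context.
         Deliberately no <http-method> elements: a constraint that names methods
         leaves every method it does not name unconstrained. -->
    <web-resource-name>Entire application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- CONFIDENTIAL requires an encrypted connection. A plain-HTTP request to a
       matching URL is redirected to the redirectPort of the HTTP Connector in
       server.xml (8443 in the default server.xml), so an HTTPS Connector must be
       listening there or the redirect fails. NONE would allow plain HTTP. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```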

What is the default login for the manager and admin app?

The admin and manager applications do not provide a default login; doing so would be a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml if you are using the default install. See Configuring Manager Application Access: http://tomcat.apache.org/tomcat-4.1-doc/manager-howto.html#Configuring%20Manager%20Application%20Access

How do I restrict access by ip address or remote host?

By using the RemoteHostValve or RemoteAddrValve. Warning: these valves rely on the incoming IP address or hostname being accurate, so they can fall victim to spoofing! Valve reference: http://tomcat.apache.org/tomcat-4.1-doc/config/valve.html

How do I use jsvc/procrun to run Tomcat on port 80 securely?

Fairly easily ;) See the Setup page in the docs for your Tomcat release, and read this mailing list post for a complete setup example with permissions etc.: http://marc.theaimsgroup.com/?l=tomcat-user&m=108566020231438&w=2

Has Tomcat's security been independently analyzed or audited?

Yes, by numerous organizations and individuals, many times. Try this Google search and you'll see many references, guides, and analyses: http://www.google.com/search?sourceid=navclient&ie=UTF-8&q=is+tomcat+secure

How do I change the Server header in the response?

In server.xml, add a "server" attribute to the Connector element: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
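A server.xml fragment, written in the Tomcat 6.0 configuration syntax the answer links to and added here as an example (it is not from the Tomcat docs), that shows the settings behind the shutdown-port, RemoteAddrValve and Server-header answers above in one place; the shutdown string, port numbers, keystore values, address pattern and header value are placeholders:

```xml
<!-- Added example (not from the Tomcat docs); Tomcat 6.0 server.xml syntax. -->
<Server port="8005" shutdown="PLACEHOLDER-long-random-string">
  <!-- Shutdown port: the listener binds to localhost only, but any local user
       who knows the command string can stop Tomcat. Replace the well-known
       default shutdown="SHUTDOWN" with a long, unguessable string, or set
       port="-1" to disable the shutdown port if you stop Tomcat by signal. -->
  <Service name="Catalina">
    <!-- Server header: server="..." overrides the Server response header,
         including any value a webapp sets. redirectPort is where a CONFIDENTIAL
         security-constraint sends plain-HTTP requests, so the HTTPS Connector
         below must listen on it. -->
    <Connector port="8080" protocol="HTTP/1.1"
               server="PLACEHOLDER-server-name"
               redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               server="PLACEHOLDER-server-name"
               keystoreFile="conf/PLACEHOLDER.jks" keystorePass="PLACEHOLDER" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <!-- Address restriction: RemoteAddrValve matches the peer address the
             connector sees against a comma-separated list of regular
             expressions (anchored: the whole address must match). It is only
             as trustworthy as that address: behind a reverse proxy every
             request arrives from the proxy's IP, so the rule either blocks
             everything or, if the proxy's IP is allowed, nothing. At Host
             level it applies to every webapp on this host; to restrict a single
             app, put the same Valve in that app's META-INF/context.xml. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127\.0\.0\.1,10\.0\.0\.[0-9]+" />
      </Host>
    </Engine>
  </Service>
</Server>
```

Check the valve reference for the Tomcat version you run, because the allow/deny syntax has changed between major releases.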

FAQ/Security (last edited 2015-03-06 09:18:59 by markt)