TomcatExpert

Security Lifecycle Listener

posted by mthomas on July 20, 2011 07:18 AM

Apache Tomcat 7 includes several security updates that further harden the application server, a number of which came directly from the Bugzilla queue. One new feature, the Security Lifecycle Listener, helps ensure that Tomcat is started in a reasonably secure way.

Preventing Tomcat Running as Root

One user pointed out that, while any administrator worth their salt knows it is irresponsible and insecure to run Tomcat as the system's root user, Tomcat still lets the server start as root. Although this problem is largely confined to Linux and other Unix-like systems, the fix had to work on every operating system. The fix that was implemented is a configurable list of users who are not allowed to start Tomcat; by default the list contains only root. At startup Tomcat checks whether it is running as one of those users and, if it is, refuses to start.

Securing Tomcat Files

A second check, performed after the user has been validated, is that any files written by Tomcat (such as the contents of an expanded WAR) are created securely. As a minimum, these files must not be world-writable. In some environments it may be desirable to restrict this further, for example read/write for the owner and no access for anyone else. The permissions of newly created files are controlled by the current user's umask, so the listener compares the umask Tomcat was started with against a configurable minimum. If the umask of the running user is not restrictive enough, this too prevents Tomcat from starting.

Configuring the Security Lifecycle Listener

The Security Lifecycle Listener is not enabled by default. To enable it, uncomment the listener (className org.apache.catalina.security.SecurityListener) in $CATALINA_BASE/conf/server.xml. Its checkedOsUsers attribute holds the comma-separated list of blocked users (default root) and its minimumUmask attribute the least restrictive umask that is accepted (default 0007). To check the umask as well, Tomcat needs to know what it is, because the JVM does not expose it: uncomment the umask line in $CATALINA_HOME/bin/catalina.sh, which passes the shell's umask to the JVM as a system property. Be aware that the default minimum of 0007 rejects the common default umask of 0022 (0022 still leaves files readable and executable by everyone), so set a umask such as 0027 for the account that starts Tomcat. For more information on the Security Lifecycle Listener component see the official documentation at http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html.
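The two checks described above (the blocked-user list and the minimum umask), together with the "not world-writable" rule for files Tomcat creates, can be reproduced outside the JVM as a pre-flight script that runs before catalina.sh. The script below is an added example, not Tomcat's own code: the defaults it uses (blocked user root, minimum umask 0007) are the listener's documented defaults, while the function names, the CHECKED_OS_USERS and MINIMUM_UMASK environment variables and the file-creation probe are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Tomcat's own code): a pre-flight script that performs the
# same checks as Tomcat's SecurityListener, so they can be run or tested
# outside the JVM. Defaults (blocked user "root", minimum umask 0007) are the
# listener's documented defaults; everything else is this example's own design.

# Succeeds (exit 0) when user $2 appears in the comma-separated list $1.
user_is_blocked() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Succeeds when every permission bit cleared by the minimum umask ($2) is also
# cleared by the actual umask ($1), i.e. (umask & minimumUmask) == minimumUmask.
# Both arguments are octal strings as printed by `umask`; the prepended 0
# makes them octal in POSIX arithmetic even when given as "22".
umask_is_sufficient() {
    actual=$(( 0$1 ))
    required=$(( 0$2 ))
    [ $(( actual & required )) -eq "$required" ]
}

# Succeeds when a file created in directory $1 under the current umask is not
# world-writable (the page's stated minimum for files Tomcat writes, such as
# an expanded WAR). find -perm -002 works on both GNU and BSD userlands.
created_file_not_world_writable() {
    probe="$1/umask-probe.$$"
    : > "$probe" || return 1
    if find "$probe" -perm -002 | grep -q .; then
        rm -f "$probe"
        return 1
    fi
    rm -f "$probe"
    return 0
}

# Run all checks the way the listener would; report each failure, exit 1 on any.
preflight() {
    blocked="${CHECKED_OS_USERS:-root}"   # assumed env var, cf. checkedOsUsers
    min_umask="${MINIMUM_UMASK:-0007}"    # assumed env var, cf. minimumUmask
    me=$(id -un)
    cur=$(umask)
    status=0
    if user_is_blocked "$blocked" "$me"; then
        echo "FAIL: refusing to start Tomcat as blocked user '$me'" >&2
        status=1
    fi
    if ! umask_is_sufficient "$cur" "$min_umask"; then
        echo "FAIL: umask $cur is less restrictive than required $min_umask" >&2
        status=1
    fi
    if ! created_file_not_world_writable "${TMPDIR:-/tmp}"; then
        echo "FAIL: files created under umask $cur are world-writable" >&2
        status=1
    fi
    return $status
}

# Perform the checks when executed directly as tomcat-preflight.sh; when the
# file is sourced for its functions nothing runs.
if [ "${0##*/}" = "tomcat-preflight.sh" ]; then
    preflight
fi
```

Save the script as tomcat-preflight.sh and run it as the account that will start Tomcat, for example `umask 0027; sh tomcat-preflight.sh && $CATALINA_HOME/bin/catalina.sh start`. Note that with the default minimum of 0007, `umask_is_sufficient 0022 0007` fails because 0022 & 0007 is 0002, not 0007, which is exactly why a stock 0022 umask stops the real listener from starting Tomcat.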

Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.
