Best Practices for Securing Apache Tomcat 7

posted by mthomas on November 2, 2011 07:27 AM

Every effort is made to have each version of Apache Tomcat ship with a set of reasonable defaults for security purposes. This means that the standard defaults for the security settings are reasonably secure: not as secure as they could be, but not horribly insecure either. The default security level is essentially a compromise between security and usability. It is probably OK for simple use in production, but there are a number of things that all users should consider before deploying business applications on a standard installation of Apache Tomcat.

General precautions:

  • Tomcat security configuration should not be your only line of defense. Take a comprehensive look at security and ensure that your OS is secure, there are firewalls in place, and file permissions are set correctly as well. Remember, it won't matter how secure your application is if your underlying platform is vulnerable. A simple rule of thumb (especially for those firewalls) is to ban everything and only explicitly allow the access you need to run your applications.
  • Delete all the stuff you don't need. Tomcat will by default install a handful of default applications that you don't need, and having them in production is just more applications to look after and to ensure are secure. Take a look at the documentation, examples, default ROOT web application, Manager App and Host Manager App, and if you are not using them, delete them and focus just on your production applications. While these applications are relatively low risk, eliminating risk is always a better strategy. The same is true of applications that are archived or no longer in use: move them off the production site to eliminate any additional pathways for threats.
  • Consider running under a Security Manager. This is always a good idea if you are running applications that you do not trust (e.g. a hosting environment), or if you want an additional layer of protection. A Security Manager will essentially run each deployed web application in a separate sandbox to prevent malicious code from accessing your files or other applications on your network. While it is always a good idea to run under a security manager, it should be noted that this is best done during the early stages of development, as it can impact how an application behaves, and thorough testing is always recommended. For later-stage projects you'll need to evaluate whether the benefits of a security manager are worth the extra cost of development and testing to deploy it properly. The TCK tests that are used as part of every Tomcat release are always run under a Security Manager, but few users run with a Security Manager in production. There is, therefore, a slightly increased risk that you will hit a Tomcat bug running with a Security Manager. However, it is usually possible to configure around such bugs if they occur.


The following all apply to server.xml:

  • Disable the shutdown port. Set the port attribute on the Server element to -1 to disable the shutdown port, which means that only the user who started the instance or the root user can shut down the Tomcat server (you can shut Tomcat down safely with a kill -3).
  • Compile the APR/native connector correctly. If you are going to be using the APR/native connector on Solaris, be sure to use the Sun Studio compilers to ensure stability. When compiled with gcc it is known to be unstable.
  • Use the Security Lifecycle Listener. If you are running Linux in general, take advantage of the new Security Lifecycle Listener developed as part of the Tomcat 7 release cycle to further harden your installation. This feature prevents Tomcat from running as root and provides secondary checks to ensure that any files created are created securely.
  • Specify the interface for your connectors. If you want your connectors to listen only on a particular interface (such as intranet vs. internet), use the address attribute of the Connector element to specify the interface; this limits the number of potential avenues for threats to come through.
  • Eliminate weak ciphers when using SSL on connectors. By default, Tomcat will use whatever ciphers the JVM offers by default, which usually include some ciphers that are considered weak and insecure. The valid list of ciphers varies according to the provider and the JVM policy files that are applied; check your JVM documentation for the correct list and eliminate any ciphers beyond the ones you need.
  • Do not use legacy renegotiation on SSL. The vulnerability CVE-2009-3555 is one where renegotiation handshakes are not properly associated with the existing connection, allowing man-in-the-middle attackers to potentially insert malicious data or requests. Updated versions of Tomcat and the JVM correctly avoid this renegotiation handshake problem. If you need to support clients that have not been updated, then you may need to reconfigure your application so that the user is authenticated on first connection, as that will remove the need for renegotiation. It is not recommended to re-enable legacy renegotiation.
  • Keep your Context with limited access. By default, the Context attributes crossContext and privileged are set to false. crossContext allows a web application to dispatch requests to another application, and privileged allows access to Tomcat's internals. Except for trusted applications that require these abilities, these should remain false.
  • Use aliases, not symlinks. Not enabled by default, the allowLinking attribute can allow Tomcat to follow symlinks from within an application to quickly add additional resources for an application to reuse. While the application is running this is OK; however, when Tomcat later undeploys an application it will also remove the symlinks, which another application may rely on, and that could create instability or possibly a vulnerability. To avoid this, use the new aliases attribute instead, which effectively does the same thing as symlinks, but the aliased resources do not get deleted when you undeploy the app.
  • Configure an AccessLogValve. Tomcat 7 has an AccessLogValve enabled by default, but if you do not have Tomcat 7, it is strongly recommended that you configure one. Oftentimes, in the case of an attack, this could be the only information you have on how the attacker got in.
  • Add a RemoteAddrValve for administrative applications. Limit access to administrative applications, or other limited-access applications, with a RemoteAddrValve to restrict access to a specific set of known hosts. This valve relies on IP addresses, which are harder to fake than host names, so it is recommended to limit client access with the RemoteAddrValve rather than the RemoteHostValve.
  • Use a LockOutRealm. Now standard by default in Tomcat 7, this realm simply protects your application from brute-force attacks by locking out the offending account after a number of unsuccessful attempts.
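As an added example (not part of this post, and not code from the Tomcat project), the following Python script parses a server.xml and flags the settings the list above tells you to change: the shutdown port, connectors without an address or an explicit cipher list, the missing LockOutRealm and AccessLogValve, Context attributes that should stay false, and administrative contexts without a RemoteAddrValve. The two configurations, the interface address, the cipher name and the ADMIN_APPS list are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed server.xml (not a real deployment) showing the settings the article warns about.
WEAK_SERVER_XML = r"""
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps">
        <Context path="/manager" docBase="manager" crossContext="true" allowLinking="true"/>
      </Host>
    </Engine>
  </Service>
</Server>"""
# The same constructed server with the article's advice applied; the cipher name and the
# 10.0.0.5 address are placeholders (take the real cipher list from your JVM documentation).
HARDENED_SERVER_XML = r"""
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="10.0.0.5"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" address="10.0.0.5" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common"/>
        <Context path="/manager" docBase="manager">
          <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127\.\d+\.\d+\.\d+|::1"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""
ADMIN_APPS = ("manager", "host-manager")  # assumption: admin apps are recognised by docBase

def audit_server_xml(xml_text):
    # Returns a list of findings; an empty list means every check passed.
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("port") != "-1":
        findings.append("shutdown port enabled (Server port=%s)" % root.get("port"))
    for c in root.iter("Connector"):
        if not c.get("address"):
            findings.append("connector %s listens on all interfaces" % c.get("port"))
        if c.get("SSLEnabled") == "true" and not c.get("ciphers"):
            findings.append("SSL connector %s uses the JVM default ciphers" % c.get("port"))
    if not any(r.get("className", "").endswith("LockOutRealm") for r in root.iter("Realm")):
        findings.append("no LockOutRealm around the authentication realm")
    for host in root.iter("Host"):
        if not any(v.get("className", "").endswith("AccessLogValve") for v in host.findall("Valve")):
            findings.append("host %s has no AccessLogValve" % host.get("name"))
    for ctx in root.iter("Context"):
        for attr in ("crossContext", "privileged", "allowLinking"):
            if ctx.get(attr) == "true":
                findings.append("context %s sets %s=true" % (ctx.get("path"), attr))
        guarded = any(v.get("className", "").endswith("RemoteAddrValve") for v in ctx.findall("Valve"))
        if ctx.get("docBase") in ADMIN_APPS and not guarded:
            findings.append("admin context %s has no RemoteAddrValve" % ctx.get("path"))
    return findings
```

Running audit_server_xml over your own server.xml (read from disk) gives a checklist of the items above still left to fix; the hardened sample returns no findings.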


The following apply to system properties:

  • Do not recycle façade objects. Setting the org.apache.catalina.connector.RECYCLE_FACADES system property to true results in each request creating a new façade object instead of recycling an old one. By creating a new object each time, you reduce the opportunity for a bug in one application to leak data into a request in another. This setting is often used to work around vulnerabilities in applications where request and response objects are incorrectly cached between requests.
  • Do not enable non-standard parsing of the URI. Disabled by default, but still present for backwards-compatibility reasons, are two system properties, org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH, that allow non-standard parsing of the URI. These properties significantly improve the chances of a directory traversal attack succeeding, and it is therefore strongly recommended that you avoid using them.

Of course, additional security considerations may apply. In general, if you change any system default, you should check with the official Apache Tomcat security documentation to ensure that your changes will not open up your applications to attack.


Mark Thomas is a Senior Software Engineer for the SpringSource Division of VMware, Inc. (NYSE: VMW). Mark has been using and developing Tomcat for over six years. He first got involved in the development of Tomcat when he needed better control over the SSL configuration than was available at the time. After fixing that first bug, he started working his way through the remaining Tomcat bugs and is still going. Along the way Mark has become a Tomcat committer and PMC member, volunteered to be the Tomcat 4 & 7 release manager, created the Tomcat security pages, become a member of the ASF and joined the Apache Security Committee. He also helps maintain the ASF's Bugzilla instances. Mark has a MEng in Electronic and Electrical Engineering from the University of Birmingham, United Kingdom.


how to check if tomcat is running with -security option


I tried to start Tomcat in these two different ways at the command prompt, and both started the Tomcat service:

c:\tomcat\bin\tomcat7 start -security

Then I stopped the service and tried the below:
c:\tomcat\bin\tomcat7 start -securitttt

and the service started as well.

My question: how do I know if Tomcat is started with the security option enabled?


