TomcatExpert

Security

Blog : Year in Review 2011

posted by Stacey Schneider on January 4, 2012 07:31 AM

2011 has been a great year for the Tomcat Expert community. After almost 2 years of operating, the Tomcat Expert has hit its stride, unloading an array of new information, as well as keeping you up to date with the newest releases for Apache Tomcat 6 and Apache Tomcat 7. With the addition of two new Tomcat Expert Contributors, (Channing Benson and Daniel Mikusa), the Tomcat Expert community continues to build on its reputation for being the leading source for fresh perspectives and new information on how to best leverage Apache Tomcat in the enterprise.


Developers, Executives | Apache Tomcat 6, Apache Tomcat 7, Cross-site Scripting

Blog : Best Practices for Securing Apache Tomcat 7

posted by mthomas on November 2, 2011 07:27 AM

Every effort is made to have each version of Apache Tomcat ship with a set of reasonable defaults for security purposes. This means that the standard defaults for the security settings are reasonably secure: not as secure as they could be, but not horribly insecure either. The default security level is essentially a compromise between security and usability. It is probably OK for simple use in production, but there are a number of things that all users should consider before deploying business applications on a standard installation of Apache Tomcat.

General precautions:

  • Tomcat security configuration should not be your only line of defense. Take a comprehensive look at security and ensure that your OS is secure, there are firewalls in place, and file permissions are set correctly as well. Remember, it won’t matter how secure your application is if your underlying platform is vulnerable. A simple rule of thumb (especially for those firewalls) is to ban everything and only explicitly allow the access you need to run your applications.
  • Delete all the stuff you don’t need. Tomcat will by default install a handful of default applications that you don’t need, and having them in production is just more applications to look after and to ensure are secure. Take a look at the documentation, examples, default root web application, Manager App and Host Manager App and, if you are not using them, delete them and focus just on your production applications. While these applications are relatively low risk, eliminating risk is always a better strategy. The same is true of applications that are archived or no longer in use: move them off of the production site to eliminate any additional pathways for threats.
  • Consider running under a Security Manager. This is always a good idea if you are running applications that you do not trust (e.g. a hosting environment), or if you want an additional layer of protection. A Security Manager will essentially run each deployed web application in a separate sandbox to prevent malicious code from accessing your files or other applications on your network. While it is always a good idea to run under a Security Manager, it should be noted that this is best done during the early stages of development, as it can change how an application behaves, and thorough testing is always recommended. For later-stage projects you’ll need to evaluate whether the benefits of a Security Manager are worth the extra cost of development and testing to deploy it properly. The TCK tests that are used as part of every Tomcat release are always run under a Security Manager, but few users run with a Security Manager in production. There is, therefore, a slightly increased risk that you will hit a Tomcat bug when running with a Security Manager. However, it is usually possible to configure around such bugs if they occur.


Developers, Operations | Tomcat Configuration, Tomcat Security

Blog : Understanding Apache Tomcat: Getting Started

posted by fhanik on October 19, 2011 07:39 AM

Apache Tomcat and other containers have been around for so long that it has become increasingly hard to get started with them.

In this article, we will take you back to the beginning and show how to get started with Apache Tomcat. We will go down to the lowest level, so you don't have to rely on an IDE or other system to get started. This article is written for those who have never used Apache Tomcat and wish to get started in an easy, yet explanatory, way that helps you understand what is happening under the hood. This will fast-track you to becoming very proficient with this lightweight application server.

Step 1. Download and Install Apache Tomcat

There are a lot of different packages available to install Tomcat; for example, on some Linux distributions you can install it using that distribution's package and dependency management. This is good for the sake of simplicity, but once again you lose the understanding of what Tomcat is, what its true dependencies are, and how to use it.

I strongly recommend only moving to a third party packaging of Apache Tomcat after you understand the container itself. This will help avoid complications when you try to create a plan for how you distribute, upgrade and maintain your software.

Rule 1. When learning, only download the software from http://tomcat.apache.org/

Now, since you are learning Apache Tomcat from scratch, I suggest you start with Apache Tomcat 7. As explained in an earlier post, the majority of the features that are implemented are driven by the Servlet and JSP specifications. Each time the Servlet specification is upgraded and new features are added, the Apache Tomcat project plans a new major release of Apache Tomcat. The latest version, Apache Tomcat 7, is based on the corresponding version of the Servlet specification, in this case Servlet 3.0.


Developers, Operations | Apache Tomcat 6, Apache Tomcat 7

Blog : Apache Tomcat 7.0.21 released

posted by Stacey Schneider on September 2, 2011 08:43 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.21

Apache Tomcat 7.0.21 includes security fixes, bug fixes and new features compared to version 7.0.20 including:

  • A fix for CVE-2011-3190 that allowed an attacker to inject requests when Tomcat was configured behind a reverse proxy using the AJP protocol.
  • Multiple additions and improvements to the memory leak detection/prevention features.
  • Improved validation of received AJP messages.


Developers, Security | Tomcat 7, Tomcat Performance, Tomcat Security

Blog : Apache Tomcat 6.0.33 Released

posted by Stacey Schneider on August 18, 2011 02:49 PM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 6.0.33 stable.

Apache Tomcat 6.0.33 is primarily a security and bug fix release. All users of older versions of the Tomcat 6.0 family should upgrade to 6.0.33.

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5, including support for the new Servlet 2.5 and JSP 2.1 specifications, a refactored clustering implementation, advanced IO features, and improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team


Developers, Executives | Tomcat 6

Blog : Apache Tomcat 7.0.20 Released

posted by Stacey Schneider on August 12, 2011 04:19 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.20

Apache Tomcat 7.0.20 includes bug fixes and the following new features compared to version 7.0.19:

  • JSP files with dependencies in JARs are no longer recompiled on every access thereby improving performance.
  • Update to version 1.1.22 of the native component of the AJP and HTTP APR/native connectors.
  • Update to Commons Daemon 1.0.7.
  • Converted unit tests to JUnit 4.

Please refer to the change log for the complete list of changes: http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Note that this version has 4 zip binaries: a generic one and three bundled with Tomcat native binaries for Windows operating systems running on different CPU architectures.

Downloads: http://tomcat.apache.org/download-70.cgi

Migration guide from Apache Tomcat 5.5.x and 6.0.x: http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team


Developers, Executives | Tomcat 7

Blog : End of Life Announced for Apache Tomcat 5.5

posted by Stacey Schneider on August 10, 2011 08:38 AM

Announced this morning by the Apache Tomcat team:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Apache Tomcat team announces that support for Apache Tomcat 5.5.x will end on 30 September 2012.

This means that after 30 September 2012:

  • releases from the 5.5.x branch are highly unlikely
  • bugs affecting only the 5.5.x branch will not be addressed
  • security vulnerability reports will not be checked against the 5.5.x branch

Three months later (i.e. after 31 December 2012)

  • the 5.5.x download pages will be removed
  • the latest 5.5.x release will be removed from the mirror system
  • the 5.5.x branch in svn will move from /tomcat/tc5.5.x to /tomcat/archive/tc5.5.x
  • the links to the 5.5.x documentation will be removed from tomcat.apache.org
  • The bugzilla project for 5.5.x will be made read-only

Note that all 5.5.x releases will always be available from the archive.

It is anticipated that the final 5.5.x release will be made shortly before 30 September 2012.

Thank you,

-- The Apache Tomcat Team


Developers, Executives | Tomcat 5.5

Blog : Mark Thomas Status Update on Apache Tomcat 7 Project

posted by Stacey Schneider on July 29, 2011 12:09 PM

13 months ago today marked the initial release of the Apache Tomcat 7 beta. Having proven itself to be very backwards compatible with Apache Tomcat 6, Tomcat 7 is a wealth of add-on features and bug fixes that builds purely on the success of Tomcat 6. Many of these features were not around 13 months ago, and we have covered many of them here, including:

Originally presented in the SpringSource S2F Forum in Amsterdam, Mark Thomas recorded a new update on the overall status of the Tomcat 7 project for the Tomcat Expert community. This update is slightly more current and gives good insight as to what is now in Tomcat 7 and what will be coming (and how to influence what gets worked on!). Some interesting points Mark brings up:


Developers, Executives | apache, Tomcat 7

Knowledge Base : What's New in Apache Tomcat 7

posted by SpringSource on July 28, 2011 07:05 AM

SpringSource engineer and Apache Software Foundation's release manager for Apache Tomcat 7, Mark Thomas, reviews what is currently in Tomcat 7 and future plans.

This Apache Tomcat 7 update was originally delivered at the SpringSource S2G Forum Series in Amsterdam on May 26, 2011, by Mark Thomas, SpringSource engineer and the Apache Software Foundation's release manager for Apache Tomcat 7.


Developers, Executives | Apache Tomcat, Tomcat 7

Blog : Security Lifecycle Listener

posted by mthomas on July 20, 2011 07:18 AM

Apache Tomcat 7 includes several security updates, coming directly from the Bugzilla queue, that further harden the application server. One new feature, the Security Lifecycle Listener, helps ensure that Tomcat is started in a reasonably secure way.

Preventing Tomcat Running as Root

One user pointed out that, while all administrators worth their salt should know that it is irresponsible and incredibly insecure to run Tomcat as the system's root user, Tomcat still allows the server to start under root. Although this problem is largely confined to Linux systems, the fix had to be applicable to all operating systems. Therefore, the fix that was implemented was to create a list of users that are not allowed to start Tomcat. Tomcat checks whether it is running as one of those users and, if it is, it shuts itself down.

Securing Tomcat Files

A secondary check, after the user has been validated as an allowed user, is that any files written by Tomcat (such as the contents of an expanded WAR) are created securely. As a minimum, these files must not be world-writable. In some environments it may be desirable to restrict this even further, such as read/write for the owner and no access for anyone else. The permissions for created files are controlled by the running user's umask. If the umask of the running user is not restrictive enough, this too will prevent Tomcat from starting.
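The two checks described above (a list of prohibited users, and a umask that must mask at least a required set of bits), written as an added pre-start script so the logic can be seen and tried on any Unix host. This is example code, not code from the post or from Tomcat itself; the function name, the default blocked-user list (root) and the default minimum umask of 0007 (no permissions for "other") are assumptions chosen for this example.

```shell
#!/bin/sh
# Pre-start environment check mirroring the Security Lifecycle Listener's two
# tests. Constructed example: Tomcat's own listener is configured in server.xml,
# this script only reproduces the decision logic.
#
# check_start_env USER UMASK [MIN_UMASK] [BLOCKED_USERS]
#   USER          the OS account the server would start as
#   UMASK         current umask as an octal string, e.g. 0022
#   MIN_UMASK     every bit set here must also be set in UMASK
#                 (assumed default 0007: nothing for "other")
#   BLOCKED_USERS space-separated accounts that must never start the server
#                 (assumed default: root)
# Prints each failed check; returns 0 if all checks pass, 1 otherwise.
check_start_env() {
    user=$1
    umask_val=$2
    min_umask=${3:-0007}
    blocked=${4:-root}
    status=0

    # Check 1: refuse to run as any prohibited account.
    for b in $blocked; do
        if [ "$user" = "$b" ]; then
            echo "refusing to start: running as prohibited user '$user'"
            status=1
        fi
    done

    # Check 2: the umask must clear at least the bits named in MIN_UMASK.
    # A leading 0 makes $(( )) treat the literal as octal.
    if [ $(( 0$umask_val & 0$min_umask )) -ne $(( 0$min_umask )) ]; then
        echo "refusing to start: umask $umask_val does not mask all bits of $min_umask"
        status=1
    fi
    return $status
}

# Typical use from a startup hook, with the shell's real identity and umask:
# check_start_env "$(id -un)" "$(umask)" 0007 "root" || exit 1
```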


Operations, Security | Tomcat 7, Tomcat Security
