https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Pierre+ErnstOWASP - User contributions [en]2026-05-27T04:16:14ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=User:Pierre_Ernst&diff=141823User:Pierre Ernst2013-01-04T17:27:45Z<p>Pierre Ernst: </p>
<hr />
<div>http://www.linkedin.com/in/pernst<br />
<br />
<br />
Pierre Ernst is a senior member of the IBM Business Analytics Security Competency Group at the Ottawa Lab in Canada. <br />
A former software developer turned penetration tester, he's responsible for finding security vulnerabilities in IBM applications before they are released.<br />
Using a combination of manual testing and secure code review, his work complements automated vulnerability scanners. <br />
Pierre is also responsible for giving guidance to developers on how to mitigate and fix security issues.</div>Pierre Ernsthttps://wiki.owasp.org/index.php?title=Talk:Securing_tomcat&diff=115615Talk:Securing tomcat2011-08-12T17:07:06Z<p>Pierre Ernst: </p>
<hr />
<div>== InvokerServlet ==<br />
There needs to be an addendum in here about disabling the InvokerServlet. See my blog entry at [[http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html yet-another-dev.blogspot.com]] for details about why this is a bad idea. --[[User:Chris Schmidt|Chris Schmidt]] 22:03, 17 December 2009 (UTC)<br />
<br />
== File permissions ==<br />
<br />
Hmm, what does "Make sure tomcat user has read/write access to /tmp" mean? <br />
<br />
Tomcat creates a directory "temp", not "tmp", and read/write on a directory doesn't actually allow reading or writing. I assume the intention is "chmod 700 temp"... would love if anyone can clarify.<br />
[[User:Douglasheld|Douglasheld]] 18:06, 3 April 2009 (UTC)<br />
<br />
== Newer Tomcat branches ==<br />
<br />
This page is hopelessly outdated for anyone working with the Tomcat 6 branch. We need to figure out the best way to document security measures for the different supported branches.<br />
[[User:Ken|Ken]] 10:25, 20 March 2009 (UTC)<br />
<br />
I've not had call to use Tomcat 6, but in a few months I plan to start experimenting with the embedded version. I don't mind expanding the article to have a section on 6 (and keep the section on 5.5), but I can't contribute anything just yet. My preference would be a single article as it will cut down on duplication. In the meantime, any differences, areas to cover, new features, etc. that others could note down will help speed things up. [[User:Dledmonds|Darren]] 09:11, 26 March 2009 (UTC)<br />
<br />
== HttpOnly configuration ==<br />
<br />
Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly [http://www.owasp.org/index.php/HttpOnly] cookie option.<br />
<br />
This is configured in the conf/context.xml file:<br />
<br />
<Context useHttpOnly="true"><br />
...<br />
</Context><br />
<br />
[[User:Simon Bennetts|Simon Bennetts]] 14:40, 18 June 2010 (UTC)<br />
<br />
== Overriding Tomcat Version Number ==<br />
<br />
Rebuilding the catalina.jar to alter ServerInfo.properties may not be an ideal way to override the version number, the same effect can be achieved without repackaging JARs in the default distribution (repackaging can be somewhat intrusive and/or impractical). Classloader classpaths can be patched using strategically placed files on the classpath. Classes that are loaded first always take precedence, the same goes for properties files, hence you can override by creating files in the following places:<br />
<br />
# For Tomcat 5.5 (inject your new file onto the path of the server classloader):<br />
${catalina.home}/server/classes/org/apache/catalina/util/ServerInfo.properties<br />
<br />
# For Tomcat 6 (inject it onto the path of the common classloader, or whichever classloader is loading catalina.jar):<br />
${catalina.home}/lib/org/apache/catalina/util/ServerInfo.properties<br />
<br />
In both cases, ${catalina.home} is typically either the root of your local installation, or your global installation if you are making use of disjoint installs using ${catalina.base} to provide instance-specific information.<br />
<br />
<br />
<br />
== autoDeploy feature ==<br />
<br />
Wouldn't it make sense to disable the autoDeploy feature in production environments for added security?<br />
<br />
[[User:Pierre Ernst|Pierre Ernst]] 2011-08-12</div>Pierre Ernsthttps://wiki.owasp.org/index.php?title=Talk:Securing_tomcat&diff=115614Talk:Securing tomcat2011-08-12T17:06:19Z<p>Pierre Ernst: </p>
<hr />
<div>== InvokerServlet ==<br />
There needs to be an addendum in here about disabling the InvokerServlet. See my blog entry at [[http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html yet-another-dev.blogspot.com]] for details about why this is a bad idea. --[[User:Chris Schmidt|Chris Schmidt]] 22:03, 17 December 2009 (UTC)<br />
<br />
== File permissions ==<br />
<br />
Hmm, what does "Make sure tomcat user has read/write access to /tmp" mean? <br />
<br />
Tomcat creates a directory "temp", not "tmp", and read/write on a directory doesn't actually allow reading or writing. I assume the intention is "chmod 700 temp"... would love if anyone can clarify.<br />
[[User:Douglasheld|Douglasheld]] 18:06, 3 April 2009 (UTC)<br />
<br />
== Newer Tomcat branches ==<br />
<br />
This page is hopelessly outdated for anyone working with the Tomcat 6 branch. We need to figure out the best way to document security measures for the different supported branches.<br />
[[User:Ken|Ken]] 10:25, 20 March 2009 (UTC)<br />
<br />
I've not had call to use Tomcat 6, but in a few months I plan to start experimenting with the embedded version. I don't mind expanding the article to have a section on 6 (and keep the section on 5.5), but I can't contribute anything just yet. My preference would be a single article as it will cut down on duplication. In the meantime, any differences, areas to cover, new features, etc. that others could note down will help speed things up. [[User:Dledmonds|Darren]] 09:11, 26 March 2009 (UTC)<br />
<br />
== HttpOnly configuration ==<br />
<br />
Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly [http://www.owasp.org/index.php/HttpOnly] cookie option.<br />
<br />
This is configured in the conf/context.xml file:<br />
<br />
<Context useHttpOnly="true"><br />
...<br />
</Context><br />
<br />
[[User:Simon Bennetts|Simon Bennetts]] 14:40, 18 June 2010 (UTC)<br />
<br />
== Overriding Tomcat Version Number ==<br />
<br />
Rebuilding the catalina.jar to alter ServerInfo.properties may not be an ideal way to override the version number, the same effect can be achieved without repackaging JARs in the default distribution (repackaging can be somewhat intrusive and/or impractical). Classloader classpaths can be patched using strategically placed files on the classpath. Classes that are loaded first always take precedence, the same goes for properties files, hence you can override by creating files in the following places:<br />
<br />
# For Tomcat 5.5 (inject your new file onto the path of the server classloader):<br />
${catalina.home}/server/classes/org/apache/catalina/util/ServerInfo.properties<br />
<br />
# For Tomcat 6 (inject it onto the path of the common classloader, or whichever classloader is loading catalina.jar):<br />
${catalina.home}/lib/org/apache/catalina/util/ServerInfo.properties<br />
<br />
In both cases, ${catalina.home} is typically either the root of your local installation, or your global installation if you are making use of disjoint installs using ${catalina.base} to provide instance-specific information.<br />
<br />
[[User:Pierre Ernst|Pierre Ernst]] 2011-08-12<br />
<br />
== autoDeploy feature ==<br />
<br />
Wouldn't it make sense to disable the autoDeploy feature in production environments for added security?</div>Pierre Ernst