
Difference between revisions of "Talk:Securing tomcat"

From OWASP
(18 intermediate revisions by 10 users not shown)
Earlier revision (text removed before the latest revision)

What's the best way to acknowledge the contributions of others as I'd like to add some thanks to Kris Easter, Michel Prunet and Stephen More. This discussion area? In brackets after the article link from Java Project Roadmap (https://www.owasp.org/index.php/OWASP_Java_Project_Roadmap#Securing_Popular_J2EE_Servers)? Darren 08:58, 27 October 2006 (EDT)

I've added an acknowledgements section to the main page. Stephendv 11:58, 14 January 2008 (EST)

UNIX Permissions

> Change files in CATALINA_HOME/conf to be readonly (440)

Initially these are 600 (except for tomcat-users.xml which is 644 and Tomcat keeps it that way). Is there a need to make them group-readable?

> Make sure tomcat user has ... write (220 - yes, only write) access to CATALINA_HOME/logs

This doesn't work. I think the best that can be done here is 750 or 700.

Combatopera 15:53, 12 November 2006 (EST)

CATALINA_HOME/conf files updated to recommend chmod 400. tomcat-user.xml the same as tomcat doesn't write to it. Original file permissions for all these conf files were 600 when 5.5.20 was unpacked on a debian box.

CATALINA_HOME/logs directory updated to recommend chmod 300. Prevents tomcat user reading the logs within, but writing works fine for me - again after 5.5.20 was unpacked on a debian box.

Darren 04:35, 9 January 2007 (EST)

Replacing Default Error Page

Why only restrict the default error page on java.lang.Exception? The more inclusive java.lang.Throwable would seem to be the better choice, as it would prevent leakage of stack traces in the event of a java.lang.Error.

Ken 23:07, 21 February 2008 (EST)

Latest revision as of 00:38, 23 August 2014

InvokerServlet

There needs to be an addendum in here about disabling the InvokerServlet. See my blog entry at [yet-another-dev.blogspot.com] for details about why this is a bad idea. --Chris Schmidt 22:03, 17 December 2009 (UTC)

File permissions

Hmm, what does "Make sure tomcat user has read/write access to /tmp" mean?

Tomcat creates a directory "temp", not "tmp", and read/write on a directory doesn't actually allow reading or writing. I assume the intention is "chmod 700 temp"... would love if anyone can clarify. Douglasheld 18:06, 3 April 2009 (UTC)
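
The thread above settled on three modes for a Tomcat 5.5 tree: conf files at 400, the logs directory at 300 (write plus search, which is why 220 fails and 300 works), and temp at 700. The script below is an added example, not code from the original page or from the Tomcat project: it builds a throwaway directory tree that imitates a CATALINA_HOME, applies those modes with two deliberate slips, audits the tree against the policy, then tightens it. Only permission bits are compared; file ownership and the choice of tomcat user are out of scope.

```python
"""Audit CATALINA_HOME modes against the permissions discussed on this talk page.

Added example, not code from the original page or the Tomcat project. It
builds a throwaway directory tree that imitates a Tomcat 5.5 CATALINA_HOME,
applies the modes the discussion converged on, and reports anything more
permissive. Only permission bits are checked; ownership is out of scope.
"""
import os
import stat
import tempfile

# Most permissive acceptable mode for each location, taken from the thread:
#   conf/*  0400  read-only for the tomcat user; tomcat-users.xml included,
#                 since Tomcat does not write to it
#   logs/   0300  write + search, enough to create and append log files
#   temp/   0700  Douglasheld's reading of "read/write access to temp"
POLICY = {"conf": 0o400, "logs": 0o300, "temp": 0o700}


def excess_bits(actual, allowed):
    """Permission bits present in `actual` that the policy does not allow."""
    return (actual & 0o777) & ~allowed


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(catalina_home):
    """Return [(relative_path, actual_mode, excess_mode)] for every violation.

    conf/ is checked file by file; logs/ and temp/ are checked as directories.
    A missing directory is reported with mode None.
    """
    findings = []
    for name, allowed in POLICY.items():
        path = os.path.join(catalina_home, name)
        if not os.path.isdir(path):
            findings.append((name, None, None))
            continue
        targets = ([os.path.join(path, f) for f in sorted(os.listdir(path))]
                   if name == "conf" else [path])
        for target in targets:
            mode = mode_of(target)
            bad = excess_bits(mode, allowed)
            if bad:
                findings.append((os.path.relpath(target, catalina_home), mode, bad))
    return findings


def apply_policy(catalina_home):
    """Tighten every audited path to exactly the policy mode."""
    for name, allowed in POLICY.items():
        path = os.path.join(catalina_home, name)
        if name == "conf":
            for f in os.listdir(path):
                os.chmod(os.path.join(path, f), allowed)
        else:
            os.chmod(path, allowed)


def build_sample_home():
    """Constructed CATALINA_HOME: correct except for two deliberate slips."""
    home = tempfile.mkdtemp(prefix="catalina_home_")
    for d in ("conf", "logs", "temp"):
        os.mkdir(os.path.join(home, d))
    # conf files unpack as 0600/0644 (per the thread); tighten two, leave one
    for fname, mode in (("server.xml", 0o400),
                        ("tomcat-users.xml", 0o644),   # slip: still 0644
                        ("web.xml", 0o400)):
        p = os.path.join(home, "conf", fname)
        with open(p, "w") as fh:
            fh.write("<!-- constructed sample, not a real Tomcat file -->\n")
        os.chmod(p, mode)
    os.chmod(os.path.join(home, "logs"), 0o300)
    os.chmod(os.path.join(home, "temp"), 0o755)        # slip: world-readable
    return home


if __name__ == "__main__":
    home = build_sample_home()
    for rel, mode, bad in audit(home):
        print(f"{rel}: mode {oct(mode)}, excess bits {oct(bad)}")
    apply_policy(home)
    print("after apply_policy:", audit(home))
```

Run against a real installation by passing CATALINA_HOME (or CATALINA_BASE for split installs) to audit() instead of build_sample_home(); the logs directory at 300 cannot be listed by its owner afterwards, which is the intended trade-off the thread describes.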

Newer Tomcat branches

This page is hopelessly outdated for anyone working with the Tomcat 6 branch. We need to figure out the best way to document security measures for the different supported branches. Ken 10:25, 20 March 2009 (UTC)

I've not had call to use Tomcat 6, but in a few months I plan to start experimenting with the embedded version. I don't mind expanding the article to have a section on 6 (and keep the section on 5.5), but I can't contribute anything just yet. My preference would be a single article as it will cut down on duplication. In the meantime, any differences, areas to cover, new features, etc. that others could note down will help speed things up. Darren 09:11, 26 March 2009 (UTC)

HttpOnly configuration

Tomcat versions from 5.5.28 and 6.0.19 support the HttpOnly (http://www.owasp.org/index.php/HttpOnly) cookie option.

This is configured in the conf/context.xml file:

<Context useHttpOnly="true">
...
</Context>

Simon Bennetts 14:40, 18 June 2010 (UTC)

Overriding Tomcat Version Number

Rebuilding the catalina.jar to alter ServerInfo.properties may not be an ideal way to override the version number, the same effect can be achieved without repackaging JARs in the default distribution (repackaging can be somewhat intrusive and/or impractical). Classloader classpaths can be patched using strategically placed files on the classpath. Classes that are loaded first always take precedence, the same goes for properties files, hence you can override by creating files in the following places:

# For Tomcat 5.5 (inject your new file onto the path of the server classloader):
${catalina.home}/server/classes/org/apache/catalina/util/ServerInfo.properties
# For Tomcat 6 (inject it onto the path of the common classloader, or whichever classloader is loading catalina.jar):
${catalina.home}/lib/org/apache/catalina/util/ServerInfo.properties

In both cases, ${catalina.home} is typically either the root of your local installation, or your global installation if you are making use of disjoint installs using ${catalina.base} to provide instance-specific information.

autoDeploy feature

Wouldn't it make sense to disable the autoDeploy feature in production environments for added security?

Pierre Ernst 2011-08-12

Disabling weak ciphers in Tomcat

Copied from https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1225

In order to disable weak ciphers, please modify your SSL Connector container attribute inside server.xml with the following information.

ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, 
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 
 SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

Example:

<Connector port="443" maxHttpHeaderSize="8192" address="192.168.1.1"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="SSL"
ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
 SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"
truststoreFile="SomeDir/SomeFile.truststore" truststorePass="HomeRun"/>

User:Psiinon 2011-10-06

User:Dirk Wetter 2014-03-27 : Those ciphers were maybe ok in 2011, in 2014 I would not recommend using RC4 and CBC ciphers!
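
Three of the sections above (HttpOnly configuration, the autoDeploy question, and the weak-cipher Connector with Dirk Wetter's 2014 caveat) are all settings in conf/server.xml or conf/context.xml, so one audit script serves them together. It is an added example, not code from the original page, from Comodo, or from the Tomcat project. The XML in it is constructed: the first Connector mirrors the one quoted in the cipher section, the Host and Context are ordinary 5.5/6 defaults, and the hardened fragment is the author's own suggestion. The cipher check flags RC4, 3DES and CBC-mode suites as Dirk Wetter advises, plus static-RSA key exchange (no forward secrecy), which is this example's addition; the sslProtocol check assumes Tomcat's documented default of "TLS"; the autoDeploy check assumes Tomcat's documented default of true when the attribute is absent.

```python
"""Audit Tomcat server.xml / context.xml for the settings raised on this talk page.

Added example, not code from the original page or the Tomcat project.
Checks: weak cipher suites (RC4, 3DES, CBC per Dirk Wetter; static RSA key
exchange added here), sslProtocol other than Tomcat's default "TLS", Host
autoDeploy left enabled, and Context useHttpOnly not set to true.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the Connector mirrors the Comodo example quoted above.
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" address="192.168.1.1" scheme="https" secure="true"
               clientAuth="false" sslProtocol="SSL"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed hardened fragment. ECDHE + AES-GCM suite names assume a JVM
# that offers them (Java 8 or later); adjust to what your JVM supports.
HARDENED_SERVER_XML = """\
<Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true" sslProtocol="TLS"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
             keystoreFile="SomeDir/SomeFile.key" keystorePass="Poodle"/>
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" autoDeploy="false"/>
  </Engine>
</Service>
"""

DEFAULT_CONTEXT_XML = "<Context>\n</Context>\n"            # as shipped with 5.5/6
HTTPONLY_CONTEXT_XML = '<Context useHttpOnly="true">\n</Context>\n'

# Substrings of JSSE cipher-suite names and the reason each is flagged.
WEAK_PATTERNS = (
    ("RC4", re.compile(r"_RC4_")),
    ("3DES", re.compile(r"_3DES_")),
    ("CBC mode", re.compile(r"_CBC_")),
    ("static RSA key exchange, no forward secrecy", re.compile(r"^(SSL|TLS)_RSA_")),
)


def split_ciphers(value):
    """Split a Connector ciphers attribute on commas, ignoring whitespace."""
    return [c.strip() for c in value.split(",") if c.strip()]


def weak_ciphers(suites):
    """Return [(suite, [reasons])] for every suite matching a weak pattern."""
    out = []
    for suite in suites:
        reasons = [why for why, pat in WEAK_PATTERNS if pat.search(suite)]
        if reasons:
            out.append((suite, reasons))
    return out


def audit_server_xml(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("SSLEnabled") != "true":
            continue                                    # plain HTTP or AJP connector
        tag = f"Connector:{conn.get('port')}"
        proto = conn.get("sslProtocol", "TLS")          # Tomcat's documented default
        if proto != "TLS":
            findings.append(f"{tag} sslProtocol={proto}: use TLS")
        ciphers = conn.get("ciphers")
        if ciphers is None:
            findings.append(f"{tag} no ciphers attribute: JVM defaults apply")
        else:
            for suite, reasons in weak_ciphers(split_ciphers(ciphers)):
                findings.append(f"{tag} weak cipher {suite}: {'; '.join(reasons)}")
    for host in root.iter("Host"):
        if host.get("autoDeploy", "true").lower() == "true":   # Tomcat default is true
            findings.append(f"Host:{host.get('name')} autoDeploy enabled")
    return findings


def audit_context_xml(xml_text):
    root = ET.fromstring(xml_text)
    # Absent means off on the 5.5/6 branches this page discusses.
    if root.tag != "Context" or root.get("useHttpOnly", "false").lower() != "true":
        return ["Context useHttpOnly is not true: session cookie readable by script"]
    return []


if __name__ == "__main__":
    for f in audit_server_xml(SERVER_XML) + audit_context_xml(DEFAULT_CONTEXT_XML):
        print(f)
    print("hardened:", audit_server_xml(HARDENED_SERVER_XML)
          + audit_context_xml(HTTPONLY_CONTEXT_XML))
```

To run it against a live instance, read the two files from CATALINA_BASE/conf and pass their text to the two audit functions; every suite in the quoted Comodo list trips at least one pattern, which is the point Dirk Wetter makes above.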

No missing steps required in Tomcat 7 or 8

I've done some research and as far as I can tell there are no recommended hardening steps for Tomcat 7 or 8 missing from this guide.

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Securing_Management_Applications
http://chandank.com/application-server/tomcat/apache-tomcat-hardening-and-security-guide

The SSL Cipher list should be upgraded however: http://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2-in-tomcat.html

Kenneth Kron (talk) 16:56, 22 August 2014 (CDT)