
Difference between revisions of "Talk:Securing tomcat"

From OWASP
(Newer Tomcat branches: new section)
==UNIX Permissions==

> Change files in CATALINA_HOME/conf to be readonly (440)

Initially these are 600 (except for tomcat-users.xml which is 644 and Tomcat keeps it that way). Is there a need to make them group-readable?

> Make sure tomcat user has ... write (220 - yes, only write) access to CATALINA_HOME/logs

This doesn't work. I think the best that can be done here is 750 or 700.

[[User:Combatopera|Combatopera]] 15:53, 12 November 2006 (EST)

CATALINA_HOME/conf files updated to recommend chmod 400. tomcat-users.xml the same, as Tomcat doesn't write to it. Original file permissions for all these conf files were 600 when 5.5.20 was unpacked on a Debian box.

CATALINA_HOME/logs directory updated to recommend chmod 300. Prevents tomcat user reading the logs within, but writing works fine for me - again after 5.5.20 was unpacked on a Debian box.

[[User:Dledmonds|Darren]] 04:35, 9 January 2007 (EST)
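The two comments above disagree about what mode the logs directory needs. As an added example (not from the wiki article or either commenter), the following POSIX shell function probes a constructed temporary directory under each mode to show why write-only (200 or 220) cannot work for a directory, while 300 lets a Tomcat-like process create and append to log files it knows by name without being able to list them. It assumes it is run as an unprivileged user; root ignores mode bits entirely.

```shell
#!/bin/sh
# Added example (not part of the wiki page): probe what a Tomcat-like process can do
# in its logs directory under a given mode. Uses a constructed temporary directory,
# not a real CATALINA_HOME/logs. Assumes an unprivileged user: root ignores mode bits.

probe_logdir_mode() {
    # $1 is the octal mode to test; prints "append:<ok|fail> create:<ok|fail> list:<ok|fail>"
    mode="$1"
    dir=$(mktemp -d) || return 1
    : > "$dir/catalina.out"                      # a log file that already exists
    chmod "$mode" "$dir"
    # Appending to a known file needs search (x) on the directory, not read (r).
    if ( echo line >> "$dir/catalina.out" ) 2>/dev/null; then append=ok; else append=fail; fi
    # Creating a new log file needs write (w) AND search (x) on the directory.
    if ( : > "$dir/localhost.log" ) 2>/dev/null; then create=ok; else create=fail; fi
    # Listing the directory needs read (r); mode 300 deliberately denies this.
    if ls "$dir" >/dev/null 2>&1; then list=ok; else list=fail; fi
    chmod 700 "$dir"
    rm -rf "$dir"
    echo "append:$append create:$create list:$list"
}

# Walk the modes discussed on this page: 220 is the original advice, 300 the revised one.
for m in 200 220 300 500 700; do
    echo "mode $m -> $(probe_logdir_mode "$m")"
done
```

The output shows that only the search bit separates the failing 220 from the working 300, which is why the revised advice works while still keeping the tomcat user from reading back the directory listing.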
 
 
==Replacing Default Error Page==

Why only restrict the default error page on java.lang.Exception? The more inclusive java.lang.Throwable would seem to be the better choice, as it would prevent leakage of stack traces in the event of a java.lang.Error.

[[User:Ken|Ken]] 23:07, 21 February 2008 (EST)

Agreed, article updated [[User:Dledmonds|Darren]] 04:49, 22 February 2008 (EST)

== Newer Tomcat branches ==

This page is hopelessly outdated for anyone working with the Tomcat 6 branch. We need to figure out the best way to document security measures for the different supported branches.

[[User:Ken|Ken]] 10:25, 20 March 2009 (UTC)

I've not had call to use Tomcat 6, but in a few months I plan to start experimenting with the embedded version. I don't mind expanding the article to have a section on 6 (and keep the section on 5.5), but I can't contribute anything just yet. My preference would be a single article as it will cut down on duplication. In the meantime, any differences, areas to cover, new features, etc. that others could note down will help speed things up. [[User:Dledmonds|Darren]] 09:11, 26 March 2009 (UTC)

Revision as of 09:11, 26 March 2009