• Post Reply Bookmark Topic Watch Topic
  • New Topic

What are the security risks and fixes I should look for when hosting tomcat as a web server?  RSS feed

 
Andy Lin
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

I've looked around for this for a while, but I was only able to dig up information on linux based OSes. Unfortunately, I didn't set up Tomcat on my linux based laptop since I wanted to have it on a desktop. Anyways, I've been reading about security for having tomcat running and open to the public. I changed my port to redirect to from 80 to 8080 from router to my pc. I'm also going to strengthen password. I also read that it is best not to run Tomcat as root. Is there something similar in windows that I should look out for to restrict privileges like that comparable to Linux based OSes?

What else should I look for? I've never hosted a site before, and I just wanted to take precautions. The site I am hosting is very simple and just shows a sample work from school and hopefully more as I develop side projects. I am running this on windows 7 64 bit.

Thank you! Help is always appreciated
 
Tim Holloway
Saloon Keeper
Posts: 18797
74
Android Eclipse IDE Linux
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Truth be told, Windows security infrastructure is actually more powerful than the traditional Unix/Linux, although less than selinux.

Yes, you should avoid running Tomcat as an Administrative user. That means that for best results, you should create a non-admin user named "tomcat" (or something) and - if you're planning on running as a Windows Service, set the service used to be "tomcat". Unlike the Apache httpd server, Tomcat can't "jail" itself, so it has to run non-admin start-to-finish.

The port 80 restriction comes from the fact that in many OS's (but not all), ports below 4096 can only be opened as listeners by admin/root users. And since it's dangerous to run Tomcat as an admin user, the next best thing is to run it on a higher port such as 8080 and proxy to it, like you're doing with your router.

For additional security, setup a Tomcat user group and constrain the tomcat user and tomcat group to the absolute bare minimum of resource access rights needed. Note that the CATALINA_HOST parts of Tomcat are essentially read-only as far as Tomcat is concerned, so you can make it harder to sabotage Tomcat's executable code by write-protecting it.
 
Andy Lin
Greenhorn
Posts: 6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks for the reply!

I can make a new tomcat user, but I don't understand which role I should assign to the guest user I am making. Is there a default role that has no privileges to change anything and can only look at the webapps? Do I have to assign this myself in a xml file or is there a default like there is with "admin" and "manager"? How do I set this user to be the default user when tomcat starts for windows 7 system? Thanks!
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!