- Replace server.xml with server-minimal.xml, which contains the minimum required configuration
To replace server.xml:
- Rename the server.xml file present in CATALINA_HOME/conf/ to originalserver.xml
- Rename the server-minimal.xml file present in CATALINA_HOME/conf/ to server.xml
Protect Shutdown Port
- Tomcat listens on port 8005 (default) for shutdown commands
- When running a publicly accessible server, ensure that external access to the shutdown port is blocked by a firewall
- To prevent unintended shutdown of Tomcat services, disable the shutdown port
- To disable the shutdown port:
– Edit the port attribute of the Server element in server.xml and set it to -1
– Setting the port attribute to -1 ensures that Tomcat can be shut down only by the user who owns the Tomcat process
- Alter the shutdown command by changing the shutdown phrase in the CATALINA_HOME/conf/server.xml file
- Ensure that Tomcat users have only read rights on the server.xml file
Disabling Shutdown Port

Altering Shutdown Command

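As an added example (not code from the slides), the Server element of server.xml in its shipped form and in the two hardened forms the steps above describe. The shutdown phrase in the last variant is a placeholder, and the address attribute, which pins the shutdown listener to an interface, is assumed to stay at Tomcat's loopback default in the first two variants:

```xml
<!-- CATALINA_HOME/conf/server.xml: the Server element controls the shutdown listener -->

<!-- Default shipped configuration: anything that can open TCP 8005 and send the
     well-known phrase "SHUTDOWN" stops the server -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- connectors, engine and hosts unchanged -->
  </Service>
</Server>

<!-- Hardened, variant 1: port="-1" disables the shutdown listener entirely.
     Tomcat then stops only through a signal to the process, i.e. by the account
     that owns it (catalina.sh stop only works with -force and a CATALINA_PID file) -->
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- connectors, engine and hosts unchanged -->
  </Service>
</Server>

<!-- Hardened, variant 2: keep the listener but replace the phrase with a long
     random secret (the value below is a placeholder) and pin it to loopback.
     Because the phrase now sits in server.xml, the file must be readable only
     by the Tomcat account -->
<Server port="8005" address="127.0.0.1" shutdown="REPLACE-WITH-LONG-RANDOM-SECRET">
  <Service name="Catalina">
    <!-- connectors, engine and hosts unchanged -->
  </Service>
</Server>
```

Only one Server element may exist in a real server.xml; the three are shown together to make the diff visible. After the change, confirm with a socket listing on the host that nothing is bound to 8005 (variant 1) or that it is bound to 127.0.0.1 only (variant 2).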
Restrict Access to Tomcat Manager Applications
- Restrict the IP addresses that can access the Tomcat Manager and other administrative web applications
To allow connections only from the localhost (127.0.0.1) on the Tomcat server:
- Edit the Context element of ${tomcat_home}/conf/Catalina/localhost/admin.xml
- Edit the Context element of ${tomcat_home}/conf/Catalina/localhost/manager.xml

To allow connections based on host name, use RemoteHostValve

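An added example of such a Context file (not from the slides) for CATALINA_HOME/conf/Catalina/localhost/manager.xml. It assumes Tomcat 7.0 or later, where the allow attribute of RemoteAddrValve and RemoteHostValve is a regular expression that must match the whole client address or host name; the workstation host name in the second valve is a constructed placeholder:

```xml
<!-- CATALINA_HOME/conf/Catalina/localhost/manager.xml: a per-application context
     file here overrides the META-INF/context.xml shipped inside the manager webapp -->
<Context antiResourceLocking="false" privileged="true">

  <!-- Loopback only: IPv4 127.x.x.x plus the two spellings of IPv6 localhost.
       Dots are escaped and alternatives joined with | because the value is a
       regex that has to match the complete client address -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

  <!-- Alternative: filter on the reverse-resolved host name instead. This only
       works when the Connector has enableLookups="true"; otherwise the host
       name the valve sees is just the IP address and the pattern never matches -->
  <!--
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="admin-ws\.corp\.example\.com" />
  -->
</Context>
```

Both valves act on the address of the TCP peer. Behind a reverse proxy that is always the proxy, so the filter would either block everyone or allow everyone the proxy forwards; in that deployment the restriction belongs on the proxy, or RemoteIpValve has to run in front of it so the forwarded client address is used.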
Protecting Resources with Realms
- A Realm is a database of user names and passwords used to authenticate users of web applications
- The server.xml file can define several realms
- Enable only the realms that are needed and disable the others
- LockOutRealm mitigates brute force and denial of service attacks by locking out a user after a configurable number of failed login attempts
Example: server.xml to add lock out functionality to a UserDatabase Realm

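An added example (not the slides' own code) of the server.xml change the heading refers to, with the realm before and after wrapping. The UserDatabase resource name is the one Tomcat's default server.xml declares under GlobalNamingResources; the attribute values are Tomcat's documented defaults, written out so they are visible:

```xml
<!-- CATALINA_HOME/conf/server.xml, inside <Engine name="Catalina" ...> -->

<!-- Before: the realm alone, so a client can try passwords without limit -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase"/>

<!-- After: LockOutRealm wraps the real realm and keeps a per-user-name counter
     of failed logins. Once failureCount failures have accumulated, further
     attempts for that user name are rejected for lockOutTime seconds, even if
     they carry the correct password -->
<Realm className="org.apache.catalina.realm.LockOutRealm"
       failureCount="5"
       lockOutTime="300"
       cacheSize="1000"
       cacheRemovalWarningTime="3600">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>
```

Because the counter is keyed by user name, a burst of bad logins against a real account locks that account out for the same window; Tomcat writes a warning to its log for every lockout, which is the event to alert on.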
Store Passwords as Digest
- By default, passwords are stored as clear text in the ${tomcat_home}/conf/tomcat-users.xml file
- To protect the passwords, store them in digested form:
– Generate the digested form of the password
– Replace the clear text password in tomcat-users.xml with the generated digest
– Include a <Realm> element under the <Host> element of the server.xml file that is configured to use digested passwords
Generating Digest Form of the Password
> cd ${tomcat_home}/bin
> ./digest.sh -a SHA pass@123
pass@123:aa04ew2sfaae76c2a7dc5e25ex18c505e58f12d7
Editing server.xml File

Password Stored as Clear Text

Password Stored in Digest Form

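An added example (not from the slides) of the two files involved, using the Tomcat 8.0 form of the realm; the digest value in tomcat-users.xml is a placeholder to be replaced by whatever digest.sh printed:

```xml
<!-- CATALINA_HOME/conf/server.xml: Realm in Tomcat 8.0 form. The nested
     CredentialHandler tells the realm that stored passwords are SHA digests,
     so the clear text sent by the client is digested before comparison.
     (Tomcat 7 expressed the same thing as a digest="SHA" attribute on the Realm) -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase">
  <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                     algorithm="SHA"/>
</Realm>

<!-- CATALINA_HOME/conf/tomcat-users.xml -->
<tomcat-users>
  <role rolename="manager-gui"/>

  <!-- Before: anyone who can read this file has the password -->
  <user username="admin" password="pass@123" roles="manager-gui"/>

  <!-- After: the value is the hex digest printed by digest.sh -a SHA (placeholder
       below); the clear text never appears in the file -->
  <user username="admin" password="PASTE-OUTPUT-OF-digest.sh-HERE" roles="manager-gui"/>
</tomcat-users>
```

The algorithm attribute must match the -a value given to digest.sh, otherwise every login fails after the switch. Keep only one user element per user name in the real file; both are shown here for the before/after comparison.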
Do Not Run Tomcat as Root
- Do not run Tomcat as root. Create a user with the least required permissions and run Tomcat under that account
- Grant the created user the following privileges:
– Read/write permission to the ${tomcat_home} directory and its subdirectories
– Read permission to data directories
- Create the Tomcat user
sudo adduser tomcat
- Download and unpack Tomcat
sudo cp apache-tomcat-8.0.33.tar.gz /opt
cd /opt
sudo tar zxvf apache-tomcat-8.0.33.tar.gz
- Change ownership to the created user
sudo chown -R tomcat:tomcat /opt/apache-tomcat-8.0.33
- Run Tomcat as the created user
sudo -u tomcat /opt/apache-tomcat-8.0.33/bin/catalina.sh run
- On Windows, create an unprivileged user account and grant it the "Log on as a service" right under Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment
- Ensure that the Apache Tomcat service is set to run as the created user
Configure Restricted Datasets
- When restricting access to datasets, create separate users with the restrictedDatasetUser role
- Users with the restrictedDatasetUser role can access non-HTTPS URLs, which can give rise to session hijacking
- Users with the restrictedDatasetUser role should not be assigned roles that grant access to the security features of Tomcat
Session Handling using App Mode in Tomcat
- Session Timeout
– The session timeout of every web application must be set to the minimum required duration
– To set the timeout, edit the CATALINA_HOME/conf/web.xml file with the following code

- HttpOnly Flag
– This flag is enabled with the following configuration option, which is set in CATALINA_HOME/conf/context.xml
– Setting the HttpOnly flag to true may break application functionality if the application needs to access the session cookie from JavaScript
Syntax:

- CSRF Prevention Filter
– It helps prevent Cross Site Request Forgery
– The CSRF filter generates a nonce and stores it in the session. It encodes the application's URLs with the generated nonce. On receiving a request for such a URL, the received nonce is compared with the nonce in the session; if the two do not match, the request is considered forged
– The CSRF filter can be configured globally in CATALINA_BASE/conf/web.xml. The global setting can be overridden by an application in its WEB-INF/web.xml

Session Handling using App Mode in Tomcat (Cont’d)
- Disable Session URL Rewriting
– This setting stops the session id from being written into the URL, with the following configuration
– CATALINA_HOME/conf/web.xml with the following code:

- Replace the Default Session Name
– The default session cookie name is JSESSIONID. The following configuration can be used to change the default name
– CATALINA_HOME/conf/web.xml with the following code:

- Secure Cookie Flag
– This flag forces the cookie to be transmitted only over SSL, with the following configuration
– CATALINA_HOME/conf/web.xml with the following code:

- Change the Session Id Length
– The default session id length is 128 bits / 16 bytes. The following configuration can be used to change the default value
– CATALINA_HOME/conf/context.xml with the following code:

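An added example (not code from the slides) that collects every session setting from this slide and the previous one into the two files they belong in: the global web.xml for the servlet-standard session and cookie settings plus the CSRF filter, and the global context.xml for the Tomcat-specific ones. The cookie name, timeout and entry point paths are constructed values; the SessionIdGenerator form assumes Tomcat 8.0:

```xml
<!-- 1) CATALINA_HOME/conf/web.xml: defaults inherited by every web application -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <session-config>
    <!-- idle timeout in minutes; Tomcat ships with 30 -->
    <session-timeout>15</session-timeout>
    <cookie-config>
      <!-- replaces the default JSESSIONID cookie name -->
      <name>APPSESSION</name>
      <!-- HttpOnly: not readable via document.cookie; Secure: only sent over TLS -->
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <!-- COOKIE only: the ;jsessionid=... URL rewriting is never used -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

  <!-- CSRF prevention: a per-session nonce is added to encoded URLs, and every
       request that is not an entry point must carry a matching nonce -->
  <filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <!-- comma-separated paths that may be requested without a nonce -->
      <param-name>entryPoints</param-name>
      <param-value>/index.jsp,/login.jsp</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>

<!-- 2) CATALINA_HOME/conf/context.xml: defaults inherited by every Context -->
<Context useHttpOnly="true">
  <!-- Tomcat 8: the id length (in bytes, default 16 = 128 bit) is set on the
       SessionIdGenerator nested in the Manager; Tomcat 7 used
       <Manager sessionIdLength="32"/> instead -->
  <Manager>
    <SessionIdGenerator sessionIdLength="32"/>
  </Manager>
</Context>
```

The CSRF filter only protects links the application builds through response.encodeURL or encodeRedirectURL, because that is where the nonce is appended; hard-coded links and forms will be rejected as forged, which is the symptom to look for when enabling it on an existing application.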
Role Based Security
- Tomcat supports role based authorization
- To implement role based authorization:
1. Create users and roles in conf/tomcat-users.xml
2. Define the security roles and constraints in web.xml
Example: Setting Roles and Users in tomcat-users.xml

Example: Defining Security Role in web.xml

Securing Tomcat at Network Level
Restrict the Connectors:
- Prevent the application from listening on all interfaces/IP addresses available on the server. Instead, specify the IP address to listen on explicitly
- Edit the CATALINA_HOME/conf/server.xml file to restrict the listening interfaces
- Review every connector and specify the correct IP address
Syntax:
<Connector port="TCP_PORT"
address="LISTEN_IP_ADDRESS" ... />
Tomcat Port Connection:
- Tomcat uses a number of ports for network connections. A port identifies the service a client connects to, so these ports need to be configured correctly
- The default TCP ports are 8080 and 8443. These ports are very important and need to be configured correctly
- Open the CATALINA_HOME/conf/server.xml file to review each connector's configuration for the correct/desired port assignment. Remove unnecessary or unused ports or connectors
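As an added example (not the slides' own code), the connector block of a default server.xml beside the restricted version. The address 192.0.2.10 is a constructed documentation address standing in for the interface that is meant to serve the application:

```xml
<!-- CATALINA_HOME/conf/server.xml, inside <Service name="Catalina"> -->

<!-- Before (as shipped): no address attribute, so each connector accepts
     connections on every interface of the host, including the AJP connector
     that nothing in front of this server uses -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

<!-- After: HTTP bound to the single address that is meant to serve it, and the
     unused AJP connector removed. If a reverse proxy on the same host really
     needs AJP, keep that connector but bind it to loopback with
     address="127.0.0.1" rather than leaving it on all interfaces -->
<Connector port="8080" protocol="HTTP/1.1" address="192.0.2.10"
           connectionTimeout="20000" redirectPort="8443"/>
```

After restarting, a listing of listening sockets on the host should show the Tomcat process only on 192.0.2.10:8080 (plus whatever the shutdown port was set to); anything bound to 0.0.0.0 or :: means a connector still lacks its address attribute.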
Securing Tomcat at Network Level (Cont’d)
Trustworthy connection using encryption of the network connection:
- SSL configuration: To secure an application, SSL must be configured. SSL provides encryption and decryption of the communication between two parties over the network, using public key encryption. The following steps configure Tomcat to use SSL
- Two different implementations of SSL are available:
– JSSE implementation, provided as part of the Java runtime
– APR implementation, which uses the OpenSSL engine and is used if the Tomcat native library is installed
- Edit the file CATALINA_HOME/conf/server.xml with the following code

- Add the following in CATALINA_HOME/webapps/manager/WEB-INF/web.xml under the <security-constraint> tags

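An added example (not from the slides) of the two edits: a JSSE connector in the Tomcat 8.0 attribute form, and the user-data-constraint that forces the manager application onto it. The keystore path, password and alias are placeholders; the cipher list is a constructed conservative choice, not a Tomcat default:

```xml
<!-- CATALINA_HOME/conf/server.xml: HTTPS connector using the JSSE implementation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="PLACEHOLDER-KEYSTORE-PASSWORD"
           keyAlias="tomcat"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>

<!-- CATALINA_HOME/webapps/manager/WEB-INF/web.xml: add the user-data-constraint
     to each existing security-constraint (one shown). A plain-HTTP request to
     the manager is then redirected to the connector's redirectPort, which must
     be 8443 to match the connector above -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager-gui</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

CONFIDENTIAL only redirects; credentials typed into a manager page that was first loaded over HTTP have already travelled in the clear once, so the cleaner fix is to remove the plain HTTP connector from the management interface altogether and keep only the TLS one.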
Securing Tomcat at Network Level (Cont’d)
- Use a valve to filter by IP address/host name so that only a subset of machines can connect
– Either of the following can be added inside the Context tag in CATALINA_HOME/conf/Catalina/localhost/context.xml
Example 1
<!-- allow only LAN IPs to connect to the manager webapp -->
<!-- contrary to the current Tomcat 7.0 documentation the value for allow is not a regular expression -->
<!-- future versions may have to be specified as 192\.168\.1\.* -->
<Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="192.168.1.*" />

Example 2
<!-- allow only hosts in localdomain.com to connect to the manager webapp -->
<!-- contrary to the current Tomcat 7.0 documentation the value for allow is not a regular expression -->
<!-- future versions may have to be specified as *\.localdomain\.com -->
<Valve className="org.apache.catalina.valves.RemoteHostValve" allow="*.localdomain.com" />

Securing Tomcat at Network Level (Cont’d)
- Mutual Authentication
– Certificate-based mutual authentication provides the mechanism to authenticate two parties by providing and verifying the certificate to each other. Web browsers authenticate themselves to a web server and the server also authenticates itself to the client by verifying the digital certificate

Securing Tomcat at Network Level (Cont’d)
- Create the client side keystore
command: $JAVA_HOME/bin/keytool -genkey -alias client -keyalg RSA -keystore client.jks
- Export the client side certificate file
command: $JAVA_HOME/bin/keytool -export -keystore client.jks -alias client -file client.cer
- Import client.cer into the server truststore
command: $JAVA_HOME/bin/keytool -importcert -file client.cer -keystore truststore.jks -alias client
- Convert client.jks to PKCS12 format
command: $JAVA_HOME/bin/keytool -importkeystore -srckeystore client.jks -destkeystore client.pfx -srcstoretype JKS -deststoretype pkcs12 -deststorepass "XXX" -srcalias client -destalias client
- Import the client.pfx file into the client side browser
- Configure server.xml
- Edit the file CATALINA_HOME/conf/server.xml with the following code

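An added example (not the slides' own code) of the server.xml edit, together with the web.xml and tomcat-users.xml entries that turn a verified client certificate into an authenticated user. It assumes the truststore.jks built by the keytool steps above sits in CATALINA_HOME/conf; passwords are placeholders and the subject DN is a constructed value that must be replaced with the DN keytool actually wrote into the client certificate:

```xml
<!-- CATALINA_HOME/conf/server.xml: the same JSSE connector as for plain TLS,
     plus the trust store holding the imported client certificates and
     clientAuth="true", so the handshake fails unless the client presents a
     certificate that chains to an entry in that store -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="PLACEHOLDER-KEYSTORE-PASSWORD"
           truststoreFile="${catalina.base}/conf/truststore.jks"
           truststorePass="PLACEHOLDER-TRUSTSTORE-PASSWORD"
           clientAuth="true"/>

<!-- WEB-INF/web.xml of the protected application: CLIENT-CERT makes the
     container use the certificate's subject DN as the user name it looks up
     in the realm, instead of prompting for a password -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client certificate</realm-name>
</login-config>

<!-- CATALINA_HOME/conf/tomcat-users.xml: the user name is the subject DN exactly
     as it appears in the client certificate (constructed DN below). No password
     is checked for CLIENT-CERT, so the attribute is left empty -->
<user username="CN=client, OU=Ops, O=Example, L=City, ST=State, C=US"
      password="" roles="manager-gui"/>
```

clientAuth="want" asks for a certificate but lets the handshake continue without one, which is useful for a transition period where only some clients have been issued certificates; with "true" the connector refuses every client that has none, which is the setting the slide's mutual authentication goal requires.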