• Java Security Manager
    – The policy enforced by Tomcat's SecurityManager is configured in CATALINA_HOME/conf/catalina.policy
    – Once the policy is in place, start Tomcat with the -security option (catalina.sh start -security) so that it runs under a SecurityManager
  • Java Package Access
    – Tomcat can restrict which Java packages web applications are allowed to access (the package.access list)
    – Code that tries to load a class from a restricted package without permission gets a SecurityException
    – To change the restriction, edit the package.access list in CATALINA_BASE/conf/catalina.properties

Tomcat General Security Setting

  • Do not make unnecessary changes to the default Tomcat configuration
  • Remove unneeded default applications (examples, docs, etc.) from the Tomcat webapps directory
  • Custom Error Page
    – It is best practice to define a custom error page for each web application; the mapping goes in CATALINA_HOME/webapps/webapp/WEB-INF/web.xml (see "Verify CustomError Settings in web.xml" below)
  • Automatic Deployment
    – Automatic deployment should be disabled so that a WAR file or context descriptor dropped into the appBase is not deployed without an administrator's action
    – This is done by editing CATALINA_HOME/conf/server.xml
    – Change the Host element in server.xml as follows (attribute names are case-sensitive)
    <Host … autoDeploy="false" deployOnStartup="false" …>

Tomcat General Security Setting (Cont’d)

  • Create a Manager user
    – Access to the Manager webapp is granted by adding a role and a user to CATALINA_HOME/conf/tomcat-users.xml
  • Rename the Manager webapp so that it is not reachable at the well-known /manager path
    – In the example below the new name is "sample" (the server/webapps paths are the Tomcat 5.x layout; in current releases the Manager lives under CATALINA_HOME/webapps/manager)
  1. Move CATALINA_HOME/conf/Catalina/localhost/manager.xml to CATALINA_HOME/conf/Catalina/localhost/sample.xml
  2. Update the docBase attribute within CATALINA_HOME/conf/Catalina/localhost/sample.xml to ${catalina.home}/server/webapps/sample
  3. Move CATALINA_HOME/server/webapps/manager to CATALINA_HOME/server/webapps/sample
  • Run Tomcat with a Security Manager that controls what web applications may access on the server
    – Start Tomcat with the -security parameter (catalina.sh start -security)

Verify Trace Element Setting in server.xml

  • The HTTP TRACE method makes the server echo the received request back to the client; it exists for debugging and is mainly useful while an application is being developed
  • Leaving TRACE enabled in production lets an attacker who can trigger a TRACE request read the request headers (cross-site tracing), including cookies and authorization headers
  • Set <Connector URIEncoding="UTF-8" … allowTrace="false" />. With allowTrace="false" (the default) Tomcat answers TRACE with 405 Method Not Allowed, so attackers cannot gain information from it

Vulnerable Configuration

Secure Configuration

Verify CustomError Settings in web.xml

  • Tomcat's default error page reports the exception class, its message, the stack trace and the server version
  • Attackers can use that information to make educated guesses about the application's internals and craft attacks against it; the exception details in particular can reveal how the application handles and stores data
  • With a custom error page, the user is redirected to a generic page on any error and the exception details stay in the server log

A secure web.xml maps HTTP error codes and the catch-all exception type java.lang.Throwable to a generic error page using <error-page> elements:

Secure Configuration
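The following is an added example, not code from this page or from the Tomcat project. It embeds a constructed web.xml with the error-page mappings described in the two custom-error-page sections above (the /error/generic.html location is an assumption) next to a constructed web.xml that maps only 404, and checks which of the required codes and the java.lang.Throwable catch-all are left unmapped. The required-code list and the function names are assumptions; the script can be pointed at a real WEB-INF/web.xml.

```python
"""Check that a web.xml maps HTTP error codes and the catch-all exception type to a
custom error page, as described above.

Usage: python check_error_pages.py CATALINA_HOME/webapps/<app>/WEB-INF/web.xml
Without an argument it checks the constructed samples below.
"""
import sys
import xml.etree.ElementTree as ET

# Status codes every application should map (assumption); the catch-all covers the rest.
REQUIRED_CODES = ("400", "401", "403", "404", "500")
CATCH_ALL = "java.lang.Throwable"

# Constructed sample of a secure web.xml (the /error/generic.html path is an assumption).
SECURE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <error-page><error-code>400</error-code><location>/error/generic.html</location></error-page>
  <error-page><error-code>401</error-code><location>/error/generic.html</location></error-page>
  <error-page><error-code>403</error-code><location>/error/generic.html</location></error-page>
  <error-page><error-code>404</error-code><location>/error/generic.html</location></error-page>
  <error-page><error-code>500</error-code><location>/error/generic.html</location></error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/generic.html</location>
  </error-page>
</web-app>"""

# Constructed sample that maps only 404: every other error falls back to Tomcat's
# default error page, which shows the exception class, message and stack trace.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <display-name>sample</display-name>
  <error-page><error-code>404</error-code><location>/error/notfound.jsp</location></error-page>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works for javaee and jakartaee web.xml files."""
    return tag.rsplit("}", 1)[-1]


def error_page_mappings(xml_text):
    """Return {error code or exception class: location} for every <error-page> element."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for element in root.iter():
        if _local(element.tag) != "error-page":
            continue
        key = location = None
        for child in element:
            name = _local(child.tag)
            if name in ("error-code", "exception-type"):
                key = (child.text or "").strip()
            elif name == "location":
                location = (child.text or "").strip()
        if key and location:
            mappings[key] = location
    return mappings


def missing_error_pages(xml_text):
    """Return the required codes and the catch-all that the web.xml leaves unmapped."""
    mappings = error_page_mappings(xml_text)
    missing = [code for code in REQUIRED_CODES if code not in mappings]
    if CATCH_ALL not in mappings:
        missing.append(CATCH_ALL)
    return missing


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"secure sample": SECURE_WEB_XML, "vulnerable sample": VULNERABLE_WEB_XML}
    for name, text in samples.items():
        missing = missing_error_pages(text)
        print("%s: %s" % (name, "OK" if not missing else "unmapped " + ", ".join(missing)))
```

The catch-all entry matters most: an <error-code> mapping only covers statuses the application sets explicitly, while an unmapped exception still reaches Tomcat's default page with its stack trace. Keep the target page static (or at least make sure it does not print the exception object) so the generic page does not reintroduce the leak.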

Verify maxPostSize Setting

  • The maxPostSize attribute of the Connector element limits the size of a POST body that Tomcat will parse for form parameters (2 MB by default)
  • Accepting unbounded request bodies lets a client tie up server memory and CPU, which puts the application at risk of denial-of-service attacks
  • Set <Connector … maxPostSize="6291456" /> (6 MB); a value less than zero, such as -1, disables the limit and must be avoided

Vulnerable Configuration

Secure Configuration
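The following is an added example, not code from this page or from the Tomcat project. It is a Python audit script that parses a server.xml with the standard library and reports each weak setting from the trace, maxPostSize and automatic-deployment sections above, together with the shutdown port, SecurityListener, address and server attributes from the checklist further down. The two server.xml documents embedded in it are constructed samples (one deliberately weak, one hardened); the address, server and 6291456 values, the finding wording and the function name are assumptions. Pointed at a real CATALINA_HOME/conf/server.xml it prints one line per finding.

```python
"""Audit a Tomcat server.xml for the hardening settings discussed on this page.

Usage: python audit_server_xml.py CATALINA_HOME/conf/server.xml
Without an argument it audits the constructed VULNERABLE_SERVER_XML sample.
"""
import sys
import xml.etree.ElementTree as ET

DEFAULT_MAX_POST = 2097152  # Tomcat's default maxPostSize, 2 MB
SECURITY_LISTENER = "org.apache.catalina.security.SecurityListener"

# Constructed sample: every checked setting left weak (hypothetical, not a real deployment).
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" allowTrace="true" maxPostSize="-1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" autoDeploy="true" deployOnStartup="true">
        <Context path="/legacy" docBase="legacy" crossContext="true" privileged="true"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the same layout with hardened values (address, server and the
# 6291456 limit are assumptions chosen to match the page).
SECURE_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="root"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               allowTrace="false" maxPostSize="6291456" server="Apache"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            autoDeploy="false" deployOnStartup="false" deployXML="false">
        <Context path="/legacy" docBase="legacy" crossContext="false" privileged="false"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_server_xml(xml_text):
    """Return one finding string per weak setting; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Shutdown port: port="-1" disables the shutdown listener (Tomcat must then be
    # stopped by signalling the process instead of with shutdown.sh).
    port = root.get("port", "8005")
    if port != "-1":
        findings.append('Server: shutdown port %s enabled; set port="-1"' % port)

    # Security Lifecycle Listener refuses to start Tomcat as the checked OS users (root by default).
    if SECURITY_LISTENER not in [l.get("className") for l in root.iter("Listener")]:
        findings.append("Server: SecurityListener missing; nothing stops Tomcat running as root")

    for conn in root.iter("Connector"):
        where = "Connector port=%s" % conn.get("port", "?")
        if _is_true(conn.get("allowTrace")):
            findings.append(where + ': allowTrace="true" lets clients echo requests with TRACE')
        try:
            max_post = int(conn.get("maxPostSize", DEFAULT_MAX_POST))
        except ValueError:
            max_post = DEFAULT_MAX_POST
        # A negative value disables the limit; older releases also treated 0 as unlimited.
        if max_post <= 0:
            findings.append(where + ": maxPostSize=%d disables the POST body limit" % max_post)
        if conn.get("address") is None:
            findings.append(where + ": no address attribute; connector binds every interface")
        if conn.get("server") is None:
            findings.append(where + ": no server attribute; older releases send a default Server header")

    # autoDeploy, deployOnStartup and deployXML all default to true when absent.
    for host in root.iter("Host"):
        for attr in ("autoDeploy", "deployOnStartup", "deployXML"):
            if host.get(attr, "true").strip().lower() != "false":
                findings.append("Host %s: %s is not false" % (host.get("name", "?"), attr))

    # crossContext and privileged default to false; only an explicit true is a finding.
    for ctx in root.iter("Context"):
        for attr in ("crossContext", "privileged"):
            if _is_true(ctx.get(attr)):
                findings.append('Context %s: %s="true"' % (ctx.get("path", "?"), attr))

    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = VULNERABLE_SERVER_XML
    findings = audit_server_xml(text)
    for finding in findings:
        print("FINDING:", finding)
    if not findings:
        print("OK: no weak settings found")
```

Two caveats when running it against a real installation: context files under CATALINA_BASE/conf/Catalina/<host>/ and META-INF/context.xml are not read, so crossContext and privileged must be checked there too, and the server attribute finding is informational on Tomcat 8.5 and later, which send no Server header unless the attribute is set.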

Tomcat Security Checklist

  • The following default settings must not be changed in server.xml
    – allowTrace="false" (Connector)
    – privileged="false" (Context)
    – crossContext="false" (Context)
    – allowLinking="false" (Context in Tomcat 7 and earlier, Resources element in Tomcat 8 and later)
  • Do not change the DefaultServlet readonly init-param from its default of true; readonly="false" lets clients create and delete files with PUT and DELETE
  • Make sure the following system properties are set in the startup script (e.g. via CATALINA_OPTS)
    – -Dorg.apache.catalina.connector.RECYCLE_FACADES=true (a new facade object is created for each request, so an application cannot retain a reference to another request's data)
    – -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=false
    – -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=false
    – -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false

Checklist for Security Configuration in server.xml File in Apache Tomcat

  • Shutdown Port
    – Set the port attribute of the Server element to -1 to disable the shutdown listener; otherwise anything that can connect to that port and knows the shutdown string can stop Tomcat (with -1, Tomcat has to be stopped by signalling the process)
  • Security Lifecycle Listener
    – Linux: the SecurityListener (<Listener className="org.apache.catalina.security.SecurityListener" />) refuses to start Tomcat as root, or as any other user listed in its checkedOsUsers attribute
  • Specifying Interfaces for Connectors
    – Set the address attribute of each Connector element so it binds only the interface it needs instead of every interface, which reduces the exposed attack surface
  • Disable allowTrace
    – allowTrace="true" enables the HTTP TRACE method, which echoes requests back to the client and becomes a source of sensitive information disclosure
  • Restrict sslEnabledProtocols
    – Limit the sslEnabledProtocols attribute of TLS connectors to current TLS versions; if legacy protocols with known weaknesses can be negotiated, an attacker may gain access to sensitive information such as passwords and cookies
  • Disable Directory Listing
    – When directory listing is enabled, the DefaultServlet displays the contents of any directory that has no welcome file, exposing the layout of the web application
    – Listing a directory with a large number of files is also expensive and can be used for denial of service. To disable it, set the DefaultServlet listings init-param to false
  • Disable Automatic Deployment (if not in use)
    – Ensure that the Host attributes autoDeploy, deployOnStartup and deployXML are set to false if not in use
  • Avoid running Tomcat as root
    – Do not run Tomcat under a user account with administrative privileges
    – Create a dedicated user account with the minimum OS permissions the Tomcat process needs

Tomcat High Availability

  • A highly available deployment keeps serving requests with effectively zero downtime when a node fails or a disaster occurs
  • A second Tomcat instance that can take over immediately is the way to achieve that
  • With session replication, a client's session (including its authenticated state) survives the loss of the instance that served it, so users do not have to re-authenticate when one server instance is down

Tomcat High Availability (Cont’d)

  • Tomcat Clustering Configuration:
    – Edit the file CATALINA_HOME/conf/server.xml and add a <Cluster> element inside the <Engine> section

Tomcat High Availability (Cont’d)

  • Tomcat Clustering Configuration:
    – Edit the application's WEB-INF/web.xml and add <distributable /> so that its sessions are replicated across the cluster
  • Restart the Tomcat service

Best Practices for Securing Tomcat

  • Delete everything from CATALINA_HOME/webapps (the default applications)
  • Delete everything from CATALINA_HOME/server/webapps
  • Delete CATALINA_HOME/conf/Catalina/localhost/host-manager.xml
  • Ensure that the default servlet does not list directory contents when a directory has no welcome file

This is set in CATALINA_HOME/conf/web.xml by giving the default servlet an init-param named listings with the value false

Best Practices for Securing Tomcat (Cont’d)

  • Replace the version string shown in HTTP error pages by updating ServerInfo.properties inside catalina.jar (CATALINA_HOME/server/lib/catalina.jar in the Tomcat 5.x layout, CATALINA_HOME/lib/catalina.jar in current releases)
  • Replace the default error page configuration in CATALINA_HOME/conf/web.xml with custom error-page mappings
  • Rename CATALINA_HOME/conf/server.xml to CATALINA_HOME/conf/server-original.xml
  • Rename CATALINA_HOME/conf/server-minimal.xml to CATALINA_HOME/conf/server.xml
  • Replace the server version string in HTTP response headers by adding the server attribute to your Connectors in CATALINA_HOME/conf/server.xml (Tomcat 8.5 and later send no Server header at all unless this attribute is set)

Remove all clear-text passwords from CATALINA_HOME/conf/server.xml