Michael Ji wrote:
No particular vulnerability higher than the case where you
are running a web server, if I am not wrong;

tomcat is the same as a webserver except JSP is its core
engine;

I would suggest following any instructions that Tomcat has
for locking it down.  For instance, there is a conf setting
(the default servlet setup in conf/web.xml) to disallow
reading directories when a welcome page (index.html,
index.jsp, etc.) is not present.  v5.5 comes with the manager
webapp disabled and the admin webapp uninstalled.  (I'm not
sure whether this practice started with v5.0.)

The invoker servlet should be disabled (conf/web.xml) too.

I have not seen any discussion about the dumbo passwords in the
tomcat-users.xml in the default install for user tomcat and
role1.  Just in case, my practice is to change those default
passwds.  (These might be for examples.)

Paul
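An added audit script (not from the thread or the Tomcat project) that checks the three lockdown points Paul lists: directory listings on the default servlet, a still-mapped invoker servlet, and default passwords in tomcat-users.xml. The two XML documents and the set of "known default" passwords are constructed assumptions, not copied from a real install.

```python
import xml.etree.ElementTree as ET
# Constructed samples standing in for conf/web.xml and conf/tomcat-users.xml.
WEB_XML = """<web-app>
 <servlet><servlet-name>default</servlet-name>
  <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
 </servlet>
 <servlet-mapping><servlet-name>invoker</servlet-name><url-pattern>/servlet/*</url-pattern>
 </servlet-mapping>
</web-app>"""
USERS_XML = """<tomcat-users>
 <user username="tomcat" password="tomcat" roles="tomcat"/>
 <user username="role1" password="tomcat" roles="role1"/>
 <user username="ops" password="Str0ng-unique-passphrase" roles="manager"/>
</tomcat-users>"""
KNOWN_DEFAULTS = {"tomcat"}  # assumed shipped default; password == username is flagged too

_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip any {namespace} so old and new files match

def _text(elem, name):  # text of the first direct child element called `name`
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def directory_listing_enabled(web_xml):
    """True if the default servlet still carries <init-param> listings=true."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) == "servlet" and _text(servlet, "servlet-name") == "default":
            for param in servlet:
                if _local(param.tag) == "init-param" and _text(param, "param-name") == "listings":
                    return _text(param, "param-value").lower() == "true"
    return False  # Tomcat's shipped default for listings is false

def invoker_mapped(web_xml):
    """True if a <servlet-mapping> still routes URLs to the invoker servlet."""
    return any(_local(m.tag) == "servlet-mapping" and _text(m, "servlet-name") == "invoker"
               for m in ET.fromstring(web_xml).iter())

def weak_accounts(users_xml):
    """Usernames whose password is a known default or just repeats the username."""
    return [u.get("username", "") for u in ET.fromstring(users_xml).iter()
            if _local(u.tag) == "user" and (u.get("password", "").lower() in KNOWN_DEFAULTS
                                            or u.get("password", "") == u.get("username"))]

def audit(web_xml, users_xml):
    """All lockdown gaps from Paul's list as plain findings; an empty list means clean."""
    findings = [f"tomcat-users.xml: weak password for '{u}'" for u in weak_accounts(users_xml)]
    if directory_listing_enabled(web_xml):
        findings.append("web.xml: default servlet directory listings are enabled")
    if invoker_mapped(web_xml):
        findings.append("web.xml: invoker servlet is still mapped")
    return findings
```

Point the two constants at the real files under `$CATALINA_HOME/conf` to run it against an installation; on the constructed samples `audit()` reports all four problems.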
