-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Jan,
On 2/26/15 4:26 PM, Jan Tosovsky wrote:
> On 2015-02-26 Aurélien Terrestris wrote:
>>
>> It reminds me of this doc, which is not bad for securing
>> Tomcat: https://www.owasp.org/index.php/Securing_tomcat
>>
>
> This is a good one. I've
On 2015-02-26 Aurélien Terrestris wrote:
>
> It reminds me of this doc, which is not bad for securing Tomcat:
> https://www.owasp.org/index.php/Securing_tomcat
>
This is a good one. I've also found this:
http://server.dzone.com/articles/hacking-liferay-%E2%80%93-securing
It would be nice to
On 2015-02-26 Christopher Schultz wrote:
> On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
> > I agree with Leon.
>
> As do I. Apache httpd can change the attack surface somewhat, but if
> requests can still come from an untrusted remote client through to the
> application server, then you still ha
Good post Christopher ;)
It reminds me of this doc, which is not bad for securing Tomcat:
https://www.owasp.org/index.php/Securing_tomcat
But it lacks some important information on Windows rights, which could
be more restricted (I'll try to post something about it one day). And
others like:
Aurélien,
On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
> I agree with Leon.
As do I. Apache httpd can change the attack surface somewhat, but if
requests can still come from an untrusted remote client through to the
application server, then you s
Jan,
On 2/25/15 5:13 PM, Jan Tosovsky wrote:
> there are plenty of resources mentioning that it is a must to run Tomcat as
> a dedicated user with limited permissions.
>
> Is it still true when Tomcat doesn't run standalone, but via Apache
> web server con
I agree with Leon. That said, a service account with low privileges
only gives filesystem protection; interesting data is usually stored
in the database, and you won't be more protected against SQL injections
or even against a modified JSP stored by the hacker (like in some old
STRUTS vulnerabiliti
Hello Jan,
That would be better, yes. For example, some time ago there was a virus
that would place a modified JSP in a webapp and try to access further data
from it. If the user Tomcat runs under had limited permissions,
such malware would have less chance of actually doing something
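An added example (not code from the thread or from the Tomcat project) for the dropped-JSP case Leon and Aurélien describe: a small POSIX sh integrity baseline that flags new, modified or missing JSP files under a webapps directory, so a JSP written there shows up even where the service account could write it. It assumes find, cksum and awk are available and that paths contain no whitespace; the webapps path and the baseline file are parameters.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Tomcat project.
# A minimal integrity baseline for the JSP files under a Tomcat webapps tree,
# so that a JSP dropped or altered by malware is flagged even where the
# service account was able to write it.
# Assumptions: POSIX sh, find, cksum and awk; paths contain no whitespace.

# Print "crc size path" for every .jsp/.jspx file under directory $1,
# sorted by path, so the output can be stored and diffed as a baseline.
jsp_baseline() {
  find "$1" -type f \( -name '*.jsp' -o -name '*.jspx' \) -exec cksum {} + \
    | sort -k 3
}

# Compare the JSP files under directory $1 with a baseline file $2 written by
# jsp_baseline (called with the same path). Prints one "NEW|MODIFIED|MISSING
# path" line per difference; returns 1 when anything differs, 0 otherwise.
jsp_changed() {
  jsp_baseline "$1" | awk -v base="$2" '
    BEGIN {
      # Load the baseline: path -> "crc size". A missing file loads nothing.
      while ((getline line < base) > 0) {
        split(line, f, " "); old[f[3]] = f[1] " " f[2]
      }
      close(base)
    }
    {
      if (!($3 in old))                { print "NEW " $3;      n++ }
      else if (old[$3] != ($1 " " $2)) { print "MODIFIED " $3; n++ }
      seen[$3] = 1
    }
    END {
      for (p in old) if (!(p in seen)) { print "MISSING " p; n++ }
      exit (n > 0)
    }'
}
```

Store the baseline somewhere the Tomcat service account cannot write, since a baseline the compromised account can rewrite proves nothing.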
Dear All,
there are plenty of resources mentioning that it is a must to run Tomcat as a
dedicated user with limited permissions.
Is it still true when Tomcat doesn't run standalone, but via an Apache web
server connected via AJP? That web server already runs in restrictive
mode.
Thanks, Jan