So basically run Tomcat as a specific user and tune the filesystem parameters to only allow access to the resources it needs (standard approach for every app, Java or not). Now focus all your attention on the application code (not Tomcat but the webapp): make sure all database interactions are escaped properly, etc., etc., etc.
One thing to look out for would be the use of JNI, i.e. native calls. I'm not sure if there is a way of preventing someone from packaging a .so in a WAR and then loading it into the app via code to bypass the lack of LD_LIBRARY_PATH (on *nix).
The authentication / authorisation stuff (e.g. realms) is all to do with access to webapps.
If you come across anything else I would be interested to know about it, especially if it is to do with securing Java in general.
PJ
Patrick Lacson wrote:
Specifically, authoritative articles on how to do this would be greatly appreciated.
On Wed, 23 Feb 2005 11:24:12 -0800, Patrick Lacson <[EMAIL PROTECTED]> wrote:
Does anybody have any links/documents on how to harden tomcat?
thanks, -- Patrick
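The points in the reply above (dedicated service account, restricted filesystem access, and native libraries smuggled inside a WAR) as a small audit script. This is an added example, not code from the thread or from Tomcat; it assumes a CATALINA_BASE-style layout (conf/, logs/, webapps/ under the root) and a service account named tomcat, and builds a constructed sample tree so it runs stand-alone.

```sh
#!/bin/sh
# Added example: audit a Tomcat tree for the three concerns in the reply.
# Assumes a CATALINA_BASE-style layout (conf/, logs/, webapps/ under $1).

# Print one "<kind> <path>" line per finding:
#   wrong-owner          entry not owned by the dedicated service account
#   world-writable       entry any local user could modify
#   native-lib-in-webapp a .so shipped inside a deployed webapp (JNI concern)
audit_tomcat_tree() {
    base="$1"; owner="$2"
    find "$base" ! -user "$owner" -print 2>/dev/null | sed 's/^/wrong-owner /'
    find "$base" ! -type l -perm -0002 -print 2>/dev/null | sed 's/^/world-writable /'
    find "$base/webapps" -name '*.so' -print 2>/dev/null | sed 's/^/native-lib-in-webapp /'
}

# Number of findings, for scripting a pass/fail gate.
count_findings() {
    audit_tomcat_tree "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree for a self-contained run: one world-writable log
# and one native library inside WEB-INF/lib are the deliberate defects.
make_sample_tree() {
    d=$(mktemp -d)
    (
        umask 022
        mkdir -p "$d/conf" "$d/logs" "$d/webapps/app/WEB-INF/lib"
        touch "$d/conf/server.xml" "$d/logs/catalina.out" \
              "$d/webapps/app/WEB-INF/lib/libnative.so"
        chmod 0666 "$d/logs/catalina.out"
    )
    echo "$d"
}

# Usage: sh audit.sh /path/to/tomcat tomcat   (service account name assumed)
if [ $# -ge 1 ]; then
    audit_tomcat_tree "$1" "${2:-tomcat}"
    exit $?
else
    # Demo against the constructed tree, owned by whoever runs the script.
    sample=$(make_sample_tree)
    audit_tomcat_tree "$sample" "$(id -un)"
    rm -rf "$sample"
fi
```

Run it against a real CATALINA_BASE after Tomcat is installed and again after each deployment, since a new WAR is the most likely way for a stray .so to appear.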