I know my answer is not a guide, but I do not believe there is a definitive
guide, because security is not a product you buy or get, or a feature
you switch on.
This short guide covers very basic web.xml security settings.

http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files/

I would disable any feature and port, and undeploy any application, that is
not needed for production (like the /docs application). Remember to keep it
all as simple as possible, so you at least have a chance to comprehend
what is happening.

You could also set up an Apache web server with mod_jk, making it the
"front" server of your Tomcat backend. I have this setup running on an
OpenBSD front server and it works great.

You could also run Tomcat locked inside a chroot (jail), although this
takes some work and maintenance.

It really depends on what the application does and which features it
needs. The "art" of security is knowing exactly what your application(s)
are doing and what they need, and trying to limit them accordingly.


On 10-07-2012 05:06, zeeman wrote:
> I'll be releasing the first version of my web app on Amazon EC2 on Ubuntu
> once Tomee 1.1 is released.  I have below questions:
> 
> 1- Most Linux distros have a Tomcat package but not a Tomee package. Distros
> include a simple way to use authbind to run Tomcat on port 80. Since I'll be
> installing Tomee manually, not via a distro package, what do I need to do to
> run Tomee on port 80 as an unprivileged user? 
> A Tomcat example
> http://case.bradysoftware.com/blog/2012/03/14/1331779080000.html
> 
> 2- Is there any documentation on securing Tomee. I understand it's Tomcat
> plus JavaEE but I figured I would ask in case there is Tomee-specific
> details.
> 
> 3- Any good guides on configuring Tomcat for production?
> 
> Some details are appreciated, it'll be a large web app and I don't want to have
> any security risks. Thanks!
> 
> --
> View this message in context: 
> http://openejb.979440.n4.nabble.com/Tomee-on-port-80-on-Linux-in-Production-tp4656198.html
> Sent from the OpenEJB User mailing list archive at Nabble.com.

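Following the advice in the reply above (undeploy what is not needed, put Apache httpd with mod_jk in front, and let Tomcat listen only on loopback), here is an added example script; it is not from this thread and not from the TomEE or Tomcat projects. It assumes the standard CATALINA_HOME layout (conf/server.xml, webapps/), a worker named "tomee", an application context "/myapp", and httpd-relative paths "modules/mod_jk.so" and "logs/mod_jk.log"; all of these are placeholders to adjust. Because httpd owns port 80 and forwards over AJP to 127.0.0.1:8009, Tomcat itself never binds a privileged port, so the Java process can run as an ordinary user without authbind.

```shell
#!/bin/sh
# Added example (not from the original thread or the TomEE project):
# post-install hardening for a hand-unpacked TomEE/Tomcat.
# Assumptions: standard CATALINA_HOME layout; httpd + mod_jk is the only
# public listener (port 80) and reaches Tomcat over AJP on 127.0.0.1:8009.
# The worker name "tomee", the context "/myapp" and all paths are placeholders.

# 1. Undeploy the stock applications that are not the production app.
#    ROOT is left alone so it can be replaced by (or redirect to) your app.
remove_default_webapps() {
    home="$1"
    for app in docs examples manager host-manager; do
        rm -rf "$home/webapps/$app" "$home/webapps/$app.war"
    done
}

# 2. httpd side: mod_jk directives plus the worker definition. Only /myapp/*
#    is mapped, so anything else deployed on the backend stays unreachable.
write_jk_config() {
    dir="$1"
    cat > "$dir/workers.properties" <<EOF
worker.list=tomee
worker.tomee.type=ajp13
worker.tomee.host=127.0.0.1
worker.tomee.port=8009
EOF
    cat > "$dir/jk.conf" <<EOF
LoadModule jk_module modules/mod_jk.so
JkWorkersFile $dir/workers.properties
JkLogFile logs/mod_jk.log
JkLogLevel info
JkMount /myapp/* tomee
EOF
}

# 3. Audit conf/server.xml: every live (non-commented, self-closing) Connector
#    must carry a loopback address, and the shutdown port must be disabled
#    with port="-1". Prints each violation; exit status 0 means clean.
check_server_xml() {
    awk '
        BEGIN { bad = 0 }
        /<!--/ { incomment = 1 }
        incomment { if (/-->/) incomment = 0; next }
        /<Server / && !/port="-1"/ { print "shutdown port enabled: " $0; bad = 1 }
        /<Connector/ { inconn = 1; buf = "" }
        inconn {
            buf = buf " " $0
            if (/\/>/) {
                inconn = 0
                if (buf !~ /address="(127\.0\.0\.1|::1|localhost)"/) {
                    print "connector not on loopback:" buf; bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Usage: ./harden.sh /opt/tomee (assumed install path)
if [ $# -gt 0 ]; then
    home="$1"
    remove_default_webapps "$home"
    check_server_xml "$home/conf/server.xml"
fi
```

The check step exits non-zero and lists every connector that is still reachable from outside, so it doubles as a post-deploy audit; run it again after every server.xml change. It only understands self-closing Connector elements, so a connector written with child elements and a closing tag is not evaluated and has to be reviewed by hand.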