Indu,

Indudhar Devanath wrote:
| I tried looking for one place where I could find information on the best
| practices for configuring Tomcat in production. I couldn't find it.
| Tomcat FAQ doesn't list that either. Is there any place where I can
| find more information on that?

Most of the "production" options for Tomcat are relatively
environment-specific.

| What I would like even better is, just put your thoughts on what you
| think should be considered. JVM options such as -Xmx and -Xms are well
| known. Are there any other JVM options that are worth considering?

I would enable "-server" if your machine does not choose the "server"
JVM automatically upon startup.

Obviously, setting memory sizes is something you should consider. I
would recommend setting the min and max to the same size, so the JVM
does not need to dynamically grow the heap during its lifetime.

| I am seeking both tomcat specific configuration settings and also JVM
| settings.

If you don't trust the applications being deployed on your server, or
you want an added level of security, you should run Tomcat with a
security manager enabled. See
http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html for
details.

Enabling a security manager will take some time, because you have to
make sure that anything your webapp needs to be able to access has been
enabled through the security manager configuration. You can't just turn
it on and expect everything to work properly. Make sure you test your
entire application before deploying with a security manager enabled.

Tomcat itself does not have very many options in general, so there's not
a lot of tweaking necessary. Most of the suggestions that I would give
are pretty standard for production deployments: turn off any options and
services that you do not absolutely need (in server.xml, for instance).
Disable any default webapps that are configured (even Tomcat's ROOT webapp).

Then, there's always http://www.owasp.org/index.php/Securing_tomcat

Hope that helps,
-chris
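
The checks suggested in the reply above can be run as a small audit. This is an added example, not part of the original message or of Tomcat itself. It assumes you pass it the option string of the running JVM and the path of the webapps directory; the function names and the list of stock webapp names (taken to be the default Tomcat 6 layout) are assumptions made for illustration.

```python
import re
from pathlib import Path

# Directory names assumed to ship in a stock Tomcat 6 webapps/ folder.
# ROOT may be your own application; treat a hit on it as "review by hand".
DEFAULT_WEBAPPS = {"ROOT", "docs", "examples", "manager", "host-manager"}
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}


def heap_bytes(opts, flag):
    """Return the last -Xms/-Xmx value in bytes, or None if the flag is absent."""
    found = re.findall(rf"(?:^|\s)-{flag}(\d+)([kmg]?)(?=\s|$)", opts, re.I)
    if not found:
        return None
    number, unit = found[-1]  # later flags override earlier ones
    return int(number) * UNITS[unit.lower()]


def audit_jvm_opts(opts):
    """Check a JVM option string against the advice in the reply."""
    findings = []
    tokens = opts.split()
    if "-server" not in tokens:
        findings.append("no -server flag: confirm the JVM picks the server VM itself")
    xms, xmx = heap_bytes(opts, "Xms"), heap_bytes(opts, "Xmx")
    if xms is None or xmx is None:
        findings.append("heap size not fully set: give both -Xms and -Xmx")
    elif xms != xmx:
        findings.append("-Xms and -Xmx differ: the heap will be resized at runtime")
    # Check the final command line: a start script may add this flag itself.
    if not any(t.startswith("-Djava.security.manager") for t in tokens):
        findings.append("security manager not enabled")
    return findings


def default_webapps_present(webapps_dir):
    """List stock webapps still deployed, as directories or .war files."""
    entries = Path(webapps_dir).iterdir()
    names = {p.stem if p.suffix == ".war" else p.name for p in entries}
    return sorted(names & DEFAULT_WEBAPPS)


if __name__ == "__main__":
    # Constructed sample option string, not taken from a real deployment.
    sample = "-Xms256m -Xmx1g -Dfile.encoding=UTF-8"
    for finding in audit_jvm_opts(sample):
        print("WARN", finding)
```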