Hi Rowan Thanks for your email! This would make a great page on the site, so please do follow up with your experiences as you get to grips with TomEE. It would be useful to know which version of TomEE you are running, as there are a couple of things that are slightly different between TomEE 7.x and TomEE 1.7.x, specifically in terms of the tomee/ejb servlet being available for remote EJB calls (it is off in TomEE 7.x by default).
As a start, I'd suggest you remove any applications you do not want from the webapps directory, and ensure that server.xml has only the ports that you wish to use. The config in server.xml is the same config you're used to with Tomcat, please do let us know if you encounter anything that doesn't work in that regard (the information on the page you reference should be good). Lock down any users and permissions in tomcat-users.xml, and check your realm config in server.xml - out of the box we ship with the UserDatabaseRealm (tomcat-user.xml) wrapped with the LockOutRealm. If you're putting HTTPD or NGinx in front of TomEE or you have complex LAN setup there may be other things you want to do to allow access to administrative applications from a management VLAN but not the outside world, for example - the above doesn't cover anything like that, but is hopefully useful as a start. Please do let us know if you have any questions or feedback! Jon On Wed, Jul 26, 2017 at 6:23 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote: > Hi Rowan, > > listing what didnt work can help to be more accurate but dont think we > duplicated this page on tomee site directly. > > > Romain Manni-Bucau > @rmannibucau <https://twitter.com/rmannibucau> | Blog > <https://blog-rmannibucau.rhcloud.com> | Old Blog > <http://rmannibucau.wordpress.com> | Github <https://github.com/ > rmannibucau> | > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory > <https://javaeefactory-rmannibucau.rhcloud.com> > > 2017-07-26 1:29 GMT+02:00 Rowan Burgess <rowan.j.burg...@gmail.com>: > > > Hello, > > > > Is there a guide/reference available that outlines "best practices" on > how > > to configure TomEE securely? > > > > I have used Tomcat in the past, and am familiar with steps such as those > > described in https://tomcat.apache.org/tomcat-8.0-doc/security-howto. > html > > , > > but I have not worked with TomEE before. > > > > I need to ensure that no ports/services have been exposed unnecessarily. > > > > I also need to ensure that there are no servlets / JSP's mapped and > > accessible by default. > > > > Appreciate any help/guidance you might have, > > > > Thanks! > > >
