Protecting your Tomcat with the Security Manager

Tomcat ships with a Security Manager that provides some protection against attacks. It is not a full layer-7 firewall, but it does give you file-access and network checks for free, and with them you can limit what a compromised or malicious web application can do in the way of defacement, intrusion, or denial of service. Let's see how to configure it easily.

  1. Configure the Security Manager
    Open the conf/catalina.policy file and, in the WEB APPLICATION PERMISSIONS section, add one SocketPermission per database host you connect to. The host:port below is a placeholder; replace it with your database's address:
    permission java.net.SocketPermission "dbhost.example:3306", "connect,resolve";

    Also add a FilePermission for each file you need to read (such as a properties file):
    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}testread.txt", "read";

    Same logic for writing a file:
    permission java.io.FilePermission "${catalina.base}${file.separator}testwrite.txt", "write";

  2. Activate the manager
    Edit the bin/ file so that its exec line reads:
    exec "$PRGDIR"/"$EXECUTABLE" start "$@" -security
  3. Write a test JSP
    Writing a JSP to test all this is pretty simple; you can download the JSP for this example here.
  4. Debugging
    In case of problems, you can debug by setting this option in
    Beware: it produces a huge volume of logs and can fill the filesystem very quickly.
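As an added example (not the JSP the post links to), here is a test page that exercises the three grants from step 1 plus one operation the default policy does not allow, and reports for each whether the Security Manager permitted it. The CATALINA_BASE, DB_HOST and DB_PORT constants are placeholders and must match the paths and host you actually wrote into catalina.policy; it assumes a Tomcat whose JSP compiler accepts Java 8 lambdas.

```jsp
<%@ page contentType="text/plain" import="java.io.*, java.net.*, java.util.concurrent.Callable" %>
<%!
    // Placeholders (assumptions): must match the entries granted in catalina.policy.
    // CATALINA_BASE is hard-coded rather than read from System.getProperty, because
    // reading that property is itself a PropertyPermission the policy may not grant.
    private static final String CATALINA_BASE = "/opt/tomcat";     // placeholder
    private static final String DB_HOST       = "dbhost.example";  // placeholder
    private static final int    DB_PORT       = 3306;              // placeholder

    private static final String READ_FILE  = CATALINA_BASE + File.separator + "conf"
                                           + File.separator + "testread.txt";
    private static final String WRITE_FILE = CATALINA_BASE + File.separator + "testwrite.txt";
    private static final String FORBIDDEN  = CATALINA_BASE + File.separator + "conf"
                                           + File.separator + "forbidden.txt";

    // Runs one action and classifies the outcome. A SecurityException means the
    // Security Manager refused it; any other exception means the manager allowed
    // it but the operation failed for an ordinary reason (missing file, refused
    // connection), which is still useful: the permission check itself passed.
    private static String probe(String label, Callable<?> action) {
        try {
            action.call();
            return label + ": ALLOWED";
        } catch (SecurityException e) {
            return label + ": DENIED by Security Manager (" + e.getMessage() + ")";
        } catch (Exception e) {
            return label + ": allowed by Security Manager, but failed: " + e;
        }
    }
%>
<%
    out.println("Security Manager installed: " + (System.getSecurityManager() != null));

    // Expected ALLOWED with the "read" FilePermission from step 1.
    out.println(probe("read  " + READ_FILE, () -> {
        try (FileInputStream in = new FileInputStream(READ_FILE)) { return in.read(); }
    }));

    // Expected ALLOWED with the "write" FilePermission from step 1.
    out.println(probe("write " + WRITE_FILE, () -> {
        try (FileWriter w = new FileWriter(WRITE_FILE, true)) { w.write("probe\n"); return null; }
    }));

    // Expected ALLOWED with the "connect,resolve" SocketPermission from step 1
    // (or "allowed ... but failed" if the database is simply not listening).
    out.println(probe("connect " + DB_HOST + ":" + DB_PORT, () -> {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(DB_HOST, DB_PORT), 2000);
            return null;
        }
    }));

    // Negative check: no grant covers writing under conf/, so this must be DENIED.
    // If it comes back ALLOWED, the manager is not active or the policy is too broad.
    out.println(probe("write " + FORBIDDEN, () -> {
        try (FileWriter w = new FileWriter(FORBIDDEN)) { w.write("should not happen\n"); return null; }
    }));
%>
```

Drop the file into a web application, start Tomcat with -security as in step 2, and request the page: the first three lines should read ALLOWED (or "allowed ... but failed" when the file or database does not exist) and the last one DENIED. Without -security every probe reports ALLOWED, which is a quick way to confirm whether the manager is actually running.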