
Protecting your Tomcat with the Security Manager

Tomcat ships with a Security Manager that provides some protection against attacks on a web application. It is not a full layer-7 firewall, but it does enforce file access and network checks, for free, so a compromised or misbehaving web application is limited in what it can read, write and connect to. With this we can reduce the risk of defacement, intrusion and denial of service. Here is how to configure it easily.

  1. Configure the Security Manager
    Open the conf/catalina.policy file and, in the WEB APPLICATIONS PERMISSIONS section, add one SocketPermission per database host and port that your applications connect to, for example:
    permission java.net.SocketPermission "10.10.12.12:1521", "connect,resolve";

    Also add a permission for each file that the application needs to read (such as a properties file):
    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}testread.txt", "read";

    The same logic applies to writing a file:
    permission java.io.FilePermission "${catalina.base}${file.separator}testwrite.txt", "write";

  2. Activate the manager
    Edit the bin/startup.sh file so that the start line passes the -security flag through to catalina.sh:
    exec "$PRGDIR"/"$EXECUTABLE" start "$@" -security
  3. Write a test JSP
    Writing a JSP to test all this is pretty simple, you can download the JSP for this example here.
  4. Debugging
    If something fails, you can debug by setting the option CATALINA_OPTS=-Djava.security.debug=all in catalina.sh.
    Beware: this produces enormous volumes of log output and can fill the filesystem very quickly; a narrower setting such as -Djava.security.debug=access,failure logs only the permission checks that are denied.
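As an added example (not the JSP linked from the original post), here is a test JSP covering steps 1 and 3: it exercises the three grants from the policy above plus one operation the policy does not grant, and reports for each whether the Security Manager allowed or denied it. The CATALINA_BASE path is a placeholder to replace with the real one (reading the catalina.base system property is itself a permission the default policy does not grant to web applications).

```jsp
<%@ page import="java.io.*, java.net.*, java.security.AccessControlException" %>
<%!
    // Placeholder (constructed value): set this to the real $CATALINA_BASE of the instance.
    private static final String CATALINA_BASE = "/opt/tomcat";
    private static final String SEP = File.separator;

    // Turns the outcome of one operation into a report line.
    // AccessControlException means the policy blocked it; any other exception means the
    // policy allowed it but the operation itself failed (file missing, database down, ...).
    private String report(String label, Exception e) {
        if (e == null) return label + ": ALLOWED\n";
        if (e instanceof AccessControlException)
            return label + ": DENIED by policy -> " + ((AccessControlException) e).getPermission() + "\n";
        return label + ": permitted by policy but failed -> " + e + "\n";
    }
%>
<%
    StringBuilder sb = new StringBuilder();
    Exception err;

    // 1. Read of the file granted "read" in catalina.policy (expected: ALLOWED)
    err = null;
    try (FileReader r = new FileReader(CATALINA_BASE + SEP + "conf" + SEP + "testread.txt")) { r.read(); }
    catch (Exception e) { err = e; }
    sb.append(report("read conf/testread.txt", err));

    // 2. Write of the file granted "write" in catalina.policy (expected: ALLOWED)
    err = null;
    try (FileWriter w = new FileWriter(CATALINA_BASE + SEP + "testwrite.txt")) { w.write("ok"); }
    catch (Exception e) { err = e; }
    sb.append(report("write testwrite.txt", err));

    // 3. Connect to the database host granted in catalina.policy (expected: ALLOWED, or a plain
    //    IOException if the database is unreachable; the permission check happens before connecting)
    err = null;
    try (Socket s = new Socket()) { s.connect(new InetSocketAddress("10.10.12.12", 1521), 2000); }
    catch (Exception e) { err = e; }
    sb.append(report("connect 10.10.12.12:1521", err));

    // 4. Read of a file the policy does NOT grant (expected: DENIED); this line is the proof
    //    that the Security Manager is actually active, since without it the read succeeds
    err = null;
    try (FileReader r = new FileReader(CATALINA_BASE + SEP + "conf" + SEP + "server.xml")) { r.read(); }
    catch (Exception e) { err = e; }
    sb.append(report("read conf/server.xml (not granted)", err));
%>
<pre><%= sb %></pre>
```

If check 4 reports ALLOWED, the manager is not running (step 2 did not take effect); if checks 1 to 3 report DENIED, the policy entries were not loaded from the WEB APPLICATIONS PERMISSIONS section or the paths differ from the ones in catalina.policy.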
