You are here

Protecting your Tomcat with the Security Manager

Tomcat comes with a Security Manager which provides some protection against hacking. Of course, it's not a full layer-7 firewall but at least it provides file access and network checking, for free. With this, we can somehow protect our website against defacement, intrusion, and service denial. Now, let's see how to configure it easily.

  1. Configure the Security Manager
    Open the conf/catalina.policy file and at the WEB APPLICATIONS PERMISSIONS, add as many SocketPermissions as databases you are using, for example :
    permission java.net.SocketPermission "10.10.12.12:1521", "connect,resolve";

    Also, add permissions for each file that you need to read (such as a properties file) :
    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}testread.txt", "read";

    Same logic for writing a file :
    permission java.io.FilePermission "${catalina.base}${file.separator}testwrite.txt", "write";

  2. Activate the manager
    Edit the bin/startup.sh file this way :
    exec "$PRGDIR"/"$EXECUTABLE" start "$@" -security
  3. Write a test JSP
    Writing a JSP to test all this is pretty simple, you can download the JSP for this example here.
  4. Debugging
    In case of problem, you can debug by setting this option CATALINA_OPTS=-Djava.security.debug=all in catalina.sh
    Beware it will gives tons of logs leading to a filesystem full very quickly.

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer


Fatal error: Class 'FeedsHTTPCache' not found in /usr/local/httpd-resources/vhosts/drupal-7.56/modules/feeds/feeds.module on line 82