Java Development News:
Understanding Tomcat Security
By John Turner, Ben Galbraith, Brian P. Rickabaugh, Vivek Chopra and Gotham Polisetty
01 May 2003 | TheServerSide.com
Misconfiguration and improper installation of web and application servers can be a serious problem and can adversely affect the integrity of your web application and its components. 'Understanding Tomcat Security', excerpted from the Apache Tomcat Security Handbook (Wrox), looks at the top ten web application vulnerabilities as listed by the Open Web Application Security Project. It covers the proper installation of Tomcat as a service running under an unprivileged user account, explains how to use a local firewall to add further layers of protection to network traffic, and shows you how to properly manage the default applications and Contexts included with Tomcat so as to minimize possible entry points for attacks.
About the Authors
John Turner is a senior application developer and UNIX systems administrator with Advertising Audit Service, Inc. in Farmington Hills, Michigan. A technology professional for over 10 years, John has experience in the automotive, health care, advertising, and finance industries. His industry interests include vintage technology, open source, mobile computing, and wireless networking. Outside interests and hobbies include cottage farming, dogs, recycling, history, tattoos, travel, multimedia, and electronica.
Ben Galbraith was hired by a major Silicon Valley computer manufacturer to develop Windows-based client-server applications with international deployments and hundreds of users. In 1995, Ben began developing for the Web and fell in love with Unix, vi, and Perl. After building countless web applications with Perl, Ben discovered server-side Java in 1999 and his relationship with Perl has since become somewhat estranged. Ben is presently a consultant in Provo, Utah. He regularly lectures, evangelizes, and gives classes on Java technology.
Brian P. Rickabaugh is a senior systems architect for a large global conglomerate in the financial, manufacturing, and media industries. He is also president of StrayCat Incorporated, a small business focused primarily on software consulting services. He has been developing web-centric, object-oriented software in C/C++ and Java for six years. He is also a huge proponent of open source software and the positive impact it can have on small, medium, and large organizations. His current focus is on XML and implementing web services technologies for internal and external systems integration.
Vivek Chopra has extensive experience in software design and development. He has worked on a range of technologies, including compilers, programming tools, middleware, and XML/web services. He has authored a number of books on web services technologies and on Apache Software. He is actively involved with Open Source software, and is a committer for the UDDI4J API.
Gotham Polisetty is the founder and principal architect of Global Software Solutions, Inc. in Charlotte, North Carolina. Gotham currently consults for large Fortune 500 companies and helps them architect complex distributed systems and solve problems related to the distribution of data and processing within these systems. Gotham has been involved in the IT industry since 1982 and consults extensively on the design and architectural issues involved in implementing large web-based corporate ERP systems. Gotham Polisetty can be reached at firstname.lastname@example.org