book

Tomcat: The Definitive Guide

by Jason Brittain, Ian F. Darwin

June 2003

Intermediate to advanced

320 pages

9h 52m

English

O'Reilly Media, Inc.

Read now

Unlock full access

A Note Regarding Supplemental Files
Preface
What’s This Book About?Why an Entire Book on Tomcat?Who This Book Is ForConventions Used in This BookHow to Contact UsAcknowledgmentsIan Darwin’s AcknowledgmentsJason Brittain’s Acknowledgments
1. Getting Started with Tomcat
1.1. Installing Tomcat1.1.1. Installing Tomcat on Linux1.1.1.1. Installing Tomcat from a Jakarta multiplatform binary release1.1.1.2. Installing Tomcat from a Jakarta Linux RPM1.1.2. Installing Tomcat on Solaris1.1.3. Installing Tomcat on Windows 20001.1.4. Installing Tomcat on Mac OS X1.1.5. Installing Tomcat on OpenBSD1.2. Starting, Stopping, and Restarting Tomcat1.2.1. Starting Up and Shutting Down1.2.1.1. Environment variables1.2.1.2. Starting and stopping on Linux and Solaris1.2.1.3. Starting and stopping on Windows 20001.2.1.4. Starting and stopping on Mac OS X1.2.1.5. Starting and stopping on OpenBSD1.2.2. Common Errors1.2.3. Restarting Tomcat1.2.3.1. Restarting Tomcat on Unix-based systems1.2.3.2. Restarting the Tomcat Windows Service1.3. Automatic Startup1.3.1. Automatic Startup on Linux1.3.2. Automatic Startup on Solaris1.3.3. Automatic Startup on Windows1.3.4. Automatic Startup on Mac OS X1.3.5. Automatic Startup on OpenBSD1.4. Testing Your Tomcat Installation
2. Configuring Tomcat
2.1. Using the Apache Web Server2.2. Managing Realms, Roles, and Users2.2.1. Realms2.2.1.1. UserDatabaseRealm2.2.1.2. JDBCRealm2.2.1.3. JNDIRealm2.2.1.4. JAASRealm2.2.2. Container-Managed Security2.2.2.1. Basic authentication2.2.2.2. Digest authentication2.2.2.3. Form authentication2.2.2.4. Client-cert authentication2.2.3. Single Sign-On2.3. Controlling Sessions2.3.1. Session Persistence2.3.1.1. StandardManager2.3.1.2. PersistentManager2.3.1.3. Using FileStore for storing sessions2.3.1.4. Using JDBCStore for storing sessions2.4. Accessing JNDI and JDBC Resources2.4.1. JDBC DataSources2.4.2. Other JNDI Resources2.5. Servlet Auto-Reloading2.6. Relocating the Web Applications Directory2.7. Customized User Directories2.8. Tomcat Example Applications2.9. Server-Side Includes2.10. Common Gateway Interface (CGI)2.11. The Tomcat Admin Application
3. Deploying Servlet and JSP Web Applications in Tomcat
3.1. Layout of a Web Application3.2. Manual Application Deployment3.2.1. Deploying Servlets and JavaServer Pages3.2.2. Working with WAR Files3.3. Automatic Deployment3.3.1. Plan A: Copying a WAR File3.3.2. Plan B: Context Fragments3.4. The Manager Application3.4.1. See Also3.5. Automation with Jakarta Ant3.5.1. Building a JAR/WAR3.5.2. Deployment3.5.3. Common Errors3.5.3.1. XML in property files3.5.3.2. FileNotFoundExceptions
4. Tomcat Performance Tuning
4.1. Measuring Web Server Performance4.1.1. Load Testing Tools4.2. External Tuning4.2.1. JVM Performance4.2.2. Operating System Performance4.3. Internal Tuning4.3.1. Disabling DNS Lookups4.3.2. Adjusting the Number of Threads4.3.3. Speeding Up JSP Compilation4.3.3.1. Changing the JSP compiler under Tomcat 4.04.3.3.2. Changing the JSP compiler under Tomcat 4.14.3.3.3. Precompiling JSPs4.4. Capacity Planning4.4.1. Anecdotal Capacity Planning4.4.2. Enterprise Capacity Planning4.4.3. Capacity Planning on Tomcat4.5. Additional Resources
5. Integration with Apache Web Server
5.1. Introduction5.2. The Pros and Cons of Integration5.2.1. Running Tomcat Standalone5.2.2. Running Tomcat with Apache httpd5.3. Installing Apache httpd5.4. Apache Integration with Tomcat5.4.1. Sharing the Load Using Separate Port Numbers5.4.2. Proxying from Apache to Tomcat5.4.2.1. Setting up Apache httpd5.4.2.2. Setting up Tomcat5.4.2.3. Verify that proxying works5.4.2.4. Disadvantages5.4.3. Using the mod_jk2 Connector5.4.3.1. Using binary releases5.4.3.2. Compiling mod_jk25.4.3.3. Master configuration file5.4.3.4. The workers2.properties file5.4.3.5. Starting up the integrated servers5.4.3.6. Configuring mod_jk2 to use a TCP socket5.4.3.7. Configuring mod_jk2 to use a Unix domain socket5.4.3.8. Common errors5.4.4. Two Programs in One Process: Tighter Integration5.4.5. Generating mod_jk2 Webapp URI Mappings5.5. Of Connectors and Configuration Files5.5.1. Configuration Files5.5.1.1. workers.properties5.5.1.2. urimap.properties5.5.1.3. workers2.properties5.6. Summary
6. Tomcat Security
6.1. Introduction6.2. Securing the System6.2.1. Operating System Security Forums6.2.2. Configuring Your Network6.3. Multiple Server Security Models6.4. Using the -security Option6.4.1. Granting File Permissions6.5. Setting Up a Tomcat chroot Jail6.5.1. Setting Up a chroot Jail6.5.2. Using a Non-root User in the chroot Jail6.6. Filtering Bad User Input6.6.1. Vulnerabilities6.6.1.1. Cross-site scripting6.6.1.2. HTML injection6.6.1.3. SQL injection6.6.1.4. Command injection6.6.2. HTTP Request Filtering6.6.3. See Also6.7. Securing Tomcat with SSL6.7.1. Setting Up an SSL Connector for Tomcat6.7.2. Multiple Server Certificates6.7.3. Client Certificates
7. Configuration Files and Their Elements
7.1. server.xml7.1.1. Server7.1.2. Service7.1.3. Connector7.1.3.1. Changing the port number from 80807.1.3.1.1. Running Tomcat via the Jakarta Commons Daemon component7.1.3.1.2. Common Errors7.1.4. Engine7.1.5. Host7.1.5.1. Virtual hosting7.1.6. Context7.1.7. DefaultContext7.1.8. Realm7.1.9. GlobalNamingResources7.1.9.1. Environment7.1.9.2. Resource7.1.9.3. ResourceParams7.1.9.4. See also7.1.10. Listener7.1.11. Loader7.1.12. Logger7.1.13. Manager7.1.13.1. Stores7.1.13.2. Resources7.1.13.3. Valve7.1.13.4. Controlling access log files with AccessLogValve7.1.13.5. RemoteHostValve and RemoteAddrValve7.2. web.xml7.2.1. web-app7.2.2. icon, display-name, and description7.2.3. distributable7.2.4. context-param7.2.5. filter and filter-mapping7.2.6. listener7.2.7. servlet7.2.8. servlet-mapping7.2.9. session-config7.2.10. mime-mapping7.2.11. welcome-file-list7.2.12. error-page7.2.13. taglib7.2.14. resource-env-ref7.2.15. resource-ref7.2.16. security-constraint7.2.16.1. See also7.2.17. login-config7.2.18. security-role7.2.19. env-entry7.2.20. ejb-ref and ejb-local-ref7.3. tomcat-users.xml7.4. catalina.policy
8. Debugging and Troubleshooting
8.1. Reading Log Files8.1.1. Hunting for Errors8.1.2. Making Sense of Multiple Files8.2. URLs and the HTTP Conversation8.2.1. HTTP Requests8.2.2. Response Codes and Headers8.2.3. Interacting with HTTP8.3. Debugging with RequestDumperValve8.4. When Tomcat Won’t Shut Down

9. Building Tomcat from Source
9.1. Installing Jakarta Ant9.2. Obtaining the Source9.2.1. Downloading Source Code9.2.2. Obtaining Source Code with CVS9.3. Downloading Support Libraries9.4. Building Tomcat
10. Tomcat Clustering
10.1. Clustering Terms10.2. The Communication Sequence of an HTTP Request10.2.1. DNS Request Distribution10.2.2. TCP NAT Request Distribution10.2.3. mod_jk2 Load Balancing and Failover10.2.4. Distributed Java Servlet Containers10.2.4.1. Servlet sessions10.2.4.2. Session affinity10.2.4.3. Replicated sessions10.2.4.3.1. Configuring and testing IP multicast10.2.4.3.2. Installing, configuring, and testing session replication10.2.5. JDBC Request Distribution and Failover10.3. Additional Resources
11. Final Words
11.1. Supplemental Resources11.1.1. Online Documentation That Ships with Tomcat11.1.2. The Jakarta Tomcat Web Documentation11.1.3. The Jakarta Tomcat Mailing List Archives11.1.4. Web Sites Related to This Book11.1.5. Third-Party Web Sites About Tomcat11.1.5.1. The #tomcat Internet Relay Chat (IRC) channel11.1.5.2. The Jakarta Tomcat mailing lists11.2. Community
A. Installing Java
A.1. Choosing a Java SDKA.1.1. Working Around the Kaffe JDKA.1.2. Sun Microsystems J2SE SDKA.1.3. IBM JDKA.1.4. BEA JRockitA.1.5. Apple J2SE 1.4.1
B. JSPs and Servlets
B.1. Why Both JSPs and Servlets?B.2. Simplifying JSPs with JavaBeans:Reusable ComponentsB.3. Simplifying Your JSPs with Custom TagsB.4. Extending TomcatB.4.1. Cocoon: XML PublishingB.4.2. Element Construction SetB.4.3. Formatted Objects Printing (FOP)B.4.4. JavaMail APIB.4.5. JetSpeed: Scalable Information PortalB.4.6. Lucene Text SearchingB.4.7. PDF GeneratorsB.4.8. POIB.4.9. SOAPB.4.10. StrutsB.4.11. VelocityB.4.12. WebDAVB.4.13. See Also
C. jbchroot.c
D. BadInputFilterValve.java
About the Authors
Colophon
Copyright

Content preview from Tomcat: The Definitive Guide

Chapter 6. Tomcat Security

Introduction

Everyone needs to be concerned about security, even if you’re just a mom-and-pop shop or someone running a personal web site with Tomcat. Once you’re connected to the big bad Internet, it is important to be proactive about security. There are a number of ways that bad guys can mess up your system if you aren’t. Worse, they can use your system as a launching pad for attacks on other sites.

In this chapter, we detail what security is and how to improve it in Tomcat. Still, lest you have any misconceptions, there is no such thing as a perfectly secure computer, unless it is powered off, encased in concrete, and guarded by both a live guard with a machine gun and a self-destruct mechanism in case the guard is overpowered. Of course, a perfectly secure computer is also a perfectly unusable computer. What you want is for your computer system to be “secure enough.”

A key part of security is encryption. E-commerce, or online sales, became one of the killer applications for the Web in the late 1990s. Sites such as eBay.com and Dell Computer handle hundreds of millions of dollars in retail and business transactions over the Internet. Of course, these sites are driven by programs, oftentimes the servlets and JSPs that run within a container like Tomcat. So, security of your Tomcat server is a priority.

This chapter briefly covers the basics of securing a server machine that runs Tomcat, and then goes on to discuss security within Tomcat. We look at operating ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Tomcat: The Definitive Guide, 2nd Edition

Publisher Resources

ISBN: 0596003188Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Tomcat: The Definitive Guide

by Jason Brittain, Ian F. Darwin

Chapter 6. Tomcat Security

Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.