Chapter 6. Tomcat Security
Everyone needs to be concerned about security, even if you're just a mom and pop shop or someone running a personal web site with Tomcat. Once you're connected to the big bad Internet, it is important to be proactive about security. Bad guys can mess up your system in a number of ways if you don't. Worse, they can use your system as a launching pad to start attacks on other sites.
In this chapter, we detail what security is and how to improve it in your Tomcat installation. Still, lest you have any misconceptions, there is no such thing as a perfectly secure computer, unless it is powered off, encased in concrete, and guarded by both a live guard with a machine gun and a self-destruct mechanism in case the guard is overpowered. Of course, a perfectly secure computer is also a perfectly unusable computer. What you want is your computer system to be "secure enough."
A key part of security is encryption. E-commerce, or online sales, became one of the killer applications for the Web in the late 1990s. Sites such as eBay and Dell handle hundreds of millions of dollars in retail and business transactions over the Internet. Of course, these sites are driven by programs, oftentimes the servlets and JSPs that run within a container like Tomcat, so security of your Tomcat server is a priority.
If, after reading this chapter and testing the security of your Tomcat installation, you find that there are either bugs or design flaws that make Tomcat insecure in some way, ...