book

Tomcat: The Definitive Guide, 2nd Edition

by Jason Brittain, Ian F. Darwin

October 2007

Intermediate to advanced

496 pages

16h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

What's This Book About?
Jason Brittain's AcknowledgmentsIan Darwin's Acknowledgments

Installing TomcatInstalling Tomcat on LinuxInstalling Tomcat from an Apache multiplatform binary releaseInstalling Tomcat from this book's Linux RPM packagesInstalling Tomcat from the JPackage.org Linux RPM packagesInstalling Tomcat on SolarisInstalling Tomcat on WindowsInstalling Tomcat on Mac OS XInstalling Tomcat on FreeBSD
Starting Up and Shutting DownEnvironment variablesStarting and stopping: The general caseStarting and stopping on LinuxStarting and stopping on SolarisStarting and stopping on WindowsStarting and stopping on Mac OS XStarting and stopping on FreeBSDCommon ErrorsRestarting TomcatThe general caseRestarting Tomcat on LinuxRestarting Tomcat on SolarisRestarting the Tomcat Windows ServiceRestarting Tomcat on Mac OS XRestarting Tomcat on FreeBSD
Automatic Startup on LinuxAutomatic Startup on SolarisAutomatic Startup on WindowsAutomatic Startup on Mac OS XAutomatic Startup on FreeBSD
A Word About Using the Apache Web Server
Relaying Port 80 TCP Connections to Port 8080Running Tomcat on Port 80 via a Service WrapperCommon Errors
RealmsUserDatabaseRealmJDBCRealmJNDIRealmJAASRealmContainer-Managed SecurityBasic authenticationDigest authenticationForm authenticationClient-cert authenticationSingle Sign-on
Session PersistenceStandardManagerPersistentManagerUsing FileStore for storing sessionsUsing JDBCStore for storing sessions
JDBC DataSourcesOther JNDI Resources
HostsThe Host Manager Webapp
Deploying Servlets and JavaServer Pages
server.xml Context DeploymentContext XML Fragment File Deployment
server.xml Context DeploymentContext XML Fragment File Deployment
Building a JAR/WARDeployment via AntCopying the WAR file or webapp directoryAccessing the Manager webappThe Tomcat standalone deployerThe scp Ant TaskCommon ErrorsXML in property filesFileNotFoundExceptions
Measuring Web Server PerformanceLoad-Testing Toolsab: The Apache benchmark toolSiegeApache Jakarta JMeterWeb Server Performance ComparisonTomcat connectors and Apache httpd connector modulesBenchmarked hardware and software configurationsBenchmark procedureBenchmark results and summaryWhat else we could have benchmarked
JVM PerformanceOperating System Performance
Disabling DNS LookupsAdjusting the Number of ThreadsSpeeding Up JSPsPrecompiling JSPs by requesting themPrecompiling JSPs at webapp start timePrecompiling JSPs at build time using JspC
Anecdotal Capacity PlanningEnterprise Capacity PlanningCapacity Planning on Tomcat
The Pros and Cons of IntegrationRunning Tomcat StandaloneIt's easier to set upNo web server connector module to worry aboutTomcat standalone is faster than Apache httpd proxying requests to TomcatPotential for better securityEase of migrationEase of upgradesTomcat has less supporting softwareFewer people who know Tomcat's web serverFewer web server featuresRunning Tomcat with Apache httpdTomcat's web server is faster than Apache httpdMore support softwareFaster startup and shutdown timesMore difficult to set upTomcat dynamic content slowdownPotential for additional security holesMore complicated upgrades
Sharing the Load Using Separate Port NumbersApache httpd is oblivious to Tomcat securityTwice the web servers to tune, maintain, and secureAwkward user experience and splintered loggingTroublesome double authenticationProxying from Apache httpd to TomcatSetting Up Apache httpdSetting Up TomcatVerify That Proxying WorksDisadvantagesApache httpd slows Tomcat's response timeTwice the web servers to tune, maintain, and secureTroublesome dual authenticationSee alsoProxying from Tomcat to Apache httpdUsing the mod_jk ConnectorUsing binary releasesCompiling mod_jkStarting up the integrated serversworkers.properties
Installing APRUsing binary releasesCompiling and installing APRBuilding and Installing the APR ConnectorConfiguring Tomcat to Use the APR Connector
Securing the SystemOperating System Security ForumsConfiguring Your Network
Setting Up a chroot JailUsing a Non-Root User in the chroot Jail
VulnerabilitiesCross site scriptingHTML injectionSQL injectionCommand injectionHTTP Request FilteringInstalling the BadInputValveInstalling the BadInputFilterSee also
Generating a Self-Signed Server CertificateRequesting and Installing a Commercial CertificateSetting Up an SSL Connector for TomcatConfiguring the JIO connector for SSLConfiguring the APR connector for SSLConfiguring the NIO connector for SSLClient Certificates
server.xmlServerServiceExecutorConnectorEngineHostVirtual hostingAliasContextRealmGlobalNamingResourcesEnvironmentResourceResourceEnvRefWatchedResourceListenerLoaderManagerStoresResourcesValveControlling access logs with an access log valveRemoteHostValve and RemoteAddrValveLimiting request concurrency with SemaphoreValveTransactionClusterChannelMembershipSenderTransportReceiverInterceptorMemberDeployerClusterListenerMigrating from Older Versions of TomcatMigrating from 4.1 to 5.0Migrating from 5.0 to 5.5Migrating from 5.5 to 6.0
web-appicon, display-name, and descriptiondistributablecontext-paramfilter and filter-mappinglistenerservletservlet-mappingsession-configmime-mappingwelcome-file-listerror-pagejsp-config and taglibresource-env-refresource-refSee alsosecurity-constraintSee alsologin-configSee alsosecurity-roleenv-entrySee alsoejb-ref and ejb-local-refservice-refmessage-destination-refmessage-destinationlocale-encoding-mapping-list
Reading Logfiles
HTTP RequestsResponse Codes and HeadersInteracting with HTTP
Installing Apache Ant
Downloading Source CodeObtaining Source Code from Apache's Subversion Repository
Clustering Terms
DNS Request DistributionTCP NAT Request Distributionmod_proxy Load Balancing and Failover
Servlet sessionsSession affinityReplicated sessions
FeaturesConfiguring and Testing IP MulticastConfiguring All-to-All ReplicationTesting Session ReplicationConfiguring Static MembershipConfiguring Primary/Backup Replication
Supplemental ResourcesOnline Documentation That Shipped with TomcatThe Apache Tomcat Web DocumentationThe Apache Tomcat Mailing List ArchivesWeb Sites Related to This BookThird-Party Web Sites About TomcatThe #tomcat IRC ChannelThe Apache Tomcat Mailing Lists
Choosing a Java JDK

Content preview from Tomcat: The Definitive Guide, 2nd Edition

Chapter 6. Tomcat Security

Everyone needs to be concerned about security, even if you're just a mom and pop shop or someone running a personal web site with Tomcat. Once you're connected to the big bad Internet, it is important to be proactive about security. Bad guys can mess up your system in a number of ways if you don't. Worse, they can use your system as a launching pad to start attacks on other sites.

In this chapter, we detail what security is and how to improve it in your Tomcat installation. Still, lest you have any misconceptions, there is no such thing as a perfectly secure computer, unless it is powered off, encased in concrete, and guarded by both a live guard with a machine gun and a self-destruct mechanism in case the guard is overpowered. Of course, a perfectly secure computer is also a perfectly unusable computer. What you want is your computer system to be "secure enough."

A key part of security is encryption. E-commerce, or online sales, became one of the killer applications for the Web in the late 1990s. Sites such as eBay and Dell handle hundreds of millions of dollars in retail and business transactions over the Internet. Of course, these sites are driven by programs, oftentimes the servlets and JSPs that run within a container like Tomcat, so security of your Tomcat server is a priority.

If, after reading this chapter and testing the security of your Tomcat installation, you find that there are either bugs or design flaws that make Tomcat insecure in some way, ...