book

Tomcat: The Definitive Guide, 2nd Edition

by Jason Brittain, Ian F. Darwin

October 2007

Intermediate to advanced

496 pages

16h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

What's This Book About?
Jason Brittain's AcknowledgmentsIan Darwin's Acknowledgments

Installing TomcatInstalling Tomcat on LinuxInstalling Tomcat from an Apache multiplatform binary releaseInstalling Tomcat from this book's Linux RPM packagesInstalling Tomcat from the JPackage.org Linux RPM packagesInstalling Tomcat on SolarisInstalling Tomcat on WindowsInstalling Tomcat on Mac OS XInstalling Tomcat on FreeBSD
Starting Up and Shutting DownEnvironment variablesStarting and stopping: The general caseStarting and stopping on LinuxStarting and stopping on SolarisStarting and stopping on WindowsStarting and stopping on Mac OS XStarting and stopping on FreeBSDCommon ErrorsRestarting TomcatThe general caseRestarting Tomcat on LinuxRestarting Tomcat on SolarisRestarting the Tomcat Windows ServiceRestarting Tomcat on Mac OS XRestarting Tomcat on FreeBSD
Automatic Startup on LinuxAutomatic Startup on SolarisAutomatic Startup on WindowsAutomatic Startup on Mac OS XAutomatic Startup on FreeBSD
A Word About Using the Apache Web Server
Relaying Port 80 TCP Connections to Port 8080Running Tomcat on Port 80 via a Service WrapperCommon Errors
RealmsUserDatabaseRealmJDBCRealmJNDIRealmJAASRealmContainer-Managed SecurityBasic authenticationDigest authenticationForm authenticationClient-cert authenticationSingle Sign-on
Session PersistenceStandardManagerPersistentManagerUsing FileStore for storing sessionsUsing JDBCStore for storing sessions
JDBC DataSourcesOther JNDI Resources
HostsThe Host Manager Webapp
Deploying Servlets and JavaServer Pages
server.xml Context DeploymentContext XML Fragment File Deployment
server.xml Context DeploymentContext XML Fragment File Deployment
Building a JAR/WARDeployment via AntCopying the WAR file or webapp directoryAccessing the Manager webappThe Tomcat standalone deployerThe scp Ant TaskCommon ErrorsXML in property filesFileNotFoundExceptions
Measuring Web Server PerformanceLoad-Testing Toolsab: The Apache benchmark toolSiegeApache Jakarta JMeterWeb Server Performance ComparisonTomcat connectors and Apache httpd connector modulesBenchmarked hardware and software configurationsBenchmark procedureBenchmark results and summaryWhat else we could have benchmarked
JVM PerformanceOperating System Performance
Disabling DNS LookupsAdjusting the Number of ThreadsSpeeding Up JSPsPrecompiling JSPs by requesting themPrecompiling JSPs at webapp start timePrecompiling JSPs at build time using JspC
Anecdotal Capacity PlanningEnterprise Capacity PlanningCapacity Planning on Tomcat
The Pros and Cons of IntegrationRunning Tomcat StandaloneIt's easier to set upNo web server connector module to worry aboutTomcat standalone is faster than Apache httpd proxying requests to TomcatPotential for better securityEase of migrationEase of upgradesTomcat has less supporting softwareFewer people who know Tomcat's web serverFewer web server featuresRunning Tomcat with Apache httpdTomcat's web server is faster than Apache httpdMore support softwareFaster startup and shutdown timesMore difficult to set upTomcat dynamic content slowdownPotential for additional security holesMore complicated upgrades
Sharing the Load Using Separate Port NumbersApache httpd is oblivious to Tomcat securityTwice the web servers to tune, maintain, and secureAwkward user experience and splintered loggingTroublesome double authenticationProxying from Apache httpd to TomcatSetting Up Apache httpdSetting Up TomcatVerify That Proxying WorksDisadvantagesApache httpd slows Tomcat's response timeTwice the web servers to tune, maintain, and secureTroublesome dual authenticationSee alsoProxying from Tomcat to Apache httpdUsing the mod_jk ConnectorUsing binary releasesCompiling mod_jkStarting up the integrated serversworkers.properties
Installing APRUsing binary releasesCompiling and installing APRBuilding and Installing the APR ConnectorConfiguring Tomcat to Use the APR Connector
Securing the SystemOperating System Security ForumsConfiguring Your Network
Setting Up a chroot JailUsing a Non-Root User in the chroot Jail
VulnerabilitiesCross site scriptingHTML injectionSQL injectionCommand injectionHTTP Request FilteringInstalling the BadInputValveInstalling the BadInputFilterSee also
Generating a Self-Signed Server CertificateRequesting and Installing a Commercial CertificateSetting Up an SSL Connector for TomcatConfiguring the JIO connector for SSLConfiguring the APR connector for SSLConfiguring the NIO connector for SSLClient Certificates
server.xmlServerServiceExecutorConnectorEngineHostVirtual hostingAliasContextRealmGlobalNamingResourcesEnvironmentResourceResourceEnvRefWatchedResourceListenerLoaderManagerStoresResourcesValveControlling access logs with an access log valveRemoteHostValve and RemoteAddrValveLimiting request concurrency with SemaphoreValveTransactionClusterChannelMembershipSenderTransportReceiverInterceptorMemberDeployerClusterListenerMigrating from Older Versions of TomcatMigrating from 4.1 to 5.0Migrating from 5.0 to 5.5Migrating from 5.5 to 6.0
web-appicon, display-name, and descriptiondistributablecontext-paramfilter and filter-mappinglistenerservletservlet-mappingsession-configmime-mappingwelcome-file-listerror-pagejsp-config and taglibresource-env-refresource-refSee alsosecurity-constraintSee alsologin-configSee alsosecurity-roleenv-entrySee alsoejb-ref and ejb-local-refservice-refmessage-destination-refmessage-destinationlocale-encoding-mapping-list
Reading Logfiles
HTTP RequestsResponse Codes and HeadersInteracting with HTTP
Installing Apache Ant
Downloading Source CodeObtaining Source Code from Apache's Subversion Repository
Clustering Terms
DNS Request DistributionTCP NAT Request Distributionmod_proxy Load Balancing and Failover
Servlet sessionsSession affinityReplicated sessions
FeaturesConfiguring and Testing IP MulticastConfiguring All-to-All ReplicationTesting Session ReplicationConfiguring Static MembershipConfiguring Primary/Backup Replication
Supplemental ResourcesOnline Documentation That Shipped with TomcatThe Apache Tomcat Web DocumentationThe Apache Tomcat Mailing List ArchivesWeb Sites Related to This BookThird-Party Web Sites About TomcatThe #tomcat IRC ChannelThe Apache Tomcat Mailing Lists
Choosing a Java JDK

Content preview from Tomcat: The Definitive Guide, 2nd Edition

Using the SecurityManager

One of the nice features of the Java runtime environment is that it allows application developers to configure fine-grained security policies for constraining Java code via SecurityManagers. This in turn allows you to accept or reject a program's attempt to shut down the JVM, access local disk files, or connect to arbitrary network locations.

In the case of Java server software, turning on the security manager with a carefully configured security policy can ensure that malicious network clients cannot command the JVM to access anything that the administrator did not preapprove. For example, your security policy can dictate that your custom servlets are not allowed to access any files on the filesystem. This would make it impossible for an attacker to carefully craft requests to use those custom servlets to expose the contents of files on the server; the security manager would stop them even if the servlets didn't.

Deciding When to Use the SecurityManager

Most Tomcat installations do not use and do not need the security manager feature. Without the security manager, and configured carefully, Tomcat itself is very secure. Most companies running Tomcat and other organizations and individual users of Tomcat do not need more security than what Tomcat provides without the security manager. Also, it takes some time and effort to write an effective security policy that does more than just cause trouble for the webapp developer(s), and it takes more time and effort ...