Tomcat: The Definitive Guide, 2nd Edition by Ian F. Darwin, Jason Brittain

Filtering Bad User Input

Regardless of what you use Tomcat for, if untrusted users can submit requests to your Tomcat server, it is at risk of being attacked by malicious users. Tomcat's developers have endeavored to make Tomcat as secure as possible, but ultimately it is Tomcat's administrators who install and configure Tomcat, and it is the web application developers who must write the web applications themselves to operate within Tomcat. As secure as Tomcat is, it is still easy to write an insecure web application; writing an application that merely does what it needs to do is difficult enough, and knowing all of the ways that malicious users could exploit the web application code, and how to prevent that exploitation, is not always something that web developers focus on.

Unfortunately, if the web application itself is not specifically written to be secure, Tomcat may not be secure either. There are a small number of well-known web application security exploits that can compromise a web site's security. For that reason, anyone administering a Tomcat installation should not assume that Tomcat has already taken care of all of the security concerns! Configuring Tomcat to use a security manager helps to contain a web application that wasn't written to be secure, and installing Tomcat in a chroot jail places OS kernel-level restrictions on it that are hard to break out of, but doing those things doesn't magically fix all of the application's vulnerabilities. Some exploits will still work, depending ...
