book

Tomcat: The Definitive Guide, 2nd Edition

by Jason Brittain, Ian F. Darwin

October 2007

Intermediate to advanced

496 pages

16h 50m

English

O'Reilly Media, Inc.

Read now

Unlock full access

What's This Book About?
Jason Brittain's AcknowledgmentsIan Darwin's Acknowledgments

Installing TomcatInstalling Tomcat on LinuxInstalling Tomcat from an Apache multiplatform binary releaseInstalling Tomcat from this book's Linux RPM packagesInstalling Tomcat from the JPackage.org Linux RPM packagesInstalling Tomcat on SolarisInstalling Tomcat on WindowsInstalling Tomcat on Mac OS XInstalling Tomcat on FreeBSD
Starting Up and Shutting DownEnvironment variablesStarting and stopping: The general caseStarting and stopping on LinuxStarting and stopping on SolarisStarting and stopping on WindowsStarting and stopping on Mac OS XStarting and stopping on FreeBSDCommon ErrorsRestarting TomcatThe general caseRestarting Tomcat on LinuxRestarting Tomcat on SolarisRestarting the Tomcat Windows ServiceRestarting Tomcat on Mac OS XRestarting Tomcat on FreeBSD
Automatic Startup on LinuxAutomatic Startup on SolarisAutomatic Startup on WindowsAutomatic Startup on Mac OS XAutomatic Startup on FreeBSD
A Word About Using the Apache Web Server
Relaying Port 80 TCP Connections to Port 8080Running Tomcat on Port 80 via a Service WrapperCommon Errors
RealmsUserDatabaseRealmJDBCRealmJNDIRealmJAASRealmContainer-Managed SecurityBasic authenticationDigest authenticationForm authenticationClient-cert authenticationSingle Sign-on
Session PersistenceStandardManagerPersistentManagerUsing FileStore for storing sessionsUsing JDBCStore for storing sessions
JDBC DataSourcesOther JNDI Resources
HostsThe Host Manager Webapp
Deploying Servlets and JavaServer Pages
server.xml Context DeploymentContext XML Fragment File Deployment
server.xml Context DeploymentContext XML Fragment File Deployment
Building a JAR/WARDeployment via AntCopying the WAR file or webapp directoryAccessing the Manager webappThe Tomcat standalone deployerThe scp Ant TaskCommon ErrorsXML in property filesFileNotFoundExceptions
Measuring Web Server PerformanceLoad-Testing Toolsab: The Apache benchmark toolSiegeApache Jakarta JMeterWeb Server Performance ComparisonTomcat connectors and Apache httpd connector modulesBenchmarked hardware and software configurationsBenchmark procedureBenchmark results and summaryWhat else we could have benchmarked
JVM PerformanceOperating System Performance
Disabling DNS LookupsAdjusting the Number of ThreadsSpeeding Up JSPsPrecompiling JSPs by requesting themPrecompiling JSPs at webapp start timePrecompiling JSPs at build time using JspC
Anecdotal Capacity PlanningEnterprise Capacity PlanningCapacity Planning on Tomcat
The Pros and Cons of IntegrationRunning Tomcat StandaloneIt's easier to set upNo web server connector module to worry aboutTomcat standalone is faster than Apache httpd proxying requests to TomcatPotential for better securityEase of migrationEase of upgradesTomcat has less supporting softwareFewer people who know Tomcat's web serverFewer web server featuresRunning Tomcat with Apache httpdTomcat's web server is faster than Apache httpdMore support softwareFaster startup and shutdown timesMore difficult to set upTomcat dynamic content slowdownPotential for additional security holesMore complicated upgrades
Sharing the Load Using Separate Port NumbersApache httpd is oblivious to Tomcat securityTwice the web servers to tune, maintain, and secureAwkward user experience and splintered loggingTroublesome double authenticationProxying from Apache httpd to TomcatSetting Up Apache httpdSetting Up TomcatVerify That Proxying WorksDisadvantagesApache httpd slows Tomcat's response timeTwice the web servers to tune, maintain, and secureTroublesome dual authenticationSee alsoProxying from Tomcat to Apache httpdUsing the mod_jk ConnectorUsing binary releasesCompiling mod_jkStarting up the integrated serversworkers.properties
Installing APRUsing binary releasesCompiling and installing APRBuilding and Installing the APR ConnectorConfiguring Tomcat to Use the APR Connector
Securing the SystemOperating System Security ForumsConfiguring Your Network
Setting Up a chroot JailUsing a Non-Root User in the chroot Jail
VulnerabilitiesCross site scriptingHTML injectionSQL injectionCommand injectionHTTP Request FilteringInstalling the BadInputValveInstalling the BadInputFilterSee also
Generating a Self-Signed Server CertificateRequesting and Installing a Commercial CertificateSetting Up an SSL Connector for TomcatConfiguring the JIO connector for SSLConfiguring the APR connector for SSLConfiguring the NIO connector for SSLClient Certificates
server.xmlServerServiceExecutorConnectorEngineHostVirtual hostingAliasContextRealmGlobalNamingResourcesEnvironmentResourceResourceEnvRefWatchedResourceListenerLoaderManagerStoresResourcesValveControlling access logs with an access log valveRemoteHostValve and RemoteAddrValveLimiting request concurrency with SemaphoreValveTransactionClusterChannelMembershipSenderTransportReceiverInterceptorMemberDeployerClusterListenerMigrating from Older Versions of TomcatMigrating from 4.1 to 5.0Migrating from 5.0 to 5.5Migrating from 5.5 to 6.0
web-appicon, display-name, and descriptiondistributablecontext-paramfilter and filter-mappinglistenerservletservlet-mappingsession-configmime-mappingwelcome-file-listerror-pagejsp-config and taglibresource-env-refresource-refSee alsosecurity-constraintSee alsologin-configSee alsosecurity-roleenv-entrySee alsoejb-ref and ejb-local-refservice-refmessage-destination-refmessage-destinationlocale-encoding-mapping-list
Reading Logfiles
HTTP RequestsResponse Codes and HeadersInteracting with HTTP
Installing Apache Ant
Downloading Source CodeObtaining Source Code from Apache's Subversion Repository
Clustering Terms
DNS Request DistributionTCP NAT Request Distributionmod_proxy Load Balancing and Failover
Servlet sessionsSession affinityReplicated sessions
FeaturesConfiguring and Testing IP MulticastConfiguring All-to-All ReplicationTesting Session ReplicationConfiguring Static MembershipConfiguring Primary/Backup Replication
Supplemental ResourcesOnline Documentation That Shipped with TomcatThe Apache Tomcat Web DocumentationThe Apache Tomcat Mailing List ArchivesWeb Sites Related to This BookThird-Party Web Sites About TomcatThe #tomcat IRC ChannelThe Apache Tomcat Mailing Lists
Choosing a Java JDK

Content preview from Tomcat: The Definitive Guide, 2nd Edition

Filtering Bad User Input

Regardless of what you use Tomcat for, if untrusted users can submit requests to your Tomcat server, it is at risk of being attacked by malicious users. Tomcat's developers have endeavored to make Tomcat as secure as possible, but ultimately it's Tomcat's administrators who install and configure Tomcat, and it's the web application developers who must develop the web applications themselves to operate within Tomcat. As secure as Tomcat is, it's still easy to write an insecure web application; however, just writing an application that does what it needs to do is difficult. Knowing about all of the ways that malicious users could exploit the web application code, and how to prevent that exploitation from happening, isn't always something that web developers focus on.

Unfortunately, if the web application itself is not specifically written to be secure, Tomcat may not be secure either. There are a small number of known web application security exploits that can compromise a web site's security. For that reason, anyone administering a Tomcat installation should not assume that Tomcat has already taken care of all of the security concerns! Configuring Tomcat to use a security manager helps to secure a web application that wasn't written to be secure, and installing it in a chroot jail places OS kernel-level restrictions that are hard to break out of, but doing those things doesn't magically fix all its vulnerabilities. Some exploits will still work, depending ...