I am in the process of setting up an new Tomcat deployment, and want it to be as secure as possible.
I have created a 'jakarta' user and have jsvc running Tomcat as a daemon. Any tips on directory permissions and such to limit access to Tomcat's files?
I know I will need to remove the default webapps – docs, examples, etc… are there any best practices I should be using here? What about all the config XML files? Any tips there?
Is it worth enabling the Security manager so that webapps run in a sandbox? Has anyone had experience setting this up?
I have seen examples of people running two instances of Tomcat behind Apache. It seems this can be done using mod_jk or with mod_proxy… any pros/cons of either? Is it worth the trouble?
In case it matters, the OS is Debian lenny. I am not using apt-get because lenny only offers tomcat 5.5 and we require 6.x.
Thanks!
Best Answer
You can install Tomcat 6 to run under
jsvc
as user tomcat (not as root). Here's what I did last time I set it up:I installed the Tomcat application under
/usr/java/tomcat
(CATALINA_HOME
) and an instance under/var/lib/tomcat
(CATALINA_BASE
):Then I built the
jsvc
wrapper:Finally, I tightened the permissions on the instance directories:
When you run Tomcat now, you'll need to start it using
jsvc
, so add this script as/etc/init.d/tomcat
and symlink it appropriately: