Links User Guide Reference Apache Tomcat Development | Security ConsiderationsIntroduction |
Tomcat is configured to be reasonably secure for most use cases by
default. Some environments may require more, or less, secure configurations.
This page is to provide a single point of reference for configuration
options that may impact security and to offer some commentary on the
expected impact of changing those options. The intention is to provide a
list of configuration options that should be considered when assessing the
security of a Tomcat installation.
Note: Reading this page is not a substitute for reading
and understanding the detailed configuration documentation. Fuller
descriptions of these attributes may be found in the relevant documentation
pages.
|
Non-Tomcat settings |
Tomcat configuration should not be the only line of defense. The other
components in the system (operating system, network, database, etc.) should
also be secured.
Tomcat should not be run under the root user. Create a dedicated user for
the Tomcat process and provide that user with the minimum necessary
permissions for the operating system. For example, it should not be possible
to log on remotely using the Tomcat user.
File permissions should also be suitable restricted. Taking the Tomcat
instances at the ASF as an example (where auto-deployment is disabled and
web applications are deployed as exploded directories), the standard
configuration is to have all Tomcat files owned by root with group Tomcat
and whilst owner has read/write priviliges, group only has read and world
has no permissions. The exceptions are the logs, temp and work directory
that are owned by the Tomcat user rather than root. This means that even if
an attacker compromises the Tomcat process, they can't change the
Tomcat configuration, deploy new web applications or modify existing web
applications. The Tomcat process runs with a umask of 007 to maintain these
permissions.
At the network level, consider using a firewall to limit both incoming
and outgoing connections to only those connections you expect to be
present.
|
Default web applications |
Tomcat ships with a number of web applications by default.
Vulnerabilities have been discovered in these applications in the past.
Applications that are not required should be removed so the system will not
be at risk if another vulnerability is discovered.
|
Security manager |
Enabling the security manager causes web applications to be run in a
sandbox, significantly limiting a web application's ability to perform
malicious actions such as calling System.exit(), establishing network
connections or accessing the file system outside of the web application's
root and temporary directories. However, it should be noted that there are
some malicious actions, such as triggering high CPU consumption via an
infinite loop, that the security manager cannot prevent.
Enabling the security manager is usually done to limit the potential
impact, should an attacker find a way to compromise a trusted web
application . A security manager may also be used to reduce the risks of
running untrusted web applications (e.g. in hosting environments) but it
should be noted that the security manager only reduces the risks of
running untrusted web applications, it does not eliminate them. If running
multiple untrusted web applications, it is recommended that each web
application is deployed to a separate Tomcat instance (and ideally separate
hosts) to reduce the ability of a malicious web application impacting the
availability of other applications.
Tomcat is tested with the security manager enabled; but the majority of
Tomcat users do not run with a security manager, so Tomcat is not as well
user-tested in this configuration. There have been, and continue to be,
bugs reported that are triggered by running under a security manager.
The restrictions imposed by a security manager are likely to break most
applications if the security manager is enabled. The security manager should
not be used without extensive testing. Ideally, the use of a security
manager should be introduced at the start of the development cycle as it can
be time-consuming to track down and fix issues caused by enabling a security
manager for a mature application.
|
server.xml |
General |
The default server.xml contains a large number of comments, including
some example component definitions that are commented out. Removing these
comments makes it considerably easier to read and comprehend
server.xml.
If a component type is not listed, then there are no settings for that
type that directly impact security.
|
Server |
Setting the port attribute to -1 disables
the shutdown port.
If the shutdown port is not disabled, a strong password should be
configured for shutdown.
|
Listeners |
The APR Lifecycle Listener is not stable if compiled on Solaris using
gcc. If using the APR/native connector on Solaris, compile it with the
Sun Studio compiler.
The Security Listener should be enabled and configured as appropriate.
|
Connectors |
By default, an HTTP and an AJP connector are configured. Connectors
that will not be used should be removed from server.xml.
The address attribute may be used to control which IP
address the connector listens on for connections. By default, the
connector listens on all configured IP addresses.
The allowTrace attribute may be used to enable TRACE
requests which can be useful for debugging. Due to the way some browsers
handle the response from a TRACE request (which exposes the browser to an
XSS attack), support for TRACE requests is disabled by default.
The maxPostSize attribute controls the maximum size
of a POST request that will be parsed for parameters. The parameters are
cached for the duration of the request so this is limited to 2MB by
default to reduce exposure to a DOS attack.
The maxSavePostSize attribute controls the saving of
POST requests during FORM and CLIENT-CERT authentication. The parameters
are cached for the duration of the authentication (which may be many
minutes) so this is limited to 4KB by default to reduce exposure to a DOS
attack.
The xpoweredBy attribute controls whether or not the
X-Powered-By HTTP header is sent with each request. If sent, the value of
the header contains the Servlet and JSP specification versions, the full
Tomcat version (e.g. Apache Tomcat/7.0.0), the name of the JVM vendor and
the version of the JVM. This header is disabled by default. This header
can provide useful information to both legitimate clients and attackers.
The server attribute controls the value of the Server
HTTP header. The default value of this header for Tomcat 4.1.x, 5.0.x,
5.5.x, 6.0.x and 7.0.x is Apache-Coyote/1.1. This header can provide
limited information to both legitimate clients and attackers.
The SSLEnabled, scheme and
secure attributes may all be independently set. These are
normally used when Tomcat is located behind a reverse proxy and the proxy
is connecting to Tomcat via HTTP or HTTPS. They allow Tomcat to see the
SSL attributes of the connections between the client and the proxy rather
than the proxy and Tomcat. For example, the client may connect to the
proxy over HTTPS but the proxy connects to Tomcat using HTTP. If it is
necessary for Tomcat to be able to distinguish between secure and
non-secure connections received by a proxy, the proxy must use separate
connectors to pass secure and non-secure requests to Tomcat. If the
proxy uses AJP then the SSL attributes of the client connection are
passed via the AJP protocol and separate connectors are not needed.
The tomcatAuthentication attribute is used with the
AJP connectors to determine if Tomcat should authenticate the user or if
authentication can be delegated to the reverse proxy that will then pass
the authenticated username to Tomcat as part of the AJP protocol.
The allowUnsafeLegacyRenegotiation attribute provides
a workaround for
CVE-2009-3555, a TLS man in the middle attack. This workaround applies
to the BIO connector. It is only necessary if the underlying SSL
implementation is vulnerable to CVE-2009-3555. For more information on the
current state of this vulnerability and the work-arounds available see the
Tomcat 7 security
page.
|
Host |
The host element controls deployment. Automatic deployment allows for
simpler management but also makes it easier for an attacker to deploy a
malicious application. Automatic deployment is controlled by the
autoDeploy and deployOnStartup
attributes. If both are false , only Contexts defined in
server.xml will be deployed and any changes will require a Tomcat restart.
In a hosted environment where web applications may not be trusted, set
the deployXml attribute to false to ignore any
context.xml packaged with the web application that may try to assigned
increased privileges to the web application.
|
Context |
The crossContext attribute controls if a context is
allowed to access the resources of another context. It is
false by default and should only be changed for trusted web
applications.
The privileged attribute controls if a context is
allowed to use container provided servlets like the Manager servlet. It is
false by default and should only be changed for trusted web
applications.
The allowLinking attribute controls if a context is
allowed to use linked files. If enabled and the context is undeployed, the
links will be followed when deleting the context resources. To avoid this
behaviour, use the aliases attribute. Changing this
setting from the default of false on case insensitive
operating systems (this includes Windows) will disable a number of
security measures and allow, among other things, direct access to the
WEB-INF directory.
|
Realms |
The MemoryRealm is not intended for production use as any changes to
tomcat-users.xml require a restart of Tomcat to take effect.
The JDBCRealm is not recommended for production use as it is single
threaded for all authentication and authorization options. Use the
DataSourceRealm instead.
The UserDatabaseRealm is not intended for large-scale installations. It
is intended for small-scale, relatively static environments.
The JAASRealm is not widely used and therefore the code is not as
mature as the other realms. Additional testing is recommended before using
this realm.
By default, the realms do not implement any form of account lock-out.
This means that brute force attacks can be successful. To prevent a brute
force attack, the chosen realm should be wrapped in a LockOutRealm.
|
Manager |
The manager component is used to generate session IDs.
The default entropy value has been shown to generate predictable values
under certain conditions. For more secure session generation, this should
be set to a long string. This is done automatically if the APR/native
library is installed; a random value will be obtained from the APR/native
library.
The class used to generate random session IDs may be changed with
the randomClass attribute.
The length of the session ID may be changed with the
sessionIdLength attribute.
|
|
System Properties |
Setting org.apache.catalina.connector.RECYCLE_FACADES
system property to true will cause a new facade object to be
created for each request. This reduces the chances of a bug in an
application exposing data from one request to another.
The
org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH
system properties allow non-standard parsing of the request URI. Using
these options when behind a reverse proxy may enable an attacker to bypass
any security constraints enforced by the proxy.
The
org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER
system property has security implications if disabled. Many user
agents, in breach of RFC2616, try to guess the character encoding of text
media types when the specification-mandated default of ISO-8859-1 should be
used. Some browsers will interpret as UTF-7 a response containing characters
that are safe for ISO-8859-1 but trigger an XSS vulnerability if interpreted
as UTF-7.
|
CATALINA_BASE/conf/web.xml |
The DefaultServlet is configured with readonly set to
true . Changing this to false allows clients to
delete or modify static resources on the server and to upload new
resources. This should not normally be changed without requiring
authentication.
The DefaultServlet is configured with listings set to
false . This isn't because allowing directory listings is
considered unsafe but because generating listings of directories with
thousands of files can consume significant CPU leading to a DOS attack.
|
General |
BASIC and FORM authentication pass user names and passwords in clear
text. Web applications using these authentication mechanisms with clients
connecting over untrusted networks should use SSL.
The session cookie for a session with an authenticated user are nearly
as useful as the user's password to an attacker and in nearly all
circumstances should be afforded the same level of protection as the
password itself. This usually means authenticating over SSL and continuing
to use SSL until the session ends.
|
|