Tomcat FAQ

Security

Security issues. But first a helpful link or two ...

• Using OpenSSL to set up your own CA

• OH NO! PORT 8005 is available for anyone on localhost to shutdown my tomcat!
• What about Tomcat running as root?
• How to I force all my pages to run under HTTPS?
• What is the default login for the manager and admin app?
• How do I restrict access by ip address or remote host?

OH NO! PORT 8005 is available for anyone on localhost to shutdown my tomcat!

See these 2 discussions.

• Possible to switch off tcp/ip server shutdown?
• Tomcat shutdown & security

What about Tomcat running as root?

See these threads:

• Tomcat as root and security issues

How to I force all my pages to run under HTTPS?

Use security-constraint in web.xml.

What is the default login for the manager and admin app?

The admin and manager application do not provide a default login. Doing so is a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml if you are using the default install. Configuring Manager Application Access

How do I restrict access by ip address or remote host?

By using the RemoteHostValve or RemoteAddrValve. Warning, these valves rely on accurate incoming ip addresses or hostnames. So they can fall victim to spoofing! Valve Reference Link