Tomcat is a worldwide-used Web server for JSP and servlets. It runs with proper the JAVA Runtime and supports object-oriented Web application deployement.
Running Tomcat is simple; just install Tomcat with the default installer given on Tomcat’s website. No one knows fully how dangerous Tomcat is. The major security risks with Tomcat Web applications are the following:
Tomcat’s JSP or bean called in JSP can do the following highly risky tasks:
- Run an application in System Context of Windows
- Read the contents of any file in any directory
- Delete files in any directory
- Create new files in any directory
Although Tomcat did provide a good deal of security, it still fails due to the following method:
- After installation, Tomcat Runs As a System Service.
- If it is not run as a system service, by default all Web server administrators run Tomcat As Administrator.
These two things allow Java Run Time to access any files in any directory of any Windows machine. By default, Java Run Time takes the security privileges according to the user that is running the Java Run Time. When Tomcat is run by an administrator or as a System Service, Java Run Time gets all the rights that the System User has or Administrator has. In that manner, Java Run Time gets the complete rights to all files in all directories. And, Servlets (JSP converted to Servlets) gets the same previlleges. So, the Java code can call File API in Java SDK to list all files in the directory, delete any file, and also the greatest risk is to RUN a program with system provileges. When any Servlet has code like this:
Runtime rt = Runtime.getRuntime(); rt.exec("c:SomeDirectorySomeUnsafeProgram.exe")
this is the greatest risk, and it’s unknown to many people.
Ways to Secure Tomcat
Initial Step to Create a User
- Create a general user as ITOMCAT_computername.
- Set password to some password.
- Set Password Never Expires to checked.
Modifying the Rights of a Tomcat-Installed Directory
- Go to the Tomcat-installed directory: CATALINA_HOME or TOMCAT_HOME.
- Give ITOMCAT_computername a user, such as Read, Write, Execute, or Access.
- Give the ITOMCAT_computername user read-only access to the WebApps folder.
- If some Web app requires Write access, exclusively grant the Write access to that directory.
When you want to run Tomcat as a system service, take the following steps.
- Go to Control Panel, select Administrative Tools, and then select Services.
- Go to the Properties of the Tomcat exe: Apache Tomcat.exe, and so forth.
- Go to the Log On tab.
- Select the Log On Using option.
- Enter username as the newly created ITOMCAT_computername.
- Enter the password.
- Restart your machine.
When you want to run Tomcat in a DOS prompt, follow these steps:
- Open a DOS prompt by typing CMD in the Start button’s Run option.
- Type the “RunAs /user:ITOMCAT_computername CMD.exe” command.
- It will ask you for a password for ITOMCAT_computername user; enter the password here.
- This will open a new DOS prompt.
- In this DOS prompt, go to Tomcat’s bin directory.
- Type “catalina run”.
- Close the old DOS prompt.
Running a new DOS prompt on ITOMCAT_computername gives only the privileges of this user; when you run Tomcat from this new DOS prompt, it gets the rights only of this selected user. Tomcat is safe in this way.
To find more about Akash Kava please visit http://akash.kava.neurospeech.com.
This article is provided in view of securing Tomcat for all Web server administrators. If anyone misuses this article or if anyone loses important data, I am not responsible for it. Please read and implement this article at your own risk.
NeuroSpeech Technologies reserves all rights to this article. This article can be distributed as electronic media or published to magazines provided no single word is modified or deleted. NeuroSpeech Technologies owns this article and in every publication of this article, a copyright notice must exist at the bottom.
Copyright © 2003 by NeuroSpeech Technologies