WebApp Sec
mailing list archives
Re: Securing Tomcat
From: oc.rynning.no () securityfocus com
Date: 7 Jan 2006 00:34:35 -0000
Four (obvious) points:
* Run as a non-privileged user (You might want to use a pre-emptive kernel to ensure performance).
* Limit access to manager and administrator to localhost, admin-ip/-net. (and choose a proper password).
* Change error messages (if the service is down, don't advertise the stacktrace, give a generic apology). (This is
security by obscurity but nonetheless it hides specifics that may give an attacker information about possible
injections or DoS).
* Use a web-tier:
Firewall <-> (load balancer if its for a web cluster) <-> Web frontend (Apache) <-> Firewall <-> Tomcat Application
Server (cluster)
For inexpensive solutions, i.e. use two Linux servers with packet filters...
For the connections between Apache and Tomcat you have several options. If you choose Apache, you have mod_jk, mod_jk2
(deprecated), mod_proxy_ajp, mod_proxy, mod_voodoo (my favourite).
Alternatives to Apache can be simple proxying servers or caching proxies such as Squid (with an ipfilter redirect of
port 80 to port 8080 on the application server). The point is that there are many options. I usually use Apache2 with
mod_voodoo or mod_proxy (_ajp) on the frontend and run Tomcat on its own server only accepting connections from the
web frontend using iptables (netfilter). The downside with mod_proxy is that it is proxying - whereas voodoo forwards
the client IP, etc.
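The netfilter restriction the post describes (the Tomcat host accepting its application ports only from the web frontend), as an added example that is not from the original post. The frontend address 10.0.0.2, the admin network 10.0.1.0/24 and the ports 8080 (HTTP) and 8009 (AJP, used by mod_jk / mod_proxy_ajp) are assumptions; the function prints the rules so they can be reviewed before being piped to a shell as root.

```shell
#!/bin/sh
# Netfilter policy for a Tomcat server sitting behind an Apache frontend.
# Constructed example: 10.0.0.2 is the frontend, 10.0.1.0/24 the admin network.
# Tomcat is assumed to listen on 8080 (HTTP) and 8009 (AJP).
tomcat_rules() {
    frontend="$1"   # only host allowed to reach the Tomcat ports
    admin_net="$2"  # only network allowed to reach SSH on this host
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $admin_net --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $frontend --dport 8009 -j ACCEPT
iptables -A INPUT -p tcp -s $frontend --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport 8009 -j REJECT --reject-with tcp-reset
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "tomcat-drop: "
EOF
}

# Self-check: number of ACCEPT rules for a given port in the generated policy.
# Exactly one per Tomcat port means only the frontend source is admitted.
accept_rules_for_port() {
    tomcat_rules "$1" "$2" | grep -c -e "--dport $3 -j ACCEPT"
}

# Review the ruleset, then apply it as root with:
#   tomcat_rules 10.0.0.2 10.0.1.0/24 | sh
```

Everything not matched is dropped by the INPUT policy; the LOG rule before it records the rejected attempts (rate-limited) so scans of the application server show up in the kernel log.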