Tomcat server security settings method

Tomcat is an HTTP server that is the official reference implementation of the widely used Servlet and JavaServer Pages (JSP) technologies, developed by Sun through the Java Community Process. Servlet and JSP technologies are used to build HTTP server applications. Many features have been added to Servlet technology over time, including access security, session management and thread control, while JSP provides an easy way to produce dynamically generated HTML pages; these pages are compiled directly into Servlets for fast execution. Beyond the security these two technologies provide on their own, you can also configure Tomcat's own parameters to increase security.

Security Settings:

1. Delete all files in the webapps directory and disable the tomcat management interface

rm -rf /usr/local/tomcat/apache-tomcat-9.0.1/webapps/*

2. Comment out or delete all user permissions in the tomcat-users.xml file:

3. Hide version information and modify conf/server.xml


3. The user issue:

nginx and httpd start as root in order to bind port 80; the child processes/threads then switch to an ordinary user through the setuid() and setgid() functions. That is, the parent process is owned by root while the child processes and worker threads are owned by a non-root user. This user has no shell and cannot log in to the system through ssh or the console.
Java's JVM runs on top of the OS and does no privilege dropping of its own: whichever user starts Tomcat, the whole Tomcat process inherits that user's permissions.
This creates a problem. On Linux systems only root can bind ports below 1024, which is why Tomcat's default port is 8080. If you want to use port 80 directly, you can only start Tomcat as root, and that brings many security issues.

Create a user that can only be used to start tomcat:

groupadd -g 80 tomcat
# useradd syntax (the Debian adduser script takes different options); -o permits a duplicate UID 80
useradd -o --home /tomcat --shell /sbin/nologin --uid 80 --gid 80 -c "Web server" tomcat
chown -R tomcat:tomcat /usr/local/tomcat/apache-tomcat-9.0.1
# the account has no login shell, so give su an explicit shell for this one command
su -s /bin/bash tomcat -c "/usr/local/tomcat/apache-tomcat-9.0.1/bin/startup.sh"

Redirect port 80 to port 8080 with an iptables NAT rule, so that Tomcat can stay on 8080 as the non-root user while clients still access port 80:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

To remove the redirect:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

4. Turn off automatic deployment of WAR files

vim conf/server.xml

5. Hide the version information shown on Tomcat's default 404 page:

Unpack catalina.jar inside the lib directory (jar xf catalina.jar); the extracted directory is on Tomcat's common class path, so the edited properties file takes effect:

vim /usr/local/tomcat/apache-tomcat-9.0.1/lib/org/apache/catalina/util/ServerInfo.properties


6. Change the Tomcat shutdown command

server.xml defines a management port on which the Tomcat instance can be shut down directly. After connecting to that port with telnet, entering SHUTDOWN (the default shutdown command) stops the Tomcat instance (note that although the instance is shut down, the process still exists). The defaults are very simple: port 8005 and the command SHUTDOWN. The shutdown command should therefore be changed to something harder to guess.


Or disable the shutdown port entirely by setting it to -1:

<Server port="-1" shutdown="SHUTDOWN">
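As an added example (not code from the original article), a small Python check that parses server.xml and reports the three settings the steps above change: an enabled shutdown port still using the default SHUTDOWN command, a Connector with no server attribute to control the Server header, and a Host with automatic deployment switched on. Both XML fragments are constructed samples and audit_server_xml is my own name.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment with the defaults this page changes.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>"""

# The same fragment after hardening: shutdown port disabled, Server header overridden,
# automatic deployment off (the server value "webserver" is just a constructed example).
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" server="webserver"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="false" deployOnStartup="false"/>
    </Engine>
  </Service>
</Server>"""


def audit_server_xml(xml_text):
    """Return a list of (where, finding) tuples for the settings this page hardens."""
    findings = []
    root = ET.fromstring(xml_text)
    # Shutdown listener: port="-1" disables it; if it stays enabled, the command
    # must at least differ from the well-known default SHUTDOWN.
    port = root.get("port", "8005")
    if port != "-1" and root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
        findings.append(("Server", "shutdown port %s enabled with default command SHUTDOWN" % port))
    # Version banner: the Connector's server attribute is what overrides the Server header.
    for conn in root.iter("Connector"):
        if not conn.get("server"):
            findings.append(("Connector:" + conn.get("port", "?"), "no server attribute set"))
    # Automatic deployment: both attributes default to true when absent, and with them
    # on any .war dropped into appBase is deployed without operator action.
    for host in root.iter("Host"):
        for attr in ("autoDeploy", "deployOnStartup"):
            if host.get(attr, "true").lower() == "true":
                findings.append(("Host:" + host.get("name", "?"), attr + " is enabled"))
    return findings


if __name__ == "__main__":
    for where, what in audit_server_xml(WEAK_SERVER_XML):
        print(where, "->", what)
```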

7. Separate tomcat and project users

If a web shell is planted into Tomcat, it runs with Tomcat's privileges and can modify the project files. Therefore the Tomcat process user must be separated from the owner of the project files, so that even if Tomcat is compromised it cannot create or edit project files.

8. Add the following configuration in conf/web.xml

9. Custom Error Pages

A web.xml belongs to a particular application and handles the 404s of that application. http://localhost/ is served by Tomcat's own ROOT application, so the web.xml configuration must go into the application under webapps/ROOT/.
If your own application is placed under the ROOT directory, simply use its web.xml instead.
Add the following to /webapps/ROOT/WEB-INF/web.xml:

Create the error.jsp file in the webapps/ROOT directory (the location referenced from web.xml):

<%@ page contentType="text/html; charset=UTF-8" %>
<%@ page import="java.io.*" %>
<%@ page import="java.util.*" %>
<html>
<head>
<title>404 page</title>
</head>
<body>
<pre>
<%
  // List the request attributes (including the javax.servlet.error.* attributes
  // the container sets when forwarding to an error page).
  Enumeration<String> attributeNames = request.getAttributeNames();
  while (attributeNames.hasMoreElements())
  {
    String attributeName = attributeNames.nextElement();
    Object attribute = request.getAttribute(attributeName);
    out.println("request.attribute['" + attributeName + "'] = " + attribute);
  }
%>
</pre>
</body>
</html>

Create the exception.jsp file alongside it:

<%@ page contentType="text/html; charset=UTF-8" isErrorPage="true" %>
<%@ page import="java.io.*" %>
<html>
<head>
<title>exception page</title>
</head>
<body>
<hr/>
<pre>
<%
  // isErrorPage="true" makes the implicit "exception" object available.
  // Output goes through the JSP writer "out" so it stays in order with the page's HTML.
  out.println("Exception: " + exception);

  if (exception != null)
  {
    // Printed here so the error-page mapping can be tested; in production log the
    // stack trace server-side rather than sending it to the client.
    out.println("<pre>");
    exception.printStackTrace(new PrintWriter(out));
    out.println("</pre>");
  }

  out.println("<hr/>");
%>
</pre>
</body>
</html>

Test the custom error page in the browser:


Define session timeout and prohibit directory listing
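As an added example that is not part of the original article, a Python check for the web.xml items from steps 8 and 9 and the heading above: error pages for 404 and java.lang.Throwable, a defined session-timeout, and directory listings on the default servlet. The sample web.xml is constructed; audit_web_xml and its helpers are my own names.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace ElementTree prepends to web.xml tags ({...}web-app -> web-app)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called name, or None if absent."""
    child = next((c for c in elem if _local(c.tag) == name), None)
    return (child.text or "").strip() if child is not None else None


def audit_web_xml(xml_text):
    """Return findings for the error-page, session-timeout and listings settings."""
    findings = []
    root = ET.fromstring(xml_text)

    def elems(name):
        return (e for e in root.iter() if _local(e.tag) == name)
    codes = {_child_text(p, "error-code") for p in elems("error-page")}
    types = {_child_text(p, "exception-type") for p in elems("error-page")}
    if "404" not in codes:
        findings.append("no error-page for 404: Tomcat's built-in page shows its version")
    if "java.lang.Throwable" not in types:
        findings.append("no error-page for java.lang.Throwable: stack traces reach the client")
    if not any(_child_text(c, "session-timeout") for c in elems("session-config")):
        findings.append("session-timeout not set: Tomcat's conf/web.xml default (30 minutes) applies")
    for servlet in elems("servlet"):
        for param in (p for p in servlet if _local(p.tag) == "init-param"):
            if (_child_text(param, "param-name") == "listings"
                    and _child_text(param, "param-value") == "true"):
                findings.append("servlet %s enables directory listings" % _child_text(servlet, "servlet-name"))
    return findings


# Constructed ROOT/WEB-INF/web.xml: error pages mapped as in step 9, but no session
# timeout, and the default servlet re-declared with directory listings switched on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/error.jsp</location></error-page>
  <error-page><exception-type>java.lang.Throwable</exception-type><location>/exception.jsp</location></error-page>
</web-app>"""

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```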

Well, that’s all for this article. I hope it can help you.
