Tomcat Security Configuration

Source: Internet
Author: User

I. What is Tomcat?

The Tomcat server is a free, open-source web application server. The latest version is 6.0.18 (as ).

Tomcat is a core project in the Jakarta project of the Apache Software Foundation, developed jointly by Sun and other companies and individuals. With Sun's participation and support, the latest Servlet and JSP specifications are always reflected in Tomcat; Tomcat 5 supports the latest Servlet 2.4 and JSP 2.0 specifications. Because Tomcat is technically advanced, stable, and free of charge, it is favored by Java enthusiasts and recognized by some software developers, and it has become a popular web application server.
Tomcat is very popular with programmers because it uses few system resources while running and scales well. It supports functions commonly needed when developing application systems, such as load balancing and mail service. It is also constantly being improved, and any interested programmer can change it or add new functions to it.
Tomcat is a small, lightweight application server. It is widely used in small and medium-sized systems with few concurrent users, and it is the first choice for developing and debugging JSP programs. A beginner can think of it this way: once an Apache server is configured on a machine, that server can respond to requests for HTML pages. Tomcat is in effect an extension of the Apache server, but it runs independently: when you run Tomcat, it runs as its own process, separate from Apache.

The trick is that, when configured correctly, Apache serves the HTML pages while Tomcat runs the JSP pages and servlets. Like web servers such as IIS and Apache, Tomcat can also serve HTML pages itself; in addition, it is a servlet and JSP container. Running as a standalone servlet container is Tomcat's default mode. However, Tomcat does not handle static HTML as well as the Apache server does.

II. How can I view the Tomcat version?
View its log, catalina.out.
Note the red part
2006-6-12 15:31:53 org.apache.coyote.http11.Http11Protocol init
信息: Initializing Coyote HTTP/1.1 on http-8080
2006-6-12 15:31:53 org.apache.catalina.startup.Catalina load
信息: Initialization processed in 3687 ms
2006-6-12 15:31:54 org.apache.catalina.core.StandardService start
信息: Starting service Catalina
2006-6-12 15:31:54 org.apache.catalina.core.StandardEngine start
信息: Starting Servlet Engine: Apache Tomcat/5.0.28
2006-6-12 15:31:54 org.apache.catalina.core.StandardHost start
信息: XML validation disabled
2006-6-12 15:31:54 org.apache.catalina.core.StandardHost getDeployer
信息: Create Host deployer for direct deployment (non-jmx)
2006-6-12 15:31:54 org.apache.catalina.core.StandardHostDeployer install
信息: Processing Context configuration file URL file:/opt/wondertek/jakarta-tomcat-5

III. Security configuration for Tomcat
1. Download
The admin module is not installed by default in jakarta-tomcat-5.0.28.exe. Opening http://127.0.0.1:8080/admin returns:
Tomcat's administration web application is no longer installed by default. Download and install the "admin" package to use it.
Therefore, we need to download the "admin" package.
Download jakarta-tomcat-5.5.x.zip together with jakarta-tomcat-5.5.x-compat.zip and jakarta-tomcat-5.5.x-admin.zip.
Decompress the three files into the same directory.
(If you run on JDK 1.5, compat.zip is not needed.)

2. Modify jakarta-tomcat-5.5.x/conf/tomcat-users.xml.
Add the administrator account lizongbo with the password lizongbopass.
The new XML is as follows:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="lizongbo" password="lizongbopass" roles="admin,manager"/>
</tomcat-users>
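
The file above keeps the sample accounts with the password "tomcat" and gives the admin and manager roles to an account whose password is built from its username. The following audit of tomcat-users.xml is an added example, not part of the original page or of Tomcat; the function name audit_users and the short COMMON_PASSWORDS list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# tomcat-users.xml as shown in step 2 of the page (embedded so this runs offline).
USERS_XML = """<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="lizongbo" password="lizongbopass" roles="admin,manager"/>
</tomcat-users>"""

PRIVILEGED_ROLES = {"admin", "manager"}  # roles the admin and manager webapps require
# Assumed short deny-list for this example; use a real password list in practice.
COMMON_PASSWORDS = {"tomcat", "admin", "manager", "password", "changeit"}


def audit_users(xml_text):
    """Return (username, is_privileged, reasons) for each account with a weak password."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        reasons = []
        if not password:
            reasons.append("empty password")
        elif password.lower() == name.lower():
            reasons.append("password equals username")
        elif name and name.lower() in password.lower():
            reasons.append("password contains username")
        if password.lower() in COMMON_PASSWORDS:
            reasons.append("common default password")
        if reasons:
            findings.append((name, bool(roles & PRIVILEGED_ROLES), reasons))
    # Privileged accounts first: they guard the admin and manager applications.
    return sorted(findings, key=lambda f: not f[1])


if __name__ == "__main__":
    for name, privileged, reasons in audit_users(USERS_XML):
        level = "HIGH" if privileged else "MEDIUM"
        print(f"[{level}] {name}: {', '.join(reasons)}")
```
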

Sometimes some modifications are also made in %CATALINA_HOME%/server/webapps/admin/WEB-INF/web.xml:

<!-- Security is active on entire directory -->
<security-constraint>
  <display-name>Tomcat Server Configuration Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.do</url-pattern>
    <url-pattern>*.html</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Login configuration uses form-based authentication -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Tomcat Server Configuration Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Administration Application
  </description>
  <role-name>admin</role-name>
</security-role>
Both authentication and authorization (permission control) in this file refer only to the admin role. When you want to add or change authentication or authorization settings, you must modify this file to suit your environment.
3. Modify jakarta-tomcat-5.5.x/conf/server.xml to solve the encoding problem.
(Add the URIEncoding attribute to the Connector.)
(It can also be set to GB18030.)
<Connector port="8080"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="200"
           connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="GBK"
           compression="on" compressionMinSize="2048"
           noCompressionUserAgents="gozilla, traviata"
           compressableMimeType="text/html,text/xml"/>

<Connector port="8009"
           enableLookups="false" redirectPort="8443" protocol="AJP/1.3" URIEncoding="GBK"/>
 

4. Enable support for gzip compression.
(See http://www.linuxaid.com.cn/forum/showdoc.jsp?l=1&i=81169)
Add the following attributes to the Connector:
compression="on"
compressionMinSize="2048"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml"
 
5. Set up a virtual host.
Create the folder vhost/www.mydomain.com under jakarta-tomcat-5.5.x/.
Then modify jakarta-tomcat-5.5.x/conf/server.xml:

<Engine defaultHost="localhost" name="Catalina">
  <Host appBase="vhost/www.mydomain.com" name="www.mydomain.com">
  </Host>
  <Host appBase="webapps" name="localhost">
  </Host>
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
</Engine>
 
6. Add the database drivers and update mail.jar and activation.jar.
Copy the following into jakarta-tomcat-5.5.x/common/lib/:
mysql-connector-java-3.0.16-ga-bin.jar and pg74.215.jdbc3.jar,
javamail 1.3.2 mail.jar and jaf-1_0_2 activation.jar,
and the MSSQL 2000 JDBC SP3 files msbase.jar, msutil.jar and mssqlserver.jar.
 
 
7. Configure SSL
D:/j2sdk1.4.2_06/bin> %JAVA_HOME%/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter the keystore password: lizongbossl
What is your first and last name?
[Tomcat5.5.x]: tomcat5.5.x
What is the name of your organizational unit?
[Jakarta]: Jakarta
What is the name of your organization?
[Apache]: Apache
What is the name of your city or region?
[Hzcity]: hzcity
What is the name of your state or province?
[GDP]: GDP
What is the two-letter country code for this unit?
[CN]: CN
Is CN=tomcat5.5.x, OU=Jakarta, O=Apache, L=hzcity, ST=GDP, C=CN correct?
[No]: Y

Enter the key password for <tomcat>
(If the password is the same as the keystore password, press Enter):

(The two passwords must be the same, so just press Enter.)
Then copy the .keystore file from the user home directory (for example, C:/Documents and Settings/lizongbo/)
into Tomcat's conf/ directory
(for example, D:/jakarta-tomcat-5.5.x/conf/.keystore).
Configure jakarta-tomcat-5.5.x/conf/server.xml.
Add:
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/.keystore"
           keystorePass="lizongbossl"> <!-- Consistent with the previously set password -->
</Connector>
8. Disable directory listings.
Modify jakarta-tomcat-5.5.x/conf/web.xml and set listings to false:

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>0</param-value>
  </init-param>
  <init-param>
    <!-- false disables directory listings -->
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
 
9. Specify your own javaEncoding.
(Refer to http://gceclub.sun.com.cn/staticcontent/html/sunone/app7/app7-dg-webapp/ch6/ch6-4.html)

<servlet>
  <servlet-name>jsp</servlet-name>
  <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  <init-param>
    <param-name>fork</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>javaEncoding</param-name>
    <param-value>gb18030</param-value>
  </init-param>
  <init-param>
    <param-name>xpoweredBy</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>3</load-on-startup>
</servlet>
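
Steps 8 and 9 both set init-params in conf/web.xml that change what the server reveals: listings on the default servlet, and xpoweredBy on the JSP servlet, which adds an X-Powered-By response header when true. The following check is an added example, not part of the original page or of Tomcat; the embedded web.xml fragment is constructed, and the names audit_web_xml and RISKY_WHEN_TRUE are assumptions made for illustration. Call audit_web_xml() with the text of your own conf/web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (servlets from steps 8 and 9, both flags left at "true").
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param><param-name>javaEncoding</param-name><param-value>gb18030</param-value></init-param>
    <init-param><param-name>xpoweredBy</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

# (servlet class, init-param name) -> what "true" exposes
RISKY_WHEN_TRUE = {
    ("org.apache.catalina.servlets.DefaultServlet", "listings"):
        "directory contents are listed when no welcome file matches",
    ("org.apache.jasper.servlet.JspServlet", "xpoweredBy"):
        "JSP responses carry an X-Powered-By header",
}


def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_web_xml(xml_text):
    """Return (servlet-name, param, reason) for every risky init-param set to true."""
    findings = []
    for servlet in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "servlet"):
        cls = child_text(servlet, "servlet-class")
        for param in (p for p in servlet if local(p.tag) == "init-param"):
            name, value = child_text(param, "param-name"), child_text(param, "param-value")
            reason = RISKY_WHEN_TRUE.get((cls, name))
            if reason and value.lower() == "true":
                findings.append((child_text(servlet, "servlet-name"), name, reason))
    return findings
```
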
10. Add mime-type mappings for RAR and ISO
so that they are not opened directly in the browser.
<mime-mapping>
  <extension>mht</extension>
  <mime-type>text/x-mht</mime-type>
</mime-mapping>
<mime-mapping>
  <extension>rar</extension>
  <mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
  <extension>iso</extension>
  <mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
  <extension>ape</extension>
  <mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
  <extension>rmvb</extension>
  <mime-type>application/octet-stream</mime-type>
</mime-mapping>
<mime-mapping>
  <extension>ico</extension>
  <mime-type>image/x-icon</mime-type>
</mime-mapping>
10.1 Set the encoding for static HTML pages
<!-- Modify the following two mappings so that static HTML pages are served with the charset. -->
<mime-mapping>
  <extension>htm</extension>
  <mime-type>text/html;charset=gb2312</mime-type>
</mime-mapping>
<mime-mapping>
  <extension>html</extension>
  <mime-type>text/html;charset=gb2312</mime-type>
</mime-mapping>
</web-app>
 
11. Add welcome-file-list and adjust the order.
<welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>default.html</welcome-file>
  <welcome-file>default.htm</welcome-file>
  <welcome-file>default.jsp</welcome-file>
</welcome-file-list>
