Tomcat is a widely used open-source servlet container that runs JSP pages and servlets. It is written in Java and is commonly used to deploy Java Web applications.
Tomcat is easy to set up: download the installer from the Tomcat website and run it. Few administrators, however, have a thorough understanding of the risks that come with it. The main security risks of a Tomcat Web application lie in the following areas:
A JSP running in Tomcat, or a bean called from a JSP, can perform the following high-risk actions:
· Run a program in Windows
· Read the content of any file in any folder
· Delete files in any folder
· Create a new file in any folder
Although Tomcat itself provides a good deal of security, these actions become possible because of the following factors:
1. After installation, Tomcat runs as a Windows service under the System account.
2. If it is not run as a service, almost all Web server administrators start it from their own account, which is usually Administrator.
Either way, the Java runtime can reach any file in any folder on the Windows host. A Java process runs with the operating-system privileges of the account that started it: when Tomcat runs as a service under the System account, or is started by an administrator, the JVM inherits every permission that account has, and so has full access to every file in every folder. Servlets (a JSP is compiled into a servlet before it runs) execute inside that same process with the same permissions. Java code in a servlet can therefore use the file API in the Java SDK to list all files in a folder and delete any of them. The biggest danger is that a servlet can start a program with system privileges, which happens as soon as any servlet contains code such as:
Runtime rt = Runtime.getRuntime();
rt.exec("c:\\SomeDirectory\\SomeUnsafeProgram.exe");  // the program starts with the privileges of the Tomcat process
This is the greatest danger of all, and many people do not realize it.
Ways to ensure Tomcat security
First, create a dedicated account
1. Create an ordinary (non-administrator) local user named "ITOMCAT_<computer name>".
2. Set a password for it.
3. Make sure "Password Never Expires" is selected.
Modify the access permissions of the Tomcat installation folder
1. Locate the Tomcat installation folder that the environment variable CATALINA_HOME (or TOMCAT_HOME on older versions) points to.
2. Grant the "ITOMCAT_<computer name>" user read, write, and execute permissions on it. (Least privilege is read and execute on the whole tree, with write limited to the folders Tomcat must write to, such as logs, work, and temp.)
3. Give the "ITOMCAT_<computer name>" user read-only access to the webapps folder.
4. If a particular Web application needs write access, grant write permission on that application's folder only.
To run Tomcat as a Windows service under this account, take the following steps:
1. Open "Control Panel", select "Administrative Tools", and then "Services".
2. Find the Tomcat service (for example "Apache Tomcat") and open its "Properties".
3. Select the "Log On" tab.
4. Select "This account".
5. Type the new "ITOMCAT_<computer name>" user as the account name.
6. Enter and confirm the password.
7. Restart the service (or the machine).
To run Tomcat from a command prompt instead, take the following steps:
1. Type CMD in the "Run" box of the "Start" menu to open a command prompt.
2. Type the command "runas /user:ITOMCAT_<computer name> cmd.exe".
3. When prompted, enter the password you set for "ITOMCAT_<computer name>".
4. A new command prompt opens, running as that user.
5. In the new window, change to Tomcat's bin folder.
6. Type the command "catalina run".
7. Close the first window.
Only the permissions of "ITOMCAT_<computer name>" apply inside the new window, so Tomcat started there, like the service configured above, gets nothing more than what was granted to that account. A servlet that tries to read, delete, or execute files outside the folders you granted now fails with an access-denied error, and that is what makes Tomcat safe. Verify it after the change: check the service's logon account in the Services console, and confirm that a test page deployed to Tomcat cannot write outside the folders you granted.
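The account-creation, folder-permission and service-configuration steps above, carried out as one script. This is an added example, not code from the original article or from the Tomcat project. It assumes PowerShell 5.1 or later with the LocalAccounts module, an elevated prompt, CATALINA_HOME set, and a service named "Tomcat9" (check yours with Get-Service *tomcat*); the service name and the choice of logs, temp and work as the only writable folders are assumptions to adjust for your installation. It also checks a limit the article does not mention: a Windows local user name may be at most 20 characters, so "ITOMCAT_" plus a long computer name must be shortened.

```powershell
# Added example (not from the original article): run Tomcat's Windows service as a
# dedicated low-privilege local account. Run from an elevated PowerShell prompt.
# Assumptions: PowerShell 5.1+ (LocalAccounts module), CATALINA_HOME set, service
# name "Tomcat9". Adjust $serviceName and $catalinaHome for your installation.

$ErrorActionPreference = 'Stop'

$serviceName  = 'Tomcat9'                         # assumed; see Get-Service *tomcat*
$userName     = "ITOMCAT_$env:COMPUTERNAME"       # the account name the article uses
$catalinaHome = $env:CATALINA_HOME
if (-not $catalinaHome) { throw 'CATALINA_HOME is not set; edit $catalinaHome' }
if ($userName.Length -gt 20) { throw "Local user names are limited to 20 characters: $userName" }
$password     = Read-Host -AsSecureString -Prompt "Password for $userName"

# Step 1: an ordinary local user (not in Administrators) whose password never expires.
if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -Password $password -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Apache Tomcat service account' | Out-Null
}

# Give $Account exactly $Rights on $Path (inherited by subfolders and files),
# replacing any explicit entry for that account so rights do not pile up on re-runs.
function Grant-FolderRights {
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like "*\$Account" } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Step 2: read and execute on the whole installation; write only where Tomcat must
# write (logs, temp, work). webapps inherits read-only access; grant Modify on one
# application's folder separately if that application really needs to write to itself.
Grant-FolderRights -Path $catalinaHome -Account $userName -Rights ReadAndExecute
foreach ($sub in 'logs', 'temp', 'work') {
    Grant-FolderRights -Path (Join-Path $catalinaHome $sub) -Account $userName -Rights Modify
}

# Step 3: make the service log on as the new account. Win32_Service.Change takes the
# password as a method argument, so it never appears on a command line.
$svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
$plain  = [System.Net.NetworkCredential]::new('', $password).Password
$result = Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = ".\$userName"; StartPassword = $plain }
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }

# Step 4: restart and verify what the service is actually running as, and what the
# account holds on webapps (only an inherited ReadAndExecute entry is expected).
Restart-Service -Name $serviceName
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
"{0} is {1}, logging on as {2}" -f $svc.Name, $svc.State, $svc.StartName
(Get-Acl -Path (Join-Path $catalinaHome 'webapps')).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$userName" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# Interactive alternative from the article, using the same account:
#   runas /user:ITOMCAT_<computer name> cmd.exe   then   cd <CATALINA_HOME>\bin  and  catalina run
```

The Services console's "Log On" tab grants the chosen account the "Log on as a service" right automatically; scripted changes through Win32_Service.Change or sc.exe do not necessarily do so. If Restart-Service reports a logon failure, add the account under Local Security Policy, User Rights Assignment, "Log on as a service", and restart the service again.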