Tomcat Recommended Configurations

Performance

  1. Use the latest JVM that Tomcat and your applications will support
  2. Use JAVA_OPTS (or CATALINA_OPTS) to:
    1. Configure heap sizes, garbage collection settings, and other settings (discussed in detail in class)
  3. In $CATALINA_BASE/conf/server.xml:
    1. Remove any <Connector/> elements you don’t need.
    2. For those that remain, configure minSpareThreads, maxThreads, and acceptCount according to the volume you anticipate. maxThreads caps the number of requests processed concurrently; acceptCount is the backlog of connections the operating system queues once every worker thread is busy.
      1. Don’t set acceptCount or maxThreads too high - it may be better to refuse a few connections than to overload the server.
    3. In the <Host/> element, turn off autoDeploy if you don’t need it; applications are then deployed only at startup (deployOnStartup) or explicitly, and the background deployment thread has nothing to scan.
  4. In $CATALINA_BASE/conf/context.xml:
    1. Comment out the WatchedResource elements so that Tomcat’s background thread stops checking each application’s web.xml for changes (a changed web.xml then takes effect only on redeploy or restart).
    2. Consider disabling session persistence across restarts if you don’t need it (set the Manager’s pathname to an empty string); Tomcat then neither writes sessions to disk at shutdown nor reads them back at startup.
  5. In $CATALINA_BASE/conf/web.xml, set the development init-param of the jsp servlet to false.
  6. Use HTML (instead of JSP) pages wherever possible.
  7. Uninstall applications you don’t need (see #1 in Security below).
  8. Use the APR/native or NIO connectors (Tomcat 8.5 defaults to NIO; the blocking BIO connector was removed in 8.5).
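The context.xml changes from item 4, as an added example that is not part of the original page: the stock Tomcat 8.5 $CATALINA_BASE/conf/context.xml with the WatchedResource elements commented out and a Manager element that turns off session persistence. Nothing else in the stock file changes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE/conf/context.xml, Tomcat 8.5, with the two changes from
     Performance item 4. Added example; the rest of the stock file is unchanged. -->
<Context>

    <!-- Item 4.1: the stock file lists these three files so that the background
         thread reloads a context whenever one of them changes. Commented out,
         a changed web.xml takes effect only on redeploy or restart. -->
    <!--
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
    -->

    <!-- Item 4.2: with an empty pathname the StandardManager neither writes
         sessions to SESSIONS.ser under the work directory at shutdown nor reads
         them back at startup, so sessions do not survive a restart. Leave this
         element out (or give it a real path) where users must keep their
         sessions across a restart. -->
    <Manager pathname="" />

</Context>
```

Because conf/context.xml is the default for every application, an individual application can still override either setting in its own META-INF/context.xml.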

Security

  1. Uninstall all applications that you don’t need. Candidates:
    1. / (ROOT)
    2. docs
    3. examples
    4. manager and host-manager
  2. Run Tomcat as its own unprivileged user. Give that user read access to the JVM and $CATALINA_HOME, and write access only to the directories Tomcat must write to (logs, temp, work, and webapps only if you deploy by copying files there). It should not be able to modify conf/ or the Tomcat libraries.
  3. Consider running Tomcat in -security mode (catalina.sh start -security runs the JVM under a SecurityManager with the policy in $CATALINA_BASE/conf/catalina.policy). Note that the Java SecurityManager is deprecated for removal from Java 17 onward and Tomcat 11 no longer supports it, so treat this as a Tomcat 8.5/9 option.
  4. In $CATALINA_BASE/conf/server.xml:
    1. Set the shutdown port to -1 to disable it if you are running Tomcat as a service (the service manager stops the JVM directly). Otherwise, at least change the shutdown command from the default SHUTDOWN to a long random string; the port listens on localhost only by default, but any local process that knows the string can stop the server.
    2. Remove connectors that you don’t need
      1. ajp13 can be removed if you’re running Tomcat standalone. If you keep it, bind it to localhost (address="127.0.0.1") and set a shared secret; since 8.5.51 and 9.0.31 the AJP connector is commented out by default, binds to localhost, and refuses to start without a secret unless secretRequired="false".
      2. http and/or https can be removed if you’re running Tomcat behind Apache httpd or IIS.
    3. For each <Connector/>, consider setting the server attribute to report a bogus Server header. Tomcat 8.5 and later send no Server header at all unless this attribute is set, so on those versions leaving it unset reveals nothing either.
    4. If you’re not running host-manager or manager, take out the <Resource> element in GlobalNamingResources that sets up the default UserDatabase and the <Realm> element that uses it.
    5. If you are keeping manager or host-manager (item 1 above), configure the UserDatabaseRealm with a CredentialHandler so that stored passwords are hashed, or use a different realm (such as JNDIRealm, JAASRealm, DataSourceRealm, or JDBCRealm, which is deprecated in newer releases in favour of DataSourceRealm) with hashed passwords.
    6. At the Engine or Host level, or in an application’s context file, consider using RemoteAddrValve (the concrete RequestFilterValve; RemoteHostValve is the hostname variant) to restrict which client IP addresses are permitted access. If Tomcat sits behind a reverse proxy, place a RemoteIpValve ahead of it so the check sees the client address from X-Forwarded-For rather than the proxy’s own address.
  5. $CATALINA_BASE/conf/web.xml:
    1. In the default servlet, make sure the value of the listings init-param is false.
    2. Make sure the cgi and ssi servlets are commented out (they are by default). The invoker servlet has been disabled by default since Tomcat 5.0 and was removed entirely in Tomcat 7.
    3. Set the session timeout to a shorter interval than the default of 30 minutes (session-timeout is given in minutes).
    4. Add error-page elements to serve your own pages, rather than Tomcat’s default report (which includes a stack trace and the server version), for HTTP status codes 400-417 and 500-509.
      1. In Tomcat 7 and later (Servlet 3.0), a single error-page element with only a location and no error-code or exception-type acts as the default for every error, which simplifies this greatly.
    5. Make sure that any desired welcome pages are registered.
  6. If you enable remote access via JMX, require both TLS and authentication; don’t just leave the JMX port open for all visitors.
  7. Check all code you deploy for SQL injection, XML injection, and XSS vulnerabilities.
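Putting the server.xml items together (Performance 3 and 8, Security 4), as an added example that is not from the original page: a $CATALINA_BASE/conf/server.xml for a standalone Tomcat 8.5 with manager and host-manager uninstalled. The thread counts, the allow list, the shutdown string and the keystore path are assumptions; adjust them to your deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- $CATALINA_BASE/conf/server.xml for a standalone Tomcat 8.5 (no httpd or IIS
     in front; manager and host-manager uninstalled). Added example, not the
     stock file. Thread counts, the allow list, the shutdown string and the
     keystore path are assumptions. -->

<!-- Security 4.1: port="-1" disables the shutdown port. The command string is
     changed from SHUTDOWN anyway, in case someone re-enables the port later. -->
<Server port="-1" shutdown="replace-with-a-long-random-string">

  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Security 4.4: the UserDatabase <Resource> that backs the stock realm is
       removed together with manager/host-manager, so nothing is defined here. -->
  <GlobalNamingResources />

  <Service name="Catalina">

    <!-- Performance 3.1 / Security 4.2: HTTP and HTTPS only, no AJP connector,
         because nothing proxies to this instance.
         Performance 3.2 / 8: explicit NIO protocol, pool sized for the expected
         load (150 workers, 50 queued connections) instead of unexamined defaults.
         Security 4.3: server= sets a Server header that reveals nothing; on 8.5
         the header is absent when the attribute is unset, so this is optional. -->
    <Connector port="8080"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000"
               maxThreads="150"
               minSpareThreads="10"
               acceptCount="50"
               server="web"
               redirectPort="8443" />

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               connectionTimeout="20000"
               maxThreads="150"
               minSpareThreads="10"
               acceptCount="50"
               server="web">
      <!-- TLS 1.2 only; add TLSv1.3 once the JVM supports it. Keystore path and
           password are placeholders. -->
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="${catalina.base}/conf/keystore.p12"
                     certificateKeystorePassword="changeit"
                     certificateKeystoreType="PKCS12"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">

      <!-- Security 4.5: no active Realm. If manager is re-added, restore the
           UserDatabase resource above and use a realm that hashes what it stores,
           for example (kept commented out here): -->
      <!--
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase">
          <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                             algorithm="SHA-256" iterations="100000" saltLength="16" />
        </Realm>
      </Realm>
      -->

      <!-- Performance 3.3: autoDeploy="false" stops the background deployer;
           applications are deployed at startup (deployOnStartup) only. -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="true"
            deployOnStartup="true"
            autoDeploy="false">

        <!-- Security 4.6: RemoteAddrValve is the concrete RequestFilterValve.
             Allow list (assumption): loopback plus 10.0.0.0/8. With a reverse
             proxy in front, a RemoteIpValve must precede this valve or it will
             only ever see the proxy's address. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.\d+\.\d+\.\d+" />

        <!-- Complements Security 5.4: Tomcat's own error report without the
             stack trace and without the version string. -->
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false"
               showServerInfo="false" />

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
```

With manager removed, the commented-out Realm is only there to show where hashed credentials belong (item 4.5) if it is ever re-added; the tomcat-users.xml entries must then be generated in the matching digest format (digest.sh in Tomcat's bin directory does this). The RemoteAddrValve allow attribute is a list of regular expressions matched against the whole client address, which is why the dots are escaped.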

Important: There are many more steps you could take to harden Tomcat. Please consult http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html for additional ideas (adjust the URL to your Tomcat version).
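The $CATALINA_BASE/conf/web.xml counterpart (Performance 5, Security 5), as an added example that is not from the original page. Only the elements this page discusses are shown; the rest of the stock Tomcat 8.5 file is unchanged. The error page path and the 15-minute timeout are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragments of $CATALINA_BASE/conf/web.xml (Tomcat 8.5), the defaults that
     every web application inherits. Added example; only the elements discussed
     on this page appear here, the rest of the stock file is unchanged. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Security 5.1: directory listings off. The stock value is already false;
       the point is to check that nobody has turned it on. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <!-- Performance 5: development=false stops the JSP servlet checking file
       timestamps on every request; JSPs are then recompiled only on (re)deploy. -->
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>fork</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>development</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
  </servlet>

  <!-- Security 5.2: the cgi (and ssi) servlets stay commented out. The invoker
       servlet no longer exists in Tomcat 7 and later, so there is nothing to
       disable for it. -->
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  -->

  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>

  <!-- Security 5.3: 15 minutes instead of the stock 30 (value is an assumption). -->
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>

  <!-- Security 5.4: one page for every error. Servlet 3.0 (Tomcat 7+) accepts an
       error-page with neither error-code nor exception-type, replacing the
       individual 400-417 / 500-509 entries. The path is an assumption and must
       exist in each application (a location under WEB-INF is served by the
       container's internal forward but is not directly requestable). -->
  <error-page>
    <location>/WEB-INF/error.html</location>
  </error-page>

  <!-- Security 5.5: welcome files, so a request for a directory serves a page
       instead of falling through to a listing or a 404. -->
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
```

Settings in conf/web.xml are merged with each application's own WEB-INF/web.xml, and the application's values win, so an application can still re-enable listings or lengthen the timeout for itself; reviewing deployed applications' web.xml files (item 7) is the complement to hardening the defaults.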