THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
- Known vulnerabilities http://tomcat.apache.org/security.html
- Security considerations (Apache Tomcat 7 documentation) http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html - Tomcat 8, Tomcat 7
Questions
- How do I use OpenSSL to set up my own Certificate Authority (CA)?
- Oh no! Port 8005 is available for anyone on localhost to shutdown my tomcat!
- What about Tomcat running as root?
- How do I force all my pages to run under HTTPS?
- What is the default login for the manager and admin app?
- How do I restrict access by ip address or remote host?
- How do I use jsvc/procrun to run Tomcat on port 80 securely?
- Has Tomcat's security been independently analyzed or audited?
- How do I change the Server header in the response?
- Why are passwords in plain text?
- How can I restrict the list of ciphers used for HTTPS?
- Is Tomcat vulnerable to Heartbleed bug?
...
The admin and manager application do not provide a default login. Doing so is would be a security flaw. You need to edit $CATALINA_HOME/conf/tomcat-users.xml file if you are using the default install. See Configuring Manager Application Access for details.
Note that there exists malware that tries to guess the manager password.
There was once a bug that blindly clicking-trough the Windows installer configured a manager user with blank password (CVE-2009-3548). This was fixed by April 2010 (Tomcat 5.5.29, 6.0.24 and later are safe).
| Anchor | ||||
|---|---|---|---|---|
|
How do I restrict access by ip address or remote host?
By using the RemoteHostValve or RemoteAddrValve. Warning, these valves rely on accurate incoming ip addresses or hostnames. So they can fall victim to spoofing! See also RemoteIpValve. Valve Reference Link
| Anchor | ||||
|---|---|---|---|---|
|
How do I use jsvc/procrun to run Tomcat on port 80 securely?
...