I'm developing an app which uses Spring quite heavily. Spring and the Tomcat Security Manager require quite some configuration to make work.

The documentation for Tomcat Security Manager indicates that it's for protection from malicious code which a deployer puts onto the server. If I'm the only person with the access rights to admin the server and deploy the code then Tomcat Security Manager is only protecting myself from myself.

Is there anything useful in Tomcat Security Manager in this scenario?

Thanks in advance.

A: 

Pragmatically, no, there's not. If your server is adequately protected (i.e. behind a firewall, appropriate file permissions assigned to the Tomcat install directory, Tomcat process not running as root/Administrator, you control what is deployed, etc.) then it's not.

But if the answer to more than 1 of these questions is no, then you should do what it takes to make the answer yes to as many as you can (which is often easier) or configure and activate the security manager (which is a huge pain).

Andy Gherna
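
Two of the conditions listed in the answer (file permissions on the Tomcat install directory, and the Tomcat process not running as root) can be checked with a short script. This is an added example, not part of the original answer; the function names and argument layout are assumptions.

```shell
#!/bin/sh
# Added example: checks two conditions from the answer above.
# Function names and argument layout are assumptions, not Tomcat tooling.

# List paths under the Tomcat install directory that any local user can write.
world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# Succeed if the process with the given PID runs with UID 0.
runs_as_root() {
    [ "$(ps -o uid= -p "$1" 2>/dev/null | tr -d ' ')" = "0" ]
}

# audit_tomcat DIR [PID]: print findings, return non-zero if any were found.
audit_tomcat() {
    at_findings=0
    at_ww=$(world_writable "$1")
    if [ -n "$at_ww" ]; then
        echo "FAIL: world-writable paths under $1:"
        echo "$at_ww" | sed 's/^/  /'
        at_findings=$((at_findings + 1))
    fi
    # The process check is skipped when no PID is given.
    if [ -n "${2:-}" ] && runs_as_root "$2"; then
        echo "FAIL: PID $2 runs as root"
        at_findings=$((at_findings + 1))
    fi
    [ "$at_findings" -eq 0 ] && echo "OK: no findings for $1"
    return "$at_findings"
}

# Usage: sh audit.sh /path/to/tomcat [tomcat-pid]
if [ "$#" -ge 1 ]; then
    audit_tomcat "$1" "${2:-}"
fi
```

The script does not cover the firewall or deployment-control conditions, which depend on the environment outside the host's file system.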