views: 850

answers: 7

Hey everyone,

as can be seen from two other questions I had, I am looking for a secure webserver, as there were discussions at work about how safe Tomcat really is. But basically what I found on the net regarding how safe it is is Greek to me. So I was hoping someone could explain to me how safe Tomcat really is? Like, is it possible to mess with Java code on the server or something like this?

I know this is probably a dumb question, but I really can't seem to find an answer that helps me to argue that writing our own server is not more safe than using Tomcat or how it might be better to use Tomcat.

Maybe someone knows a good way to secure Tomcat and to minimize certain functions of Tomcat? (I really dunno how else to explain it ...)

I hope you can help me. Thnx in advance!

... dg

+4  A: 

But all in all, it's a really bad idea to write your own Servlet Container, especially if the Tomcat security arguments are not clear to you.


If you need boss-convincing arguments, show him the servlet spec you need to implement, and estimate time in the order of man-years (not kidding!), contrasting this with the 'download, unzip, start' option of using Tomcat.

Robert Munteanu
I know it is a crappy idea ... but I need arguments to convince my boss ... And that is something I am lacking. "especially if the Tomcat security arguments are not clear to you." - I am looking for these arguments ... :(
doro
See the update I made to the answer.
Robert Munteanu
Thnx for the link ... I will look into this :)
doro
+12  A: 

Writing your own server? As opposed to using Tomcat? That is a classic case of reinventing the wheel and (unless you are the NSA) likely to result in a less secure server. Rhetorical question: Why not write your own OS to go with it!

Tomcat 6 is a very mature, stable, current, well understood code base that has had zillions of very, very smart people reviewing it, testing it, and operating it in production for years and years.

Tomcat is very secure.

Stu Thompson
I am not the NSA ... LOL ... But my boss seems to think he is ... :(
doro
+3  A: 

I know this is probably a dumb question, but I really can't seem to find an answer that helps me to argue that writing our own server is not more safe than using Tomcat or how it might be better to use Tomcat.

What you have to remember is that Tomcat has 1000s of hours of people looking at code and fixing bugs and holes. Thinking about writing secure code is easy. Doing it is extremely hard. There are lots of little things that can be overlooked which can contribute to massive holes.

Kevin
I do know that tomcat is better, but I cannot give any real arguments. Just saying that a lot of intelligent ppl work(ed) on this is not a very convincing argument for my boss ... :(
doro
(uh this sounds like a sucky situation for you. You have my sympathy) Don't approach it from the idea that smart people worked on it, explain to him the amount of time that it will take to build a web server....like 10,000+ hours.
Kevin
funny thing is: he started last week and thinks he is done ... BUT another funny thing: he doesn't really know a lot about web applications and stuff (though he is a great java programmer) ... it is a sucky situation as I cannot make it clear to him ... maybe I should get someone to hack his server, so he sees it live and in action ...
doro
Yeah...that's going to be difficult. I don't really know what to say, except that I hope he'll realize that he won't be able to duplicate Tomcat anytime soon.
Kevin
+1  A: 

As others have already mentioned, Tomcat is ready for production use and security of Tomcat itself is certainly better than what any small team could achieve while writing their own servlet server.

That said, probably the weakest point in a Tomcat setup is commonly the setup of the underlying OS.

Lucero
He thinks it is a blackbox (LOL ... yeah right!) ... awww, I will just quit the job and become a farmer or something ... *g*
doro
+4  A: 

Maybe before, Tomcat was pretty insecure, but nowadays... just anything having Apache under its name is enough for me to trust it. Anyway, security was ALWAYS imagination; there is no such thing existing in real life, so there would always be a factor of (in)security.

The problem with Tomcat is like the problem with Windows: no matter how 'secure' they built it, if there are millions of people out there using it, hackers will have an interest in investing their energy (and eventually, they will succeed) in finding a way to break into it. So maybe to feel more secure, you can consider using something not widely used, but this will not help if a hacker is intentionally hacking your site for some special reason; he will find out the technology you are using and at this moment - it would be better if it was Tomcat.

That is why it is very important to 'get married' to open-source technologies like Tomcat, since there is not a big chance for a hole in the system to live long; people have a chance to fix things, you can always do the job yourself, you do not have to wait for a new version, etc.

ante.sabo
Thnx for the answer ... The time spent trying to convince him of Tomcat could be wisely used working on the application we are supposed to build *g* ... the funny thing is, I don't have the knowledge of how a server can be hacked (though it would surely be helpful to explain why his will be even less secure than Tomcat)
doro
+3  A: 

While I'm no hacker, I'd find it hard to imagine how Tomcat would be your first port of call if you were trying to attack a system - after all it's running your code and is presumably behind a firewall and fronting servers. If this isn't the case, then it should be!

Once the network is as secure as possible, remember Tomcat is just a Servlet engine - you're gonna have trouble exploiting it with HTTP requests. I'd focus on your application code, things like user authentication and avoiding the various injection attacks - this in my mind is the highest risk to your system and will exist whatever server you're running on.

Nick Holt
Thnx for the hints :)
doro
+2  A: 

Tomcat is a secure server. However, it is even more secure to use Apache Web Server to proxy it. You can use mod_proxy to connect Apache with Tomcat using the AJP or HTTP protocol. This is the safest configuration and you can leverage the many plug-in modules available for Apache HTTP Server.

Some tips for a secure installation:

  • Create a user to run Tomcat. Do not use the root user.
  • Uninstall the example applications.
  • Uninstall the manager application. If you use Apache to proxy Tomcat, you can safely keep the manager and make it available only through your local network.
kgiannakakis
thnx a lot for the advice :) I will check out some sites for securing/configuring tomcat and using apache to proxy :) thank you!
doro
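
The three installation tips in kgiannakakis's answer can be checked with a short script. This is an added example, not code from any poster in this thread; the function names and the `proxied` argument are hypothetical, and it assumes the standard `webapps` directory under `CATALINA_HOME`.

```shell
#!/bin/sh
# Added example: audit a Tomcat install against the three tips above.
# Function names and the "proxied" switch are assumptions for illustration.

# List the accounts that own running Tomcat JVMs
# (org.apache.catalina.startup.Bootstrap is Tomcat's main class).
tomcat_users() {
    ps -eo user=,args= |
        awk '/org\.apache\.catalina\.startup\.Bootstrap/ {print $1}' | sort -u
}

# Tip 1: return non-zero if the given account is root (uid 0).
check_user() {
    if [ "$(id -u "$1" 2>/dev/null)" = "0" ]; then
        echo "FAIL: Tomcat runs as $1 (uid 0)"
        return 1
    fi
    echo "ok: Tomcat runs as unprivileged user $1"
}

# Tips 2 and 3: report default webapps that are still deployed.
# $1 = CATALINA_HOME
# $2 = "proxied" when Apache fronts Tomcat and limits the manager to the
#      local network, in which case the manager may stay (default: direct).
# Return status = number of failed checks.
check_webapps() {
    home=$1; mode=${2:-direct}; bad=0
    for app in examples manager; do
        # A webapp can be an unpacked directory or a .war file.
        [ -e "$home/webapps/$app" ] || [ -e "$home/webapps/$app.war" ] || continue
        if [ "$app" = manager ] && [ "$mode" = proxied ]; then
            echo "note: manager deployed; confirm Apache limits it to the local network"
        else
            echo "FAIL: $app is deployed under $home/webapps"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: CATALINA_HOME=/path/to/tomcat sh audit.sh [proxied]
if [ -n "${CATALINA_HOME:-}" ]; then
    for u in $(tomcat_users); do check_user "$u"; done
    check_webapps "$CATALINA_HOME" "${1:-direct}"
fi
```

The script only reports what is deployed and who runs the JVM; it does not verify the Apache access rules themselves, so a `note:` line still needs a manual look at the proxy configuration.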