Chapter 14: Tomcat Security Creating a Non-Privileged Tomcat
Chapter 14: Tomcat Security Creating a Non-Privileged Tomcat User The first step in the process is to create an account for running Tomcat. For simplicity, this account is referred to as tomcat in the remainder of this section. Be sure to configure the tomcat account with the environment variables required to run Tomcat notably, the JAVA_HOMEand CATALINA_HOMEvariables. Restricting Account Privileges in Windows To ensure that unintentional privileges are not extended to the account, the tomcat account should be removed from all groups. When creating a user from the Users and Passwords control panel (called User Accounts in Windows Vista and Windows XP), Windows automatically adds tomcat to at least one group. The Computer Management utility must be used to remove the tomcat account from all groups. System administrators may want to consider creating a special Restricted Services group for the tomcat account (more on this strategy will follow in subsequent paragraphs). Note also that the tomcat account should be given a password that never expires, which can be accomplished with the same Computer Management utility. Restricting Account Privileges in Linux Create both a tomcatuser and a tomcat group. This is the default behavior of the useraddcommand. By assigning tomcat to its own new group, system administrators ensure that privileges are not unintentionally granted to the account. Running Tomcat with the Tomcat User After creating the tomcat account, the operating system must be configured to use the account when launching Tomcat. Configuring Windows If Tomcat is configured to run as a service (see Chapter 3 for details), you can use the Services utility to select a user account when launching Tomcat. The Services utility is in the Administrative Tools folder, which in turn is located in the Control Panel folder. To change the account, double-click on the Tomcat service and select the Log On tab. That tab provides the capability for the service to log on as a specific account. Enter the Tomcat account and its password in the appropriate locations. The service should then be restarted for the new setting to take effect. Configuring Linux There s no one way to configure a Linux system to start Tomcat with its own user account. The basic idea is to launch Tomcat using a syntax similar to the following in whatever startup scheme is used: /bin/su tomcat $CATALINA_HOME/bin/startup.sh
For high quality java hosting services please check java web hosting website.